only PAT works thru PIX, no static NAT

Unanswered Question
Jun 25th, 2007

I have a Cisco 2821 router that sits behind a PIX firewall. When this router is using a PAT IP it can ping and telnet outside public IPs thru the firewall with no problem. Recently I added a static NAT entry so I can telnet to this router from the outside. I made sure that there was an ACL entry on the PIX permitting telnet traffic to the router's public IP but I was not able to telnet into the router from the outside. After double-checking my work and doing some testing I found that the minute I create a static NAT entry for the router I lose all connectivity to the outside from the router. This includes pinging and telneting out from the router that works when the router is using a PAT IP but not when the router has a static IP. What can be causing this?



BTW, there are other devices, like Windows servers that are working successfully with static IPs thru this firewall. The problem seems isolated to the router. I also tried different public IPs to NAT to the router but the same situation persists.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
JORGE RODRIGUEZ Fri, 06/29/2007 - 18:53

Hi Diego,

assuming this is the static translation for the router ( )

I see you have this statement :

access-list 101 permit ip any host

we have to allow tcp as suppose to ip.

I woudl change as follows:

no access-list 101 permit ip any host

access-list 101 permit tcp any host eq 23

static nat statements looks ok.

If this does not work, check any acls in your router applied to VTY 0 4 lines.

JORGE RODRIGUEZ Fri, 06/29/2007 - 19:37

typo on the acl.

it should be:

no access-list 101 permit ip any host

access-list 101 permit tcp any host eq 23

DIEGO ALONSO Sat, 06/30/2007 - 09:33

My intention is to all full access to the router. I believe that by using the parameter "permit ip" I am allowing all protocols including tcp, udp and all other IP based. I will try "permit tcp" to test but I am pretty sure "permit ip" should also work.


JORGE RODRIGUEZ Sat, 06/30/2007 - 14:37

Pedro, that is correct with the "permit ip".

can you post the routers config , something then must be blocking inbound telnet access at the router.. can you see any hits in the fw logs for inbound telnet to the router.

glynnd Sat, 06/30/2007 - 20:05

is there an "access-class" defined under

line vty 0 4 ?

DIEGO ALONSO Sun, 07/01/2007 - 11:32

There is no access lists defined for VTY but please keep in mind that it is not only telnet that doesn't work with static NAT. ICMP/pings do not work either and GRE doesn't work either. My point is that the "permit ip" command should allow all traffic to the internal router but nothing works. Attached is the config of the router

froggy3132000 Sun, 07/01/2007 - 14:09

if you do a show access-list do you see acl hits on 101 incrementing? Are you sure the traffic is making it to the PIX?

ryancolson Sun, 07/01/2007 - 20:05

I had a kinda similar experiance with a pix 501. It seemed like a possible bug with the 6.2.2 code.

DIEGO ALONSO Tue, 07/03/2007 - 06:33

Sounds like a good idea. I will try an upgrade over the holiday and let you know what happens.



This Discussion