NAT issue

Unanswered Question
Apr 18th, 2008

Looks like my PIX501 is not doing what I told it to do. I want my internal LAN traffic to be NATed and encrypted to all remote private LANs, except for the destinations specified in the ACL:

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.101.1

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.42.11

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.75.5

------------

nat (inside) 0 access-list toJoseph

nat (inside) 1 10.1.1.0 255.255.255.0 0 0

---------------

crypto map cmTest 10 match address toJoseph

-----------

When I ping a remote-side private LAN address 192.168.1.x, I don't see the match count increase on the ACL rule from 10.1.1.0 to 192.168.0.0.

When I ping 192.168.200.10 (another IP excluded from the nat 1 rule), the ACL match count from 10.1.1.0 to 192.168.200.10 goes up.

Whole PIX config is attached.

ROBERTO TACCON Sat, 04/19/2008 - 11:03

You say:

When I ping a remote-side private LAN address 192.168.1.x, I don't see the match count increase on the ACL rule from 10.1.1.0 to 192.168.0.0.

on the config:

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

That's correct: the subnet ID is

192.168.0.0 with mask /24!

maybe you need:

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

rkalia1 Fri, 04/25/2008 - 17:37

I think you shouldn't see it, as your rule in the ACL is: access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

As you are pinging 192.168.1.x, there won't be any hits, because your rule above is for 192.168.0.0 with a mask of 255.255.255.0.
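The behaviour both replies describe (no hits on the 192.168.0.0 line for 192.168.1.x, hits on the 192.168.200.0 line for 192.168.200.10) can be checked offline with a small first-match evaluator for PIX-style access-list syntax. The Python below is an added example, not code from the thread or from Cisco. It embeds the five access-list lines from the question as constructed input; the pinging host 10.1.1.5, the destinations 192.168.1.7 and 192.168.200.10, and the corrected 192.168.1.0 line are assumptions chosen to mirror the thread. Note that PIX access-lists take real subnet masks (255.255.255.0), not IOS-style wildcard masks, which the parser reflects.

```python
import ipaddress

# Constructed input: the access-list entries posted in the question.
# "nat (inside) 0 access-list toJoseph" and "crypto map ... match address toJoseph"
# only reference this ACL by name, so the ACL alone decides exemption and tunnel selection.
PIX_ACL = """
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.101.1
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.42.11
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.75.5
"""

# Assumed fix, as suggested in the first reply: a line for the 192.168.1.0/24 LAN.
FIX_LINE = "access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0\n"


def _parse_endpoint(tokens, i):
    """Parse one PIX address spec starting at tokens[i]:
    'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M' (a subnet mask, not a wildcard).
    Returns (network, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # strict=False tolerates host bits set in the address field
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list NAME permit ip SRC DST' lines into ordered entries with hit counters."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue  # ignore blank lines and anything that is not an ACL entry
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_endpoint(tokens, 4)
        dst, _ = _parse_endpoint(tokens, i)
        entries.append({"name": name, "action": action, "proto": proto,
                        "src": src, "dst": dst, "line": line, "hits": 0})
    return entries


def match(entries, src_ip, dst_ip):
    """First-match evaluation, as the PIX does: return the first entry whose source and
    destination both contain the packet and bump its hit counter (what 'show access-list'
    reports as hitcnt). Return None when nothing matches; such traffic is not NAT-exempt
    and not interesting to the crypto map, so it falls through to 'nat (inside) 1'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e["src"] and d in e["dst"]:
            e["hits"] += 1
            return e
    return None


def explain(entries, src_ip, dst_ip):
    """Human-readable verdict for one flow."""
    e = match(entries, src_ip, dst_ip)
    if e is None:
        return (f"{src_ip} -> {dst_ip}: no ACL match; NAT 0 exemption and crypto map "
                f"do not apply, traffic is translated by nat (inside) 1")
    return (f"{src_ip} -> {dst_ip}: matches '{e['line']}' (hitcnt now {e['hits']}); "
            f"exempt from NAT and selected for the tunnel")


def hit_counts(entries):
    """Snapshot of per-line hit counters, in ACL order."""
    return [e["hits"] for e in entries]


if __name__ == "__main__":
    acl = parse_acl(PIX_ACL)
    # The two pings described in the question (host addresses are assumptions).
    print(explain(acl, "10.1.1.5", "192.168.1.7"))       # no hit: 192.168.1.7 is outside 192.168.0.0/24
    print(explain(acl, "10.1.1.5", "192.168.200.10"))    # hit on the first line
    print("hitcnt per line:", hit_counts(acl))

    # Same traffic after adding the 192.168.1.0/24 line from the first reply.
    fixed = parse_acl(PIX_ACL + FIX_LINE)
    print(explain(fixed, "10.1.1.5", "192.168.1.7"))
```

The evaluator only models the source/destination containment test, which is all that is needed here; it does not model protocol or port matching, object groups, or the separate crypto-map proxy-ID negotiation that the remote peer must mirror. Once the missing line is added, the remote side's crypto ACL needs the mirror-image entry (192.168.1.0/24 to 10.1.1.0/24), or phase 2 will still fail even though the local hit counter increments.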
