NAT in PIX 515

Unanswered Question
May 23rd, 2008


I'm running a PIX 515E for management purposes. I have several nets, one outside, and three inside. I've set up NAT between them, since my inside0 has real IP addresses, and 1 & 2 have private addresses. This is working brilliantly.

My problem is a third private net.

It's located behind a 3750. I can reach it ( -> - loopback interfaces) from the 3750 (they're directly connected on some of the interfaces), but not from the rest of the units (e.g. my supervisor server). I'm thinking of reaching these via NAT in the PIX. But no matter what I try, I just can't seem to reach the 172... addresses from my 90.x.x.x network. The mng VLAN is terminated on a VLAN interface in the 3750 router.

Any pointers would do me great;=)


markraves Thu, 05/29/2008 - 00:45


Thanks for the reply. Sorry for answering late, I was taking a couple of days off;=)

Here's my current config regarding the matter:

    interface Ethernet1
     nameif mng_inside
     security-level 100
     ip address 90.x.x.1
    global (mng_outside) 1 interface
    static (mng_inside,RadioMan) 90.x.x.0 netmask // This line works
    static (mng_inside,AlliedMan) 90.x.x.0 netmask // This line works
    static (mng_inside,mng_inside) 90.x.x.0 netmask // This line errors
    access-group outside_access_in_1 in interface mng_outside
    route mng_outside 128.x.x.1 10
    route mng_outside 128.x.x.1 9
    route mng_inside 1
    route mng_inside 90.x.x.1 1

During a packet trace, I get this error:

    Type -
    Subtype -
    Action -
    Show rule in NAT Rules table.

    static (mng_inside,mng_inside) 90.x.x.0 netmask
      match ip mng_inside mng_inside any
        static translation to 90.x.x.0
        translate_hits = 0, untranslate_hits = 38

I've also tried the following line instead:

    static (mng_inside,mng_inside) 90.x.x.0 netmask

This does not result in a packet trace error - the packet tracer gently confirms that the packet is allowed.

What I'm thinking - since the network is behind the 90.x.x.12 address, maybe my route in the PIX should be route inside 90.x.x.12?


