NAT issue Pix 525

Unanswered Question
Sep 5th, 2008

Hi, I'm having an issue with NAT on a Pix 525 running 6.3.4. I have two IP addresses that I'm using a static NAT on; one works and one does not.

Here are the static entries

static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0

static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0

The entry for 63.xxx.xxx.37 works fine; .38 will not NAT.

pix-525-fw01# show capture fix

9 packets captured

12:01:06.109476 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:01:09.030363 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:01:15.065609 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:04:23.108987 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:04:26.082698 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:04:32.017378 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:20:25.125588 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:20:28.105051 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:20:34.039701 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

9 packets shown

Looking at the xlate table

pix-525-fw01# show xlate | include 10.200.100.131

Global 63.xxx.xxx.37 Local 10.200.100.131

PAT Global 65.xxx.xxx.146(30539) Local 10.200.100.131(62685)

Global 10.200.100.131 Local 10.200.100.131

pix-525-fw01#

pix-525-fw01#

pix-525-fw01# show xlate | include 10.200.199.131

Global 10.200.199.131 Local 10.200.199.131

PAT Global 65.xxx.xxx.146(28971) Local 10.200.199.131(4510)

PAT Global 65.xxx.xxx.146(30551) Local 10.200.199.131(4526)

pix-525-fw01#

The path for both of the sources is the same except the vlan. Has anyone ever seen something like this before?

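As an added example (not part of the original thread, and not code from the poster), the script below parses the three pieces of CLI output quoted above: the static statements, the show xlate listing and the capture lines. For each static it reports whether the xlate table holds the expected Global/Local pair, only an identity entry (Global equal to Local), only PAT entries, or nothing at all; for the capture it lists TCP flows that consist solely of SYNs with no packet ever seen in the reverse direction. The sample input is constructed from the thread's own output (addresses are already masked with "xxx" there), and the function names and status labels are my own. It goes slightly beyond the thread in that it also recognizes PAT entries and capture lines without an 802.1Q tag.

```python
import re
from collections import Counter

# Sample input constructed from the CLI output quoted in the thread above.
STATICS = """\
static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0
static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0
"""
XLATE = """\
Global 63.xxx.xxx.37 Local 10.200.100.131
PAT Global 65.xxx.xxx.146(30539) Local 10.200.100.131(62685)
Global 10.200.100.131 Local 10.200.100.131
Global 10.200.199.131 Local 10.200.199.131
PAT Global 65.xxx.xxx.146(28971) Local 10.200.199.131(4510)
PAT Global 65.xxx.xxx.146(30551) Local 10.200.199.131(4526)
"""
CAPTURE = """\
12:01:06.109476 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:01:09.030363 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:01:15.065609 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
"""

# PIX 6.x syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
# show xlate lines: optional "PAT " prefix, optional "(port)" after each address
XLATE_RE = re.compile(r"^(?P<pat>PAT )?Global (?P<g>[^\s(]+)(?:\((?P<gp>\d+)\))?"
                      r" Local (?P<l>[^\s(]+)(?:\((?P<lp>\d+)\))?\s*$")
# show capture lines: optional 802.1Q tag, then src.port > dst.port: flags ...
CAP_RE = re.compile(r"^(?P<ts>\S+) (?:802\.1Q vlan#(?P<vlan>\d+) P\d+ )?"
                    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) ")


def parse_statics(text):
    out = []
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            out.append({"real_if": m[1], "mapped_if": m[2], "mapped": m[3],
                        "real": m[4], "mask": m[5]})
    return out


def parse_xlate(text):
    out = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            out.append({"pat": bool(m["pat"]), "global": m["g"], "local": m["l"],
                        "gport": m["gp"], "lport": m["lp"]})
    return out


def audit_statics(statics, xlates):
    """Map each static's real address to (mapped address, what the xlate table shows)."""
    result = {}
    for s in statics:
        mine = [x for x in xlates if x["local"] == s["real"]]
        if any(not x["pat"] and x["global"] == s["mapped"] for x in mine):
            status = "translated"      # the expected static xlate exists
        elif any(not x["pat"] and x["global"] == x["local"] for x in mine):
            status = "identity-only"   # host passes through untranslated
        elif mine:
            status = "pat-only"
        else:
            status = "absent"
        result[s["real"]] = (s["mapped"], status)
    return result


def split_host_port(tok):
    host, _, port = tok.rpartition(".")
    return host, int(port)


def parse_capture(text):
    out = []
    for line in text.splitlines():
        m = CAP_RE.match(line.strip())
        if m:
            src, sport = split_host_port(m["src"])
            dst, dport = split_host_port(m["dst"])
            out.append({"ts": m["ts"], "vlan": m["vlan"], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "flags": m["flags"]})
    return out


def unanswered_syns(packets):
    """Per (src, sport, dst, dport): number of bare SYNs when no reverse packet was captured."""
    syns, answered = Counter(), set()
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            syns[key] += 1
        # any packet on the reverse tuple counts as an answer for that flow
        answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {k: n for k, n in syns.items() if k not in answered}


if __name__ == "__main__":
    for real, (mapped, status) in audit_statics(parse_statics(STATICS), parse_xlate(XLATE)).items():
        print(f"{real} -> {mapped}: {status}")
    for (src, sport, dst, dport), n in unanswered_syns(parse_capture(CAPTURE)).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {n} SYN(s), nothing captured in reply")
```

Run against the thread's output it reports 10.200.100.131 as translated to 63.xxx.xxx.37, 10.200.199.131 as identity-only (no 63.xxx.xxx.38 entry, just the Global = Local line plus PAT to the outside address), and the 10.200.199.131:4184 flow as three SYNs with no reply, which is the same conclusion the poster reached by eye. Feed it fresh `show xlate` and `show capture` text after each config change instead of re-reading the tables by hand.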
mlouis Fri, 09/05/2008 - 07:30

Yes, I have a route for the 199.x.x.x network directing it to the VPN interface. The traffic gets to the interface for both clients, but the NAT never happens for the one 10.200.x.x address: the 63.x.x.37 NAT works, but the .38 does not. This is for a VPN; the encryption domain is 63.x.x.x and 199.x.x.x, so for the one 10. address the VPN works, but without the NAT I cannot get the other client to connect to the VPN.

mlouis Fri, 09/05/2008 - 08:41

No, they are clients that sit behind the inside interface.

mlouis Fri, 09/05/2008 - 10:46

Yes, the 10. addresses are on my local LAN. They attempt to connect to the 199.x.x.x address; they follow my default route, and once they get to the firewall I have a route that directs them to the VPN DMZ. Before they get to the VPN interface they should be NAT'ed to the 63.x.x.x address. Then the VPN concentrator will see that as interesting traffic, bring up the VPN, and everybody goes home happy.

mlouis Fri, 09/05/2008 - 12:21

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

nat (guest) 1 10.200.253.48 255.255.255.240 0 0

ip address outside 65.xxx.xxx.xxx 255.255.255.248

mlouis Mon, 09/08/2008 - 06:12

Sorry about the confusion. The flow is like this

10.200.100.131 > 199.x.x.x

That traffic gets routed to the VPN DMZ and the 10. address NAT'ed to 63.x.x.38

That traffic flow, 63.x.x.38 > 199.x.x.x, should bring up a VPN on my concentrator.

I can run a capture and see the traffic going to the VPN interface but it does not get NAT'ed.

If I source the traffic from 10.200.100.131 the NAT works.

Both 10. address follow the same route.

I have attached a sanitized config.

mlouis Mon, 09/08/2008 - 08:28

Tried that, got the same result. One works and one does not. Is there a limit or something on static NATs? Is there a debug that I can use to see why it's not being NAT'ed?

singhsaju Mon, 09/08/2008 - 07:27

Hi,

Your NAT IP addresses (63.x.x.x) are in a different range from your PIX vpn interface IP address.

"ip address vpn 10.200.253.17 255.255.255.248"

Can you remove verify reverse-path ("no ip verify reverse-path interface vpn"),

and then remove and re-add those two NAT statements and test. Do clear xlate also.

HTH

Saju

mlouis Mon, 09/08/2008 - 11:52

Tried that also, got the same result. I'm stumped!
