Nat issue Pix 525

mlouis
Level 1

Hi, I'm having an issue with NAT on a PIX 525 running 6.3.4. I have two IP addresses that I'm using static NAT on; one works and one does not.

Here are the static entries

static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0

static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0

The entry for 63.xxx.xxx.37 works fine; .38 will not NAT.

pix-525-fw01# show capture fix

9 packets captured

12:01:06.109476 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:01:09.030363 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:01:15.065609 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:04:23.108987 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:04:26.082698 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:04:32.017378 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:20:25.125588 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:20:28.105051 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:20:34.039701 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

9 packets shown

Looking at the xlate table

pix-525-fw01# show xlate | include 10.200.100.131

Global 63.xxx.xxx.37 Local 10.200.100.131

PAT Global 65.xxx.xxx.146(30539) Local 10.200.100.131(62685)

Global 10.200.100.131 Local 10.200.100.131

pix-525-fw01#

pix-525-fw01#

pix-525-fw01# show xlate | include 10.200.199.131

Global 10.200.199.131 Local 10.200.199.131

PAT Global 65.xxx.xxx.146(28971) Local 10.200.199.131(4510)

PAT Global 65.xxx.xxx.146(30551) Local 10.200.199.131(4526)

pix-525-fw01#

The path for both of the sources is the same except the vlan. Has anyone ever seen something like this before?

17 Replies
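A quick check for exactly this situation, added here as an example and not part of the thread or Cisco's tooling: given the `static` lines from the config and the `show xlate` output, it reports which statics have actually built a translation and, for the ones that have not, what the local host was translated to instead (identity or PAT entries), which is the evidence the xlate listing above already contains. The sample input is constructed, modelled on the sanitised output in the post with documentation addresses in place of the real public ones; it assumes the PIX 6.3 `show xlate` line formats shown in the post, and the `parse_*`/`audit` function names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the thread's sanitised output (not copied
# from a real device): two statics and a `show xlate` listing in which only the
# first static has actually built a translation.  Public addresses are
# documentation ranges; the 10.200.x.x locals are the ones the thread uses.
STATIC_CONFIG = """\
static (inside,vpn) 203.0.113.37 10.200.100.131 netmask 255.255.255.255 0 0
static (inside,vpn) 203.0.113.38 10.200.199.131 netmask 255.255.255.255 0 0
"""

XLATE_OUTPUT = """\
Global 203.0.113.37 Local 10.200.100.131
PAT Global 198.51.100.146(30539) Local 10.200.100.131(62685)
Global 10.200.100.131 Local 10.200.100.131
Global 10.200.199.131 Local 10.200.199.131
PAT Global 198.51.100.146(28971) Local 10.200.199.131(4510)
PAT Global 198.51.100.146(30551) Local 10.200.199.131(4526)
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    rf"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    rf"(?P<global>{IP})\s+(?P<local>{IP})\s+netmask\s+(?P<mask>{IP})"
)
XLATE_RE = re.compile(
    rf"^(?P<pat>PAT\s+)?Global\s+(?P<global>{IP})(?:\(\d+\))?\s+"
    rf"Local\s+(?P<local>{IP})(?:\(\d+\))?\s*$"
)


@dataclass(frozen=True)
class StaticNat:
    real_if: str
    mapped_if: str
    global_ip: str
    local_ip: str


def parse_statics(config_text):
    """Return the one-to-one host `static` rules found in a PIX 6.x config excerpt."""
    statics = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m["mask"] == "255.255.255.255":  # host statics only
            statics.append(StaticNat(m["real_if"], m["mapped_if"], m["global"], m["local"]))
    return statics


def parse_xlates(xlate_text):
    """Classify each `show xlate` line as pat / identity / static.

    PIX 6.3 does not print the interface pair, so a Global==Local line can be
    either a nat 0 identity translation or a static mapping an address to
    itself; both are lumped under "identity" here.
    """
    xlates = []
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        if m["pat"]:
            kind = "pat"
        elif m["global"] == m["local"]:
            kind = "identity"
        else:
            kind = "static"
        xlates.append({"kind": kind, "global": m["global"], "local": m["local"]})
    return xlates


def audit(statics, xlates):
    """For every static, report whether its own xlate has been built.

    A static's xlate appears only once traffic has matched it, so run this
    after sending test traffic (as the capture in the thread does).  When the
    static's entry is absent but the local host has identity or PAT entries,
    the packets were translated by some other rule, which is what to chase.
    """
    report = {}
    for s in statics:
        mine = [x for x in xlates if x["local"] == s.local_ip]
        built = any(x["kind"] == "static" and x["global"] == s.global_ip for x in mine)
        other = sorted({x["kind"] for x in mine
                        if not (x["kind"] == "static" and x["global"] == s.global_ip)})
        report[s.local_ip] = {
            "global": s.global_ip,
            "status": "built" if built else "missing",
            "other_xlates": other,
        }
    return report


def missing_statics(report):
    """Local hosts whose static never produced a translation."""
    return [local for local, r in report.items() if r["status"] == "missing"]


if __name__ == "__main__":
    rep = audit(parse_statics(STATIC_CONFIG), parse_xlates(XLATE_OUTPUT))
    for local, r in rep.items():
        print(f"{local:16} -> {r['global']:16} {r['status']:8} other xlates: {r['other_xlates']}")
```

On the sample above the second static comes back `missing` with `identity` and `pat` as the only translations for 10.200.199.131, which is the same picture the thread's xlate listing shows: the packets reached the firewall and were translated, just not by the static.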

andrew.prince
Level 10

Do you have a VLAN interface for the x.x.199.x? If not, do you have a route to the 10.200.199.x configured?

Yes, I have a route for the 199.x.x.x network directing it to the VPN interface. The traffic gets to the interface for both clients, but the NAT never happens for the one 10.200.x.x address; the 63.x.x.37 NAT works but the .38 does not. This is for a VPN; the encryption domain is 63.x.x.x and 199.x.x.x, so for the one 10. address the VPN works, but without the NAT I cannot get the other client to connect to the VPN.

You have these config lines:-

static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0

static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0

Where is 10.200.100.131?

Where is 10.200.199.131?

Are they directly attached?

No, they are clients that sit behind the inside interface.

OK, are you NATing it again? Or do you have a layer 3 routing device that can route to them?

Yes, the 10. addresses are on my local LAN. They attempt to connect to the 199.x.x.x address and follow my default route; once they get to the firewall I have a route that directs them to the VPN DMZ. Before they get to the VPN interface they should be NATed to the 63.x.x.x address. Then the VPN concentrator will see that as interesting traffic, bring up the VPN, and everybody goes home happy.

Can you post all of:-

NAT

NO-NAT

Routes

Please?

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

nat (guest) 1 10.200.253.48 255.255.255.240 0 0

ip address outside 65.xxx.xxx.xxx 255.255.255.248

Confused.....

static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0

static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0

Can you post the entire config, sanitised? There is quite a lot of info missing.

Sorry about the confusion. The flow is like this

10.200.100.131 > 199.x.x.x

That traffic gets routed to the VPN DMZ and the 10. address NATed to 63.x.x.38.

That traffic flow, 63.x.x.38 > 199.x.x.x, should bring up a VPN on my concentrator.

I can run a capture and see the traffic going to the VPN interface, but it does not get NATed.

If I source the traffic from 10.200.100.131 the NAT works.

Both 10. addresses follow the same route.

I have attached a sanitized config.

Are you able to ping 10.200.199.131 from the firewall?

Yes.

I would recommend you remove the config line that is not currently working, then:

clear xlate

<>

clear xlate

And re-test.

HTH