Policy NAT Issue

Unanswered Question

I have set up a L2L VPN for a customer in which the vendor requires their IPs to be NATed when they come across. So, I have set up policy NAT on their PIX for the L2L VPN. Here is a snip of the NAT config:

access-list nat-to-vendor permit ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0

global (outside) 100 10.11.46.33-10.11.46.62 netmask 255.255.255.224
global (outside) 1 interface
global (outside) 2 x.x.x.x
global (outside) 3 y.y.y.y
global (dmz) 1 interface

nat (inside) 0 access-list nonatvpn
nat (inside) 100 access-list nat-to-vendor 0 0
nat (inside) 2 192.168.10.7 255.255.255.255 0 0
nat (inside) 3 192.168.10.40 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The policy NAT works; however, once a machine attempts a connection to the vendor using a 172.22.1.x destination address, it can no longer get to the internet. Checking the xlate table, there are 2 entries for the machine, one for the policy NAT (ID 100) and one for the regular NAT (ID 1). And, if I clear the xlate entry for the policy NAT, the machine can then get to the internet. But one ping to the 172.22.1.x network and internet access is lost. It is a PIX running 6.3(3).

Am I doing this wrong or does anyone have any other suggestions?

Kureli Sankar Mon, 06/08/2009 - 18:46

I would try replacing the line below:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

with:

nat (inside) 1 access-list www-traffic

access-list www-traffic deny ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic permit ip any any

Sorry, I am not in a position to try this out in the lab.

Give it a shot and let us know.

-KS
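As an added example (not part of this thread, and not Cisco's code), here is a small Python checker for the configuration the reply above proposes. It parses both access-lists in PIX 6.3 syntax (dotted subnet masks, first match wins, implicit deny at the end), evaluates a given source/destination pair against each list, and confirms that every source/destination pair the policy NAT ACL permits is denied by the default NAT ACL before its catch-all permit, so that no flow can be a candidate for both nat statements. The two ACLs are embedded as constructed sample input copied from the thread; the function names, the 203.0.113.10 "internet host" address (a documentation address) and the assumption that removing this overlap is the point of the workaround are mine.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the two access-lists from the thread, in PIX 6.3
# syntax (dotted subnet masks). nat-to-vendor drives the policy NAT (ID 100);
# www-traffic is the proposed replacement for the default "nat (inside) 1".
POLICY_NAT_ACL = """
access-list nat-to-vendor permit ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0
"""

DEFAULT_NAT_ACL = """
access-list www-traffic deny ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic permit ip any any
"""


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_net(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK') from tokens."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        if tokens[2] not in ("permit", "deny"):
            raise ValueError(f"unknown action in ACE: {line}")
        src, rest = _take_net(tokens[4:])
        dst, rest = _take_net(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACE: {line}")
        aces.append(Ace(tokens[2], src, dst))
    return aces


def acl_action(aces, src_ip, dst_ip):
    """First matching ACE wins; an ACL with no match denies, as on the PIX."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def uncovered_policy_aces(policy_aces, default_aces):
    """Return the policy-NAT permit ACEs for which the default NAT ACL has no
    covering deny ahead of an overlapping permit. An empty list means no
    source/destination pair can match both nat statements."""
    uncovered = []
    for p in policy_aces:
        if p.action != "permit":
            continue
        covered = False
        for d in default_aces:
            if d.action == "deny" and p.src.subnet_of(d.src) and p.dst.subnet_of(d.dst):
                covered = True
                break
            if d.action == "permit" and p.src.overlaps(d.src) and p.dst.overlaps(d.dst):
                break   # some of p's flows would hit this permit first
        if not covered:
            uncovered.append(p)
    return uncovered


if __name__ == "__main__":
    policy = parse_acl(POLICY_NAT_ACL)
    default = parse_acl(DEFAULT_NAT_ACL)
    # 203.0.113.10 is a documentation address standing in for an internet host
    for dst in ("172.22.1.5", "203.0.113.10"):
        print(f"192.168.10.7 -> {dst}: nat-to-vendor {acl_action(policy, '192.168.10.7', dst)},"
              f" www-traffic {acl_action(default, '192.168.10.7', dst)}")
    gaps = uncovered_policy_aces(policy, default)
    print("policy ACEs without a covering deny in www-traffic:", len(gaps))
```

Run it as-is and it reports that vendor-bound traffic from 192.168.10.7 matches only nat-to-vendor while internet-bound traffic matches only www-traffic, with zero uncovered policy ACEs. Delete one of the deny lines from www-traffic and the checker flags the corresponding nat-to-vendor entry, which is the overlap the reply's deny lines exist to prevent.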

Kureli Sankar Thu, 06/11/2009 - 09:16

Sorry, I wasn't aware of this bug, but I am glad I gave you the workaround listed in this bug.
