Policy NAT Issue

f00f1ter
Level 1

I have set up a L2L VPN for a customer in which the vendor requires their IPs to be NATted when they come across. So, I have set up policy NAT on their PIX for the L2L VPN. Here is a snip of the NAT config:

access-list nat-to-vendor permit ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0

global (outside) 100 10.11.46.33-10.11.46.62 netmask 255.255.255.224
global (outside) 1 interface
global (outside) 2 x.x.x.x
global (outside) 3 y.y.y.y
global (dmz) 1 interface

nat (inside) 0 access-list nonatvpn
nat (inside) 100 access-list nat-to-vendor 0 0
nat (inside) 2 192.168.10.7 255.255.255.255 0 0
nat (inside) 3 192.168.10.40 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The policy NAT works; however, once a machine attempts a connection to the vendor using a 172.22.1.x destination address, it can no longer get to the internet. Checking the xlate table, there are 2 entries for the machine: one for the policy NAT (ID 100) and one for the regular NAT (ID 1). And, if I clear the xlate entry for the policy NAT, the machine can then get to the internet. But one ping to the 172.22.1.x network and internet access is lost. It is a PIX running 6.3(3).

Am I doing this wrong or does anyone have any other suggestions?

3 Replies

Kureli Sankar
Cisco Employee

I would try to replace this line below:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

with:

nat (inside) 1 access-list www-traffic
access-list www-traffic deny ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic permit ip any any

Sorry, I am not in a position to try this out in the lab.

Give it a shot and let us know.

-KS

Thanks for the reply. However, I found that this issue is a bug in PIX version 6.3.3. The bug ID is CSCec63822. The workaround is to use policy NAT for the internet traffic, or upgrade. I used the workaround, somewhat similar to what you have proposed, and the issue was resolved.

Sorry, I wasn't aware of this bug, but I am glad I gave you the workaround listed in this bug as a workaround.
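A small model of the nat-statement selection described in the thread, plus a check that the www-traffic workaround really keeps every vendor-bound flow out of nat 1, as an added Python example that is not from the thread or from Cisco. It assumes first-match ACL semantics and that the policy NAT (nat 100) is consulted before the regular nat 1 statement; the ACLs are the ones posted above and 203.0.113.10 is a constructed internet address.

```python
import ipaddress

# Policy-NAT ACL as posted in the thread.
POLICY_NAT_ACL = [
    "access-list nat-to-vendor permit ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0",
    "access-list nat-to-vendor permit ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0",
    "access-list nat-to-vendor permit ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0",
    "access-list nat-to-vendor permit ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0",
]

def parse_ace(line):
    # 'access-list NAME ACTION ip SRC MASK DST MASK' -> (action, src_net, dst_net); 'any' = 0.0.0.0/0
    toks = line.split()
    f = " ".join(toks[4:]).replace("any", "0.0.0.0 0.0.0.0").split()
    return toks[2], ipaddress.ip_network(f"{f[0]}/{f[1]}"), ipaddress.ip_network(f"{f[2]}/{f[3]}")

def derive_internet_nat_acl(policy_lines, name="www-traffic"):
    # Mirror each policy-NAT permit as a deny, then permit everything else (the workaround above).
    out = [f"access-list {name} deny ip {s.network_address} {s.netmask} {d.network_address} {d.netmask}"
           for action, s, d in map(parse_ace, policy_lines) if action == "permit"]
    return out + [f"access-list {name} permit ip any any"]

def first_match(acl_lines, src_ip, dst_ip):
    # First-match ACL semantics; None means the implicit deny at the end.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in map(parse_ace, acl_lines):
        if s in src and d in dst:
            return action
    return None

def select_nat_id(policy_acl, internet_acl, src_ip, dst_ip):
    # Simplified PIX order: policy NAT (nat 100) is tried before the regular nat 1 statement.
    if first_match(policy_acl, src_ip, dst_ip) == "permit":
        return 100
    return 1 if first_match(internet_acl, src_ip, dst_ip) == "permit" else None

def policy_flows_excluded(policy_acl, internet_acl):
    # True if every flow the policy ACL permits hits a covering deny before any permit in internet_acl.
    for action, ps, pd in map(parse_ace, policy_acl):
        if action != "permit":
            continue
        for iaction, isrc, idst in map(parse_ace, internet_acl):
            if not (ps.overlaps(isrc) and pd.overlaps(idst)):
                continue
            if iaction == "permit":
                return False          # some vendor-bound flow would also match nat 1
            if ps.subnet_of(isrc) and pd.subnet_of(idst):
                break                 # fully shadowed by a deny; move to the next policy ACE
    return True
```

Running `policy_flows_excluded` against a plain `permit ip any any` ACL (the original nat 1 behaviour) returns False, while the derived www-traffic ACL returns True.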
