Error PATing on a PIX515E

Answered Question
Aug 24th, 2009

Greetings,

My client has a need to PAT via a L2L tunnel on a PIX515E 6.3(5). All users on the inside should be able to connect to 2 VLSM IP scopes and one test machine via a VPN tunnel. The remote site is allowing all connections to appear coming from a single IP address.

I created the access lists for PATing but I am getting an error message when I try to NAT the single IP to an access list. Here is my configuration and the error message:

name 10.254.1.1 partners_tunneltest
name 10.254.1.128 partners_portal
name 10.254.11.80 partners_meditech
name x.x.x.x PHS_router
!
object-group network PARTNERS_OUT
 network-object partners_tunneltest 255.255.255.255
 network-object partners_portal 255.255.255.128
 network-object partners_meditech 255.255.255.240
!
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
access-list PARTNERS permit ip any object-group PARTNERS_OUT
!
crypto map mymap 51 ipsec-isakmp
crypto map mymap 51 match address outside_cryptomap_51
crypto map mymap 51 set pfs group2
crypto map mymap 51 set peer PHS_router
crypto map mymap 51 set transform-set ESP-3DES-SHA
crypto map mymap 51 set security-association lifetime seconds 28800 kilobytes 86400
!

PIX-515(config)# static (inside,outside) 10.255.11.62 access-list PARTNERS

ERROR: invalid netmask 255.0.0.0 with global address 10.255.11.62
Usage: [no] static [(real_ifc, mapped_ifc)]
         {<mapped_ip>|interface}
         {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
         [dns] [norandomseq] [<max_conns> [<emb_lim>]]
       [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
         {<mapped_ip>|interface} <mapped_port>
         {<real_ip> <real_port> [netmask <mask>]} |
         {access-list <acl_name>}
         [dns] [norandomseq] [<max_conns> [<emb_lim>]]

pix-515(config)# static (inside,outside) 10.255.11.62 netmask 255.255.255.255 access-list PARTNERS
ERROR: invalid local IP address netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
         {<mapped_ip>|interface}
         {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
         [dns] [norandomseq] [<max_conns> [<emb_lim>]]
       [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
         {<mapped_ip>|interface} <mapped_port>
         {<real_ip> <real_port> [netmask <mask>]} |
         {access-list <acl_name>}
         [dns] [norandomseq] [<max_conns> [<emb_lim>]]

Thanks for the help
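Added example, not part of the original post or of any reply in this thread. On PIX 6.3, `static ... access-list` defines policy static NAT, a one-to-one mapping whose real-side addresses come from the ACL source; it is not the form for many-to-one PAT. Many-to-one policy PAT is a `nat` statement with an access-list paired with a `global` that names the single mapped address. The fragment below assumes the names, object-group and crypto map already in the post, and that NAT id 5 is otherwise unused on this PIX (the id is an assumption; any non-zero id that is not already in use will do, since id 0 means NAT exemption).

```cisco
! Added example: policy PAT for the L2L tunnel using nat/global (not the
! poster's config). Assumes NAT id 5 is unused on this PIX.
!
! Real side: any inside host talking to the partner ranges
access-list PARTNERS permit ip any object-group PARTNERS_OUT
!
! Policy PAT: traffic matching PARTNERS is translated to the single address
! published in global 5. Policy nat (nat with access-list) is evaluated before
! the regular nat (inside) 1 rule, so the existing outbound PAT can stay.
nat (inside) 5 access-list PARTNERS
global (outside) 5 10.255.11.62
!
! The crypto ACL must match the post-NAT (translated) source address, which is
! why it uses host 10.255.11.62 rather than the inside subnet.
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
crypto map mymap 51 match address outside_cryptomap_51
```

To confirm the translation is applied, open a connection from an inside host to one of the partner addresses and check `show xlate` for an entry mapping the inside host to 10.255.11.62, and `show access-list PARTNERS` for a non-zero hit count; the tunnel side can then be checked with `show crypto ipsec sa` for the 10.255.11.62 local identity. Whether PDM accepts this form on this release is exactly what the thread goes on to discuss; the commands above are the CLI form only.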

ramzi-kotob Mon, 08/24/2009 - 05:09

I also tried this policy NAT and it did not work. I was able to create it using CLI but PDM reported it as an invalid configuration and I had to remove it. The configuration I listed in my initial post works for another client, but they have an ASA instead.

Thanks,

Ramzi

ramzi-kotob Mon, 08/24/2009 - 05:51

I don't know why PDM rejects the Policy NAT and disables PDM configuration until these 2 lines are removed. My client depends on PDM for simple configurations, so PDM configuration must be available. Did you see the attached error earlier?

Thanks
