Error PATing on a PIX515E

Answered Question
Aug 24th, 2009

Greetings,

My client has a need to PAT via a L2L tunnel on a PIX515E 6.3(5). All users on the inside should be able to connect to 2 VLSM IP scopes and one test machine via a VPN tunnel. The remote site is allowing all connections to appear coming from a single IP address.

I created the access lists for PATing but I am getting an error message when I try to NAT the single IP to an access list. Here is my configuration and the error message:

name 10.254.1.1 partners_tunneltest
name 10.254.1.128 partners_portal
name 10.254.11.80 partners_meditech
name x.x.x.x PHS_router
!
object-group network PARTNERS_OUT
 network-object partners_tunneltest 255.255.255.255
 network-object partners_portal 255.255.255.128
 network-object partners_meditech 255.255.255.240
!
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
access-list PARTNERS permit ip any object-group PARTNERS_OUT
crypto map mymap 51 ipsec-isakmp
crypto map mymap 51 match address outside_cryptomap_51
crypto map mymap 51 set pfs group2
crypto map mymap 51 set peer PHS_router
crypto map mymap 51 set transform-set ESP-3DES-SHA
crypto map mymap 51 set security-association lifetime seconds 28800 kilobytes 86400
!
PIX-515(config)# static (inside,outside) 10.255.11.62 access-list PARTNERS
ERROR: invalid netmask 255.0.0.0 with global address 10.255.11.62
Usage: [no] static [(real_ifc, mapped_ifc)]
        {<mapped_ip>|interface}
        {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
        [dns] [norandomseq] [<max_conns> [<emb_lim>]]
       [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
        {<mapped_ip>|interface} <mapped_port>
        {<real_ip> <real_port> [netmask <mask>]} |
        {access-list <acl_name>}
        [dns] [norandomseq] [<max_conns> [<emb_lim>]]

pix-515(config)# static (inside,outside) 10.255.11.62 netmask 255.255.255.255 access-list PARTNERS
ERROR: invalid local IP address netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
        {<mapped_ip>|interface}
        {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
        [dns] [norandomseq] [<max_conns> [<emb_lim>]]
       [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
        {<mapped_ip>|interface} <mapped_port>
        {<real_ip> <real_port> [netmask <mask>]} |
        {access-list <acl_name>}
        [dns] [norandomseq] [<max_conns> [<emb_lim>]]


Thanks for the help
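The dynamic policy NAT that the later replies mention but never quote, written out here as an added example; this is not the poster's configuration. `static ... access-list` on PIX 6.3 is a one-to-one policy static, which is why the mask errors appear when one mapped address is given for many real hosts; a `nat`/`global` pair keyed on the same ACL gives the many-to-one PAT the remote site asked for. The PARTNERS ACL, object-group and crypto map come from the thread; the NAT id 51 and the assumption that a general `nat (inside) 1 0 0` rule already exists are mine.

```cisco
! Added example, not from the thread: many-to-one policy PAT over the L2L tunnel.
! Only traffic matching the PARTNERS ACL is translated to 10.255.11.62.
! NAT id 51 is an assumed value; it must not collide with existing nat/global ids.
access-list PARTNERS permit ip any object-group PARTNERS_OUT
nat (inside) 51 access-list PARTNERS
global (outside) 51 10.255.11.62 netmask 255.255.255.255
!
! The PIX translates before it evaluates the crypto map, so the crypto ACL
! keys on the translated source, exactly as the thread's outside_cryptomap_51 does.
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
crypto map mymap 51 match address outside_cryptomap_51
!
! All other inside traffic keeps its ordinary PAT rule (assumed to already exist).
! ACL-based nat statements are evaluated before plain nat statements regardless of id.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

After applying it, `show xlate` should show inside hosts that hit the partner ranges translated to 10.255.11.62 (a single entry per inside host/port, not one per host), and `show crypto ipsec sa` should show the SA for peer PHS_router encapsulating packets sourced from that one address; if the SA never forms, the remote side's crypto ACL most likely does not list 10.255.11.62 as the local host.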

ramzi-kotob Mon, 08/24/2009 - 05:09

I also tried this policy NAT and it did not work. I was able to create it using CLI but PDM reported it as an invalid configuration and I had to remove it. The configuration I listed in my initial post works for another client but they have an ASA instead.


Thanks,

Ramzi


ramzi-kotob Mon, 08/24/2009 - 05:51

I don't know why PDM rejects the policy NAT and disables PDM configuration until these 2 lines are removed. My client depends on PDM for simple configurations so PDM configuration must be available. Did you see the attached error earlier?


Thanks

Correct Answer

I personally do not use the PDM. Just because the PDM does not recognise/like the config does not mean it is not working. The fact that the PDM only configures about 10% of the available commands in the PIX says it all.


I suggest your client upgrades the IOS to a version that supports the ASDM.

ramzi-kotob Mon, 08/24/2009 - 09:33

I figured the static works for one-to-one and errors on one-to-many (the mask error). I used the policy NAT and told the client he needs to upgrade.


Thanks for the help, I appreciate it
