Error PATing on a PIX515E

ramzi-kotob
Level 1

Greetings,

My client has a need to PAT via a L2L tunnel on a PIX515E 6.3(5). All users on the inside should be able to connect to 2 VLSM IP scopes and one test machine via a VPN tunnel. The remote site is allowing all connections to appear as coming from a single IP address.

I created the access lists for PATing but I am getting an error message when I try to nat the single IP to an access list. Here is my configuration and the error message:

name 10.254.1.1 partners_tunneltest
name 10.254.1.128 partners_portal
name 10.254.11.80 partners_meditech
name x.x.x.x PHS_router
!
object-group network PARTNERS_OUT
network-object partners_tunneltest 255.255.255.255
network-object partners_portal 255.255.255.128
network-object partners_meditech 255.255.255.240
!
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
access-list PARTNERS permit ip any object-group PARTNERS_OUT
crypto map mymap 51 ipsec-isakmp
crypto map mymap 51 match address outside_cryptomap_51
crypto map mymap 51 set pfs group2
crypto map mymap 51 set peer PHS_router
crypto map mymap 51 set transform-set ESP-3DES-SHA
crypto map mymap 51 set security-association lifetime seconds 28800 kilobytes 86400
!

PIX-515(config)#static (inside,outside) 10.255.11.62 access-list PARTNERS
ERROR: invalid netmask 255.0.0.0 with global address 10.255.11.62
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]

pix-515(config)# static (inside,outside) 10.255.11.62 netmask 255.255.255.255 access-list PARTNERS
ERROR: invalid local IP address netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]

Thanks for the help


11 Replies

andrew.prince
Level 10

try this instead:

global (outside) 99 10.255.11.62
nat (inside) 99 access-list PARTNERS

HTH
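The policy PAT suggested above only does its job if the traffic, after translation, still matches the crypto ACL: the crypto map must carry packets sourced from the PAT address (host 10.255.11.62) to every destination in PARTNERS_OUT. The script below is an added example, not code from this thread or from Cisco; it parses a constructed copy of the thread's object-group and ACLs (name aliases replaced by their addresses, as an assumed simplification) together with the global/nat pair, and reports any policy-NAT destination that the crypto ACL would not match from the PAT address.

```python
import ipaddress

# Constructed sample: the thread's object-group and ACLs (name aliases replaced by their
# addresses) plus the global/nat pair from the reply above.
CONFIG = """\
object-group network PARTNERS_OUT
 network-object 10.254.1.1 255.255.255.255
 network-object 10.254.1.128 255.255.255.128
 network-object 10.254.11.80 255.255.255.240
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
access-list PARTNERS permit ip any object-group PARTNERS_OUT
global (outside) 99 10.255.11.62
nat (inside) 99 access-list PARTNERS
"""

def parse(cfg):
    """Collect network object-groups, 'permit ip' ACEs, and global/nat entries keyed by NAT id."""
    groups, acls, glob, nat = {}, {}, {}, {}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:2] == ["object-group", "network"]:
            group = groups.setdefault(t[2], set())
        elif t[0] == "network-object":
            group.add(ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append(t[4:])   # leftover tokens are <src> <dst>
        elif t[0] == "global":
            glob[t[2]] = t[3]
        elif t[0] == "nat" and t[3] == "access-list":
            nat[t[2]] = t[4]
    return groups, acls, glob, nat

def split_ace(tokens, groups):
    """Return (source tokens, destination networks) for an ACE written with any/host/object-group."""
    n = 1 if tokens[0] == "any" else 2               # 'any' is one token, 'host X' is two
    dst = tokens[n:]
    nets = groups[dst[1]] if dst[0] == "object-group" else {ipaddress.ip_network(dst[1])}
    return tokens[:n], nets

def check_policy_pat(cfg, crypto_acl):
    """Yield each policy-NAT destination that no crypto ACE carries from that NAT id's PAT address."""
    groups, acls, glob, nat = parse(cfg)
    for nat_id, acl in nat.items():
        pat_ip = glob[nat_id]                        # packets enter the tunnel sourced from this address
        aces = [split_ace(a, groups) for a in acls.get(crypto_acl, [])]
        covered = {n for src, dsts in aces if src == ["host", pat_ip] for n in dsts}
        for ace in acls[acl]:
            for d in split_ace(ace, groups)[1]:
                if not any(d.subnet_of(c) for c in covered):
                    yield f"{acl}: {d} is not matched by {crypto_acl} with source host {pat_ip}"
```

Running `list(check_policy_pat(CONFIG, "outside_cryptomap_51"))` on the sample returns an empty list; changing the global address so it no longer equals the crypto ACL source makes every PARTNERS_OUT destination show up as unmatched.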

I also tried this policy NAT and it did not work. I was able to create it using CLI but PDM reported it as an invalid configuration and I had to remove it. The configuration I listed in my initial post works for another client but they have an ASA instead.

Thanks,

Ramzi

I have this as a working config on multiple sites, what testing did you perform to confirm it did not work?

Testing is browsing to 10.254.1.1. I just realized my tunnel is no longer up, I have to fix that. Attached is the error from PDM regarding the policy NAT

OK - I see one potential issue, my testing (lab) and my working config, my firewalls are running ios 7.x & 8.x - what version are you running?

6.3(5)

It works with that ver

I don't know why PDM rejects the Policy NAT and disables PDM configuration until these 2 lines are removed. My client depends on PDM for simple configurations so PDM configuration must be available. Did you see the attached error earlier?

Thanks

I personally do not use the PDM. Just because the PDM does not recognise/like the config does not mean it is not working. The fact the PDM only configures about 10% of the available commands in the PIX says it all.

I suggest your client upgrades the IOS to a version that supports the ASDM.

I figured the static works for one-to-one and it errors on one-to-many (the mask error). I used the policy NAT and told the client he needs to upgrade.

Thanks for the help, I appreciate it

np - glad to help
