Error PATing on a PIX515E

ramzi-kotob (Level 1)

Greetings,

My client has a need to PAT via a L2L tunnel on a PIX515E 6.3(5). All users on the inside should be able to connect to 2 VLSM IP scopes and one test machine via a VPN tunnel. The remote site is allowing all connections to appear coming from a single IP address.

I created the access lists for PATing but I am getting an error message when I try to nat the single IP to an access list. Here is my configuration and the error message:

name 10.254.1.1 partners_tunneltest
name 10.254.1.128 partners_portal
name 10.254.11.80 partners_meditech
name x.x.x.x PHS_router
!
object-group network PARTNERS_OUT
network-object partners_tunneltest 255.255.255.255
network-object partners_portal 255.255.255.128
network-object partners_meditech 255.255.255.240
!
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
access-list PARTNERS permit ip any object-group PARTNERS_OUT
crypto map mymap 51 ipsec-isakmp
crypto map mymap 51 match address outside_cryptomap_51
crypto map mymap 51 set pfs group2
crypto map mymap 51 set peer PHS_router
crypto map mymap 51 set transform-set ESP-3DES-SHA
crypto map mymap 51 set security-association lifetime seconds 28800 kilobytes 86400
!

PIX-515(config)#static (inside,outside) 10.255.11.62 access-list PARTNERS
ERROR: invalid netmask 255.0.0.0 with global address 10.255.11.62
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]

pix-515(config)# static (inside,outside) 10.255.11.62 netmask 255.255.255.255 access-list PARTNERS
ERROR: invalid local IP address netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]

Thanks for the help


11 Replies

andrew.prince (Level 10)

Try this instead:

global (outside) 99 10.255.11.62
nat (inside) 99 access-list PARTNERS

HTH
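The reason the `static ... access-list` form fails and the `nat`/`global` pair works comes down to what each command can express on PIX 6.3: a policy static is a one-to-one translation of each real host, so an ACL whose source is `any` has no single real address to bind to the mapped address (the PIX falls back to a classful 255.0.0.0 mask for the 10.x global address, which is what the first error reports). Many-to-one (PAT) is only expressible with a `nat` statement whose `global` has a single address. The following is an added, annotated example that ties the policy PAT from the reply above back to the crypto map from the original post; it is not configuration from the thread's author or from Cisco documentation, and the inside subnet 10.255.0.0/16 and the `nat 0` exemption list are assumed for illustration.

```cisco
! --- Added example: policy PAT to a single address over a L2L tunnel (PIX 6.3) ---
! Names and object-group reused from the original post.
name 10.254.1.1 partners_tunneltest
name 10.254.1.128 partners_portal
name 10.254.11.80 partners_meditech
!
object-group network PARTNERS_OUT
 network-object partners_tunneltest 255.255.255.255
 network-object partners_portal 255.255.255.128
 network-object partners_meditech 255.255.255.240
!
! Policy NAT match list: which inside traffic gets PATed. Scoping the source to the
! real inside subnet (assumed 10.255.0.0/16 here) instead of "any" keeps unrelated
! interfaces from being pulled into the partner translation.
access-list PARTNERS permit ip 10.255.0.0 255.255.0.0 object-group PARTNERS_OUT
!
! Many-to-one: a global with ONE address means PAT. The nat id (99) only has to
! match between the two lines; it is not an interface or a priority.
global (outside) 99 10.255.11.62
nat (inside) 99 access-list PARTNERS
!
! Caveat: on PIX 6.3 a "nat (inside) 0 access-list" exemption is evaluated BEFORE
! policy NAT. If an existing exemption list (assumed name NONAT) also matches the
! partner destinations, the traffic is never PATed and will not match the crypto ACL.
! Make sure the exemption list does not cover PARTNERS_OUT, e.g. do NOT have:
!   access-list NONAT permit ip 10.255.0.0 255.255.0.0 object-group PARTNERS_OUT
!   nat (inside) 0 access-list NONAT
!
! The crypto ACL is matched AFTER translation, so its source is the PATed address,
! exactly as in the original post.
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
crypto map mymap 51 ipsec-isakmp
crypto map mymap 51 match address outside_cryptomap_51
crypto map mymap 51 set peer PHS_router
crypto map mymap 51 set transform-set ESP-3DES-SHA
!
! Verification (read-only): "show xlate" should list inside hosts translated to
! 10.255.11.62 once a user browses to 10.254.1.1, and "show crypto ipsec sa" should
! show encaps/decaps counters climbing for the 10.255.11.62 -> PARTNERS_OUT proxy IDs.
```

With this in place, a failed test ("browsing to 10.254.1.1 does nothing") can be split into two questions: does `show xlate` show a translation to 10.255.11.62 (if not, NAT order or the `nat 0` exemption is the problem), and does the crypto ACL see the translated source (if the tunnel never negotiates, check the peer's mirror ACL lists host 10.255.11.62 as its remote network).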

I also tried this policy NAT and it did not work. I was able to create it using CLI but PDM reported it as an invalid configuration and I had to remove it. The configuration I listed in my initial post works for another client but they have an ASA instead.

Thanks,

Ramzi

I have this as a working config on multiple sites. What testing did you perform to confirm it did not work?

Testing is browsing to 10.254.1.1. I just realized my tunnel is no longer up; I have to fix that. Attached is the error from PDM regarding the policy NAT.

OK, I see one potential issue: in my testing (lab) and my working config, my firewalls are running IOS 7.x and 8.x. What version are you running?

6.3(5)

It works with that version.

I don't know why PDM rejects the policy NAT and disables PDM configuration until these 2 lines are removed. My client depends on PDM for simple configurations, so PDM configuration must be available. Did you see the attached error earlier?

Thanks

I personally do not use the PDM. Just because the PDM does not recognise/like the config does not mean it is not working. The fact that the PDM only configures about 10% of the available commands in the PIX says it all.

I suggest your client upgrades the IOS to a version that supports the ASDM.

I figured the static works for one-to-one, and it errors on one-to-many (the mask error). I used the policy NAT and told the client he needs to upgrade.

Thanks for the help, I appreciate it.

np, glad to help
