08-24-2009 04:18 AM - edited 03-11-2019 09:08 AM
Greetings,
My client has a need to PAT via a L2L tunnel on a PIX515E 6.3(5). All users on the inside should be able to connect to 2 VLSM IP scopes and one test machine via a VPN tunnel. The remote site is allowing all connections to appear coming from a single IP address.
I created the access lists for PATing but I am getting an error message when I try to NAT the single IP to an access list. Here is my configuration and the error message:
name 10.254.1.1 partners_tunneltest
name 10.254.1.128 partners_portal
name 10.254.11.80 partners_meditech
name x.x.x.x PHS_router
!
object-group network PARTNERS_OUT
network-object partners_tunneltest 255.255.255.255
network-object partners_portal 255.255.255.128
network-object partners_meditech 255.255.255.240
!
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
access-list PARTNERS permit ip any object-group PARTNERS_OUT
crypto map mymap 51 ipsec-isakmp
crypto map mymap 51 match address outside_cryptomap_51
crypto map mymap 51 set pfs group2
crypto map mymap 51 set peer PHS_router
crypto map mymap 51 set transform-set ESP-3DES-SHA
crypto map mymap 51 set security-association lifetime seconds 28800 kilobytes 86400
!
PIX-515(config)#static (inside,outside) 10.255.11.62 access-list PARTNERS
ERROR: invalid netmask 255.0.0.0 with global address 10.255.11.62
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
pix-515(config)# static (inside,outside) 10.255.11.62 netmask 255.255.255.255 access-list PARTNERS
ERROR: invalid local IP address netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
Thanks for the help
08-24-2009 04:52 AM
try this instead:-
global (outside) 99 10.255.11.62
nat (inside) 99 access-list PARTNERS
HTH
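The two lines above are the whole fix, but it helps to see them in context with the rest of the poster's configuration and to understand why the original static failed. The following is an added example assembled by the editor from the commands already in this thread; it is not a configuration posted by either participant. The peer name PHS_router is the placeholder used in the thread, and the inside hosts are assumed to be whatever falls under "any" in the PARTNERS access list.

```text
! Added example (not from the original thread): complete many-to-one policy NAT
! on PIX 6.3 for the scenario described above, using the thread's own names.
name 10.254.1.1 partners_tunneltest
name 10.254.1.128 partners_portal
name 10.254.11.80 partners_meditech
name x.x.x.x PHS_router
!
object-group network PARTNERS_OUT
 network-object partners_tunneltest 255.255.255.255
 network-object partners_portal 255.255.255.128
 network-object partners_meditech 255.255.255.240
!
! Crypto ACL: the remote side only ever sees the PAT address 10.255.11.62, so the
! traffic selector must match the translated source, not the real inside hosts.
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
!
! Policy NAT ACL: which real traffic gets PATed (any inside host -> partner scopes).
access-list PARTNERS permit ip any object-group PARTNERS_OUT
!
! What failed: "static ... access-list" is a policy STATIC, i.e. a one-to-one
! translation. Without an explicit netmask the PIX falls back to the classful mask
! of 10.255.11.62 (255.0.0.0, hence the first error); with netmask 255.255.255.255
! the "any" source in PARTNERS cannot be mapped one-to-one onto a single /32
! (hence "invalid local IP address netmask"). Do NOT use:
!   static (inside,outside) 10.255.11.62 access-list PARTNERS
!
! What works: dynamic policy NAT. A dedicated nat id (99 here, assumed unused)
! pairs the PARTNERS ACL with a global pool consisting of one address, which gives
! many-to-one PAT. Policy NAT (nat with access-list) is evaluated before regular
! dynamic NAT, so partner-bound traffic is PATed to .62 before any "nat (inside) 1"
! rule used for general Internet access gets a chance to translate it.
global (outside) 99 10.255.11.62
nat (inside) 99 access-list PARTNERS
!
crypto map mymap 51 ipsec-isakmp
crypto map mymap 51 match address outside_cryptomap_51
crypto map mymap 51 set pfs group2
crypto map mymap 51 set peer PHS_router
crypto map mymap 51 set transform-set ESP-3DES-SHA
crypto map mymap 51 set security-association lifetime seconds 28800 kilobytes 86400
```

After generating traffic from an inside host to one of the partner scopes, `show xlate` should list a PAT entry with global address 10.255.11.62 for that host, and `show access-list PARTNERS` should show a non-zero hit count; if the hitcnt stays at zero the traffic is matching an earlier nat rule (nat 0 exemption or a static) and never reaching the policy NAT.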
08-24-2009 05:09 AM
I also tried this policy NAT and it did not work. I was able to create it using CLI but PDM reported it as an invalid configuration and I had to remove it. The configuration I listed in my initial post works for another client but they have an ASA instead.
Thanks,
Ramzi
08-24-2009 05:17 AM
I have this as a working config on multiple sites; what testing did you perform to confirm it did not work?
08-24-2009 05:27 AM
08-24-2009 05:33 AM
OK - I see one potential issue. In my testing (lab) and my working config, my firewalls are running IOS 7.x & 8.x - what version are you running?
08-24-2009 05:35 AM
6.3(5)
08-24-2009 05:48 AM
It works with that ver
08-24-2009 05:51 AM
I don't know why PDM rejects the policy NAT and disables PDM configuration until these 2 lines are removed. My client depends on PDM for simple configurations so PDM configuration must be available. Did you see the attached error earlier?
Thanks
08-24-2009 05:58 AM
I personally do not use the PDM. Just because the PDM does not recognise/like the config does not mean it is not working. The fact that the PDM only configures about 10% of the available commands in the PIX says it all.
I suggest your client upgrades the IOS to a version that supports the ASDM.
08-24-2009 09:33 AM
I figured the static works for one-to-one and errors on one-to-many (the mask error). I used the policy NAT and told the client he needs to upgrade.
Thanks for the help, I appreciate it
08-24-2009 10:34 PM
np - glad to help