
Error PATing on a PIX515E

Greetings,

My client has a need to PAT via a L2L tunnel on a PIX515E running 6.3(5). All users on the inside should be able to connect to 2 VLSM IP scopes and one test machine via a VPN tunnel. The remote site is allowing all connections to appear coming from a single IP address.

I created the access lists for PATing but I am getting an error message when I try to NAT the single IP to an access list. Here is my configuration and the error message:

name 10.254.1.1 partners_tunneltest
name 10.254.1.128 partners_portal
name 10.254.11.80 partners_meditech
name x.x.x.x PHS_router
!
object-group network PARTNERS_OUT
 network-object partners_tunneltest 255.255.255.255
 network-object partners_portal 255.255.255.128
 network-object partners_meditech 255.255.255.240
!
access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT
access-list PARTNERS permit ip any object-group PARTNERS_OUT
crypto map mymap 51 ipsec-isakmp
crypto map mymap 51 match address outside_cryptomap_51
crypto map mymap 51 set pfs group2
crypto map mymap 51 set peer PHS_router
crypto map mymap 51 set transform-set ESP-3DES-SHA
crypto map mymap 51 set security-association lifetime seconds 28800 kilobytes 86400
!

PIX-515(config)#static (inside,outside) 10.255.11.62 access-list PARTNERS
ERROR: invalid netmask 255.0.0.0 with global address 10.255.11.62
Usage: [no] static [(real_ifc, mapped_ifc)]
        {<mapped_ip>|interface}
        {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
        [dns] [norandomseq] [<max_conns> [<emb_lim>]]
       [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
        {<mapped_ip>|interface} <mapped_port>
        {<real_ip> <real_port> [netmask <mask>]} |
        {access-list <acl_name>}
        [dns] [norandomseq] [<max_conns> [<emb_lim>]]

pix-515(config)# static (inside,outside) 10.255.11.62 netmask 255.255.255.255 access-list PARTNERS
ERROR: invalid local IP address netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
        {<mapped_ip>|interface}
        {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
        [dns] [norandomseq] [<max_conns> [<emb_lim>]]
       [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
        {<mapped_ip>|interface} <mapped_port>
        {<real_ip> <real_port> [netmask <mask>]} |
        {access-list <acl_name>}
        [dns] [norandomseq] [<max_conns> [<emb_lim>]]

Thanks for the help.

1 ACCEPTED SOLUTION

Re: Error PATing on a PIX515E

I personally do not use the PDM. Just because the PDM does not recognise/like the config does not mean it is not working. The fact that the PDM only configures about 10% of the available commands in the PIX says it all.

I suggest your client upgrades the IOS to a version that supports the ASDM.

11 REPLIES

Re: Error PATing on a PIX515E

Try this instead:

global (outside) 99 10.255.11.62
nat (inside) 99 access-list PARTNERS

HTH


Re: Error PATing on a PIX515E

I also tried this policy NAT and it did not work. I was able to create it using the CLI, but PDM reported it as an invalid configuration and I had to remove it. The configuration I listed in my initial post works for another client, but they have an ASA instead.

Thanks,

Ramzi

Re: Error PATing on a PIX515E

I have this as a working config on multiple sites. What testing did you perform to confirm it did not work?


Re: Error PATing on a PIX515E

Testing is browsing to 10.254.1.1. I just realized my tunnel is no longer up; I have to fix that. Attached is the error from PDM regarding the policy NAT.

Re: Error PATing on a PIX515E

OK - I see one potential issue: in my lab testing and my working config, my firewalls are running IOS 7.x & 8.x. What version are you running?


Re: Error PATing on a PIX515E

6.3(5)

Re: Error PATing on a PIX515E

It works with that version.


Re: Error PATing on a PIX515E

I don't know why PDM rejects the policy NAT and disables PDM configuration until these 2 lines are removed. My client depends on PDM for simple configurations, so PDM configuration must be available. Did you see the attached error earlier?

Thanks


Re: Error PATing on a PIX515E

I figured the static works for one-to-one and errors on one-to-many (the mask error). I used the policy NAT and told the client he needs to upgrade.

Thanks for the help, I appreciate it.
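As an added illustration (not code from the thread or from Cisco), a small Python check of the size mismatch behind the two `static` errors above: a `static` is a one-to-one translation, so the real block selected by the ACL source must be the same size as the mapped block, whereas `any` onto a single /32 is many-to-one and needs the `global`/`nat` policy PAT from the reply. It assumes PIX ACL sources are written as `any`, `host A`, or `A netmask`; the ACL and mapped address are taken from the thread's config.

```python
import ipaddress

# Constructed input copied from the thread's PIX 6.3 config (a reasoning aid,
# not the PIX's own command parser).
ACL_PARTNERS = "access-list PARTNERS permit ip any object-group PARTNERS_OUT"
MAPPED_IP = "10.255.11.62"  # the single global address the remote site expects


def real_source_network(acl_line: str) -> ipaddress.IPv4Network:
    """Real (inside) source selected by a 'permit ip <src> ...' ACL line.
    'any' -> 0.0.0.0/0, 'host A' -> A/32, 'A M' -> A with dotted netmask M."""
    toks = acl_line.split()
    i = toks.index("ip") + 1
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if toks[i] == "host":
        return ipaddress.IPv4Network(f"{toks[i + 1]}/32")
    return ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}", strict=False)


def static_nat_possible(acl_line: str, mapped_ip: str,
                        mapped_mask: str = "255.255.255.255"):
    """A 'static' maps real addresses onto mapped addresses one-to-one, so the
    two blocks must have the same number of addresses. Returns (ok, reason)."""
    real = real_source_network(acl_line)
    mapped = ipaddress.IPv4Network(f"{mapped_ip}/{mapped_mask}", strict=False)
    if real.num_addresses == mapped.num_addresses:
        return True, f"one-to-one: {real} -> {mapped}"
    return False, (f"{real.num_addresses} real address(es) cannot map one-to-one "
                   f"onto {mapped.num_addresses} mapped address(es); use policy PAT")


def policy_pat_config(acl_name: str, mapped_ip: str, nat_id: int = 99):
    """Many-to-one alternative given in the thread: global/nat with a NAT id."""
    return [f"global (outside) {nat_id} {mapped_ip}",
            f"nat (inside) {nat_id} access-list {acl_name}"]


if __name__ == "__main__":
    ok, why = static_nat_possible(ACL_PARTNERS, MAPPED_IP)
    print("static possible:", ok, "-", why)
    if not ok:
        print("\n".join(policy_pat_config("PARTNERS", MAPPED_IP)))
```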

Re: Error PATing on a PIX515E

np - glad to help.
