Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1187
Views
0
Helpful
17
Replies

Nat issue Pix 525

mlouis
Level 1
Level 1

‎09-05-2008 06:27 AM - edited ‎03-11-2019 06:40 AM

Hi, I'm having an issue with NAT on a Pix 525 running 6.3.4. I have two IP Address that I'm using a static nat on, one works and one does not.

Here are the static entries

static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0

static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0

The entry for 63.xxx.xxx.37 works fine, .38 will not nat.

pix-525-fw01# show capture fix

9 packets captured

12:01:06.109476 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:01:09.030363 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:01:15.065609 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:04:23.108987 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:04:26.082698 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:04:32.017378 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:20:25.125588 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:20:28.105051 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

12:20:34.039701 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>

9 packets shown

Looking at the xlate table

pix-525-fw01# show xlate | include 10.200.100.131

Global 63.xxx.xxx.37 Local 10.200.100.131

PAT Global 65.xxx.xxx.146(30539) Local 10.200.100.131(62685)

Global 10.200.100.131 Local 10.200.100.131

pix-525-fw01#

pix-525-fw01#

pix-525-fw01# show xlate | include 10.200.199.131

Global 10.200.199.131 Local 10.200.199.131

PAT Global 65.xxx.xxx.146(28971) Local 10.200.199.131(4510)

PAT Global 65.xxx.xxx.146(30551) Local 10.200.199.131(4526)

pix-525-fw01#

The path for both of the sources is the same except the vlan. Has anyone ever seen something like this before?

Labels:
0 Helpful
17 Replies 17

mlouis
Level 1
Level 1
In response to andrew.prince

‎09-08-2008 08:28 AM

Tried that, got the same result. One works and one does not. Is there a limit or something on static nat's? Is there a debug that I can use to see why it's not being nat'ed?

0 Helpful

singhsaju
Level 4
Level 4
In response to mlouis

‎09-08-2008 07:27 AM

Hi,

Your NAT ip addresses (63.x.x.x) are in different range as your PIX vpn interface ip address .

"ip address vpn 10.200.253.17 255.255.255.248"

can you remove verify reverse-path- "no ip verify reverse-path interface vpn"

and then remove and add those two NAT statement and test.Do clear xlate also.

HTH

Saju

0 Helpful

mlouis
Level 1
Level 1
In response to singhsaju

‎09-08-2008 11:52 AM

Tried that also, got the same result. I'm stumped!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card