
New Member

Nat issue Pix 525

Hi, I'm having an issue with NAT on a Pix 525 running 6.3.4. I have two IP addresses that I'm using a static NAT on; one works and one does not.

Here are the static entries:

static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0

static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0

The entry for 63.xxx.xxx.37 works fine; .38 will not NAT.

pix-525-fw01# show capture fix
9 packets captured
12:01:06.109476 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:01:09.030363 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:01:15.065609 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:04:23.108987 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:04:26.082698 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:04:32.017378 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:20:25.125588 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:20:28.105051 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:20:34.039701 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
9 packets shown

Looking at the xlate table:

pix-525-fw01# show xlate | include 10.200.100.131
Global 63.xxx.xxx.37 Local 10.200.100.131
PAT Global 65.xxx.xxx.146(30539) Local 10.200.100.131(62685)
Global 10.200.100.131 Local 10.200.100.131
pix-525-fw01#
pix-525-fw01#
pix-525-fw01# show xlate | include 10.200.199.131
Global 10.200.199.131 Local 10.200.199.131
PAT Global 65.xxx.xxx.146(28971) Local 10.200.199.131(4510)
PAT Global 65.xxx.xxx.146(30551) Local 10.200.199.131(4526)
pix-525-fw01#

The path for both of the sources is the same except for the VLAN. Has anyone ever seen something like this before?
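The check the poster is doing by hand (is the static translation actually instantiated in the xlate table, and do packets on the egress interface still carry the real source?) can be scripted. The following is an added example, not code from the thread or from Cisco: it parses the `static` lines, the `show xlate` output and the `show capture` lines as quoted above (the "xxx" octets are the poster's sanitisation and are kept as literal text), and reports which configured static has no live xlate and how many captured packets left untranslated. The sample data is constructed from the post, and the reminder about `nat 0` precedence is background knowledge about the PIX NAT order, not something the thread states.

```python
"""Cross-check PIX 'static' config against 'show xlate' and 'show capture'.

Added example (not from the thread): for each configured static, say whether
the translation exists in the xlate table and whether packets captured on the
egress interface were sourced from the real or the translated address.
Sample input below is constructed from the sanitised output quoted in the post.
"""
import re
from collections import Counter

STATICS = """\
static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0
static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0
"""

XLATE = """\
Global 63.xxx.xxx.37 Local 10.200.100.131
PAT Global 65.xxx.xxx.146(30539) Local 10.200.100.131(62685)
Global 10.200.100.131 Local 10.200.100.131
Global 10.200.199.131 Local 10.200.199.131
PAT Global 65.xxx.xxx.146(28971) Local 10.200.199.131(4510)
PAT Global 65.xxx.xxx.146(30551) Local 10.200.199.131(4526)
"""

# Three SYN retries of one flow, abbreviated from the nine-packet capture.
CAPTURE = """\
12:01:06.109476 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:01:09.030363 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:01:15.065609 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
"""

STATIC_RE = re.compile(r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<global>\S+) (?P<local>\S+) netmask")
XLATE_RE = re.compile(r"^(?P<pat>PAT )?Global (?P<global>[^\s(]+)(?:\(\d+\))? Local (?P<local>[^\s(]+)(?:\(\d+\))?$")
CAPTURE_RE = re.compile(r"^\S+ (?:802\.1Q vlan#(?P<vlan>\d+) P\d+ )?(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+)")


def parse_statics(text):
    """Map local (real) address -> (real_if, mapped_if, global address)."""
    out = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            out[m["local"]] = (m["real"], m["mapped"], m["global"])
    return out


def parse_xlate(text):
    """Return (kind, global, local) rows; kind is 'static', 'identity' or 'pat'."""
    rows = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        if m["pat"]:
            kind = "pat"
        elif m["global"] == m["local"]:
            kind = "identity"  # Global == Local: no address change at all
        else:
            kind = "static"
        rows.append((kind, m["global"], m["local"]))
    return rows


def parse_capture(text):
    """Count captured packets by (src, dst, dport); the src is what left the box."""
    seen = Counter()
    for line in text.splitlines():
        m = CAPTURE_RE.match(line.strip())
        if m:
            seen[(m["src"], m["dst"], int(m["dport"]))] += 1
    return seen


def diagnose(statics_text, xlate_text, capture_text):
    """Per configured static: is the translation live, and what did the capture see?"""
    statics = parse_statics(statics_text)
    xlates = parse_xlate(xlate_text)
    seen = parse_capture(capture_text)
    report = {}
    for local, (_real_if, _mapped_if, expected_global) in statics.items():
        mine = [(k, g) for k, g, l in xlates if l == local]
        report[local] = {
            "expected_global": expected_global,
            "static_live": ("static", expected_global) in mine,
            "identity_xlate": any(k == "identity" for k, _g in mine),
            "pat_xlates": sum(1 for k, _g in mine if k == "pat"),
            "pkts_untranslated": sum(n for (src, _d, _p), n in seen.items() if src == local),
            "pkts_translated": sum(n for (src, _d, _p), n in seen.items() if src == expected_global),
        }
    return report


def findings(report):
    """Human-readable problems; an empty list means every static is doing its job."""
    out = []
    for local, r in report.items():
        if not r["static_live"]:
            out.append(f"{local}: no xlate for static global {r['expected_global']}")
        if r["pkts_untranslated"]:
            out.append(f"{local}: {r['pkts_untranslated']} captured packet(s) still sourced from the real address")
        # Background knowledge, not from the thread: on PIX, nat 0 / NAT exemption is
        # evaluated before static, so an identity xlate beside a missing static is the
        # first place to look in the no-NAT rules.
        if r["identity_xlate"] and not r["static_live"]:
            out.append(f"{local}: identity xlate present, check nat 0 / exemption rules matching this host")
    return out


if __name__ == "__main__":
    for line in findings(diagnose(STATICS, XLATE, CAPTURE)):
        print(line)
```

Run against the quoted output it reports nothing for 10.200.100.131 and three findings for 10.200.199.131 (no xlate for 63.xxx.xxx.38, packets leaving with the real source, and an identity xlate to investigate). Pasting a full `show xlate` and a capture from the egress interface into the three constants is enough to reuse it on another box.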

17 REPLIES

Re: Nat issue Pix 525

Do you have a VLAN interface for the x.x.199.x? If not, do you have a route to the 10.200.199.x configured?

New Member

Re: Nat issue Pix 525

Yes, I have a route for the 199.x.x.x network directing it to the VPN interface. The traffic gets to the interface for both clients, but the NAT never happens for the one 10.200.x.x address: the 63.x.x.37 NAT works but the .38 does not. This is for a VPN; the encryption domain is 63.x.x.x and 199.x.x.x, so for the one 10. address the VPN works, but without the NAT I cannot get the other client to connect to the VPN.

Re: Nat issue Pix 525

You have these config lines:

static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0

static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0

Where is 10.200.100.131?

Where is 10.200.199.131?

Are they directly attached?

New Member

Re: Nat issue Pix 525

No, they are clients that sit behind the inside interface.

Re: Nat issue Pix 525

OK, are you NATting it again? Or do you have a layer 3 routing device that can route to them?

New Member

Re: Nat issue Pix 525

Yes, the 10. addresses are on my local LAN. They attempt to connect to the 199.x.x.x address and follow my default route; once they get to the firewall, I have a route that directs them to the VPN DMZ. Before they get to the VPN interface they should be NATed to the 63.x.x.x address. Then the VPN concentrator will see that as interesting traffic, bring up the VPN, and everybody goes home happy.

Re: Nat issue Pix 525

Can you post all of:

NAT
NO-NAT
Routes

Please?

New Member

Re: Nat issue Pix 525

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

nat (guest) 1 10.200.253.48 255.255.255.240 0 0

ip address outside 65.xxx.xxx.xxx 255.255.255.248

Re: Nat issue Pix 525

Confused.....

static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0

static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0

Can you post the entire config, sanitised? There is quite a lot of info missing.

New Member

Re: Nat issue Pix 525

Sorry about the confusion. The flow is like this:

10.200.100.131 > 199.x.x.x

That traffic gets routed to the VPN DMZ and the 10. address NATed to 63.x.x.38.

That traffic flow, 63.x.x.38 > 199.x.x.x, should bring up a VPN on my concentrator.

I can run a capture and see the traffic going to the VPN interface, but it does not get NATed.

If I source the traffic from 10.200.100.131 the NAT works.

Both 10. addresses follow the same route.

I have attached a sanitized config.

New Member

Re: Nat issue Pix 525

Attached

Re: Nat issue Pix 525

Are you able to ping 10.200.199.131 from the firewall?

New Member

Re: Nat issue Pix 525

yes

Re: Nat issue Pix 525

I would recommend you remove the config line that is not currently working, then:

clear xlate

<>

clear xlate

And re-test?

HTH

New Member

Re: Nat issue Pix 525

Tried that, got the same result. One works and one does not. Is there a limit or something on static NATs? Is there a debug that I can use to see why it's not being NATed?

Silver

Re: Nat issue Pix 525

Hi,

Your NAT IP addresses (63.x.x.x) are in a different range than your PIX vpn interface IP address.

"ip address vpn 10.200.253.17 255.255.255.248"

Can you remove verify reverse-path: "no ip verify reverse-path interface vpn"

and then remove and re-add those two NAT statements and test. Do clear xlate also.

HTH

Saju

New Member

Re: Nat issue Pix 525

Tried that also, got the same result. I'm stumped!
