New Member

NAT issue

Looks like my PIX501 is not doing what I told it to do. I want my internal LAN traffic to be NATed and encrypted to all remote private LANs, except the destinations specified in the ACL:

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.101.1

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.42.11

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.75.5

------------

nat (inside) 0 access-list toJoseph

nat (inside) 1 10.1.1.0 255.255.255.0 0 0

---------------

crypto map cmTest 10 match address toJoseph

-----------

When I ping the remote-side private LAN address 192.168.1.x, I don't see a matching increase on the ACL rule from 10.1.1.0 to 192.168.0.0.

When I ping 192.168.200.10 (another IP excluded from the nat 1 rule), the ACL matching number from 10.1.1.0 to 192.168.200.10 goes up.

Whole PIX config is attached.

2 REPLIES
New Member

Re: NAT issue

You say:

When I ping remote side private LAN address 192.168.1.x I don't see matching increase on ACL rule from 10.1.1.0 to 192.168.0.0

In the config:

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

it's correct the subnet id is

192.168.0.0 mask /24 !

Maybe you need:

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

New Member

Re: NAT issue

I think you shouldn't see it, as your rule in the ACL is: access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

As you are pinging 192.168.1.x, there won't be any hits, as your rule above is for 192.168.0.0 with a mask of 255.255.255.0.
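To check the replies' point mechanically, here is an added example (not part of the thread or of any Cisco tooling) that parses the toJoseph entries from the original post and reports which entry, if any, a source/destination pair hits. The inside host 10.1.1.10, the test destinations and the function names are assumptions made for illustration.

```python
import ipaddress

# ACL copied from the original post (PIX syntax uses subnet masks, not wildcards).
ACL = """\
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.101.1
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.42.11
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.75.5
"""

def _take_network(tokens):
    """Consume 'host A.B.C.D' or 'A.B.C.D MASK' from the front of the token list."""
    first = tokens.pop(0)
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acl(text):
    """Return (line_no, action, src_net, dst_net) for each 'ip' entry."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        action, rest = tokens[2], tokens[4:]
        src = _take_network(rest)
        dst = _take_network(rest)
        entries.append((n, action, src, dst))
    return entries

def first_match(entries, src, dst):
    """First entry whose source and destination networks both contain the packet, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in entries:
        if s in entry[2] and d in entry[3]:
            return entry
    return None

if __name__ == "__main__":
    acl = parse_acl(ACL)
    # Constructed test packets: 10.1.1.10 is an assumed inside host.
    for dst in ("192.168.200.10", "192.168.0.10", "192.168.1.10"):
        hit = first_match(acl, "10.1.1.10", dst)
        print(dst, "->", f"entry {hit[0]} ({hit[3]})" if hit else "no toJoseph entry matches")
```

A destination with no matching entry is neither exempted by `nat (inside) 0 access-list toJoseph` nor selected by `crypto map cmTest 10 match address toJoseph`, which is why the counters stay flat for 192.168.1.x.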
