nat issues

Can someone explain to me what's happening here? When I set up a static nat on my machine on the firewall I'm not able to get out to the internet, if I remove that nat and go over the global pat then everything works fine:

static (inside,outside) 172.18.10.39 10.14.2.39 netmask 255.255.255.255

FW# sh xlate | i 2.39

Global 172.18.10.39 Local 10.14.2.39

Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for faddr 72.14.207.99/0 gaddr 172.18.10.39/0 laddr 10.14.2.39/0

The internet router has these lines:

ip nat inside source list 1 pool public

access-list 1 permit 172.18.10.39

11 REPLIES

Re: nat issues

Hi, what are you trying to accomplish? Do you want public inbound connections to reach your local machine?

It seems you are applying the static NAT for the outside interface using a private IP block (172.18.x.x) instead of a public IP address.

Usually:

static (inside,outside) publicIP localIP netmask 255.255.255.255 0 0

Then your access list permits the inbound connections.

For outbound internet, your static NAT, which is your public IP, should get you outbound internet connections.


Re: nat issues

Yeah, the firewall is NATting to another private block, which is our DMZ. The router then NATs it to a public IP with ip nat inside source list 1 pool public.

List 1 includes both the static NAT I created on the firewall and the PAT.

Really, the only reason I want to do this is to TFTP configs from the DMZ equipment to my machine. I got it working using a policy NAT, but I'm just wondering why the static NAT I set up earlier wasn't working properly.


Re: nat issues

Can anybody shed some light on why that setup wasn't working?


Re: nat issues

Let's see if I understand the topology here. You have an "internet router." That NATs a pool of addresses to one host. That router connects to your PIX. This PIX is generally configured for PAT on the outside interface of 172.18.10.39.

When you add the static command, connectivity to the Internet from 10.14.2.39 should work.

But any other host inside that PIX going out to the WWW will not. Always remember that a static command trumps a dynamic one in the ASA world. It trumps any NAT rules with any ID number. It also trumps NAT 0 rules, IIRC.

So what you need to do is a static PAT, not a static NAT.

This is how it would look if 10.14.2.39 were a web server:

static (inside,outside) tcp 172.18.10.39 80 10.14.2.39 80

Just pick one port per static PAT entry.

Use this in conjunction with your existing dynamic PAT rules.


Re: nat issues

Right... here is the topology:

insidenet - pix - dmz - router - internet

But... I do have a PAT already...

global (outside) 1 172.18.10.100

nat (inside) 1 10.14.2.0 255.255.255.0

Everything works fine... however, when I add this line:

static (inside,outside) 172.18.10.39 10.14.2.39 netmask 255.255.255.255

All the other IPs still work, obviously... but from 10.14.2.39 I can't access the internet anymore. The router translates both 172.18.10.39 and 172.18.10.100 to our public internet IP, and I verified that it has the right translations.

I did a ping test and I see the pings coming back in the logs:

Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for faddr 72.14.207.99/0 gaddr 172.18.10.39/0 laddr 10.14.2.39/0

I noticed the port numbers are all 0s... when I do a ping test going over the PAT, it's right:

Apr 16 2007 11:48:35: %PIX-6-302020: Built ICMP connection for faddr 64.233.167.99/0 gaddr 172.18.10.100/5050 laddr 10.14.2.39/512

Based on the setup and the NAT pool on the router, the 172.18.10.39 NAT should still work...


Re: nat issues

What logical network is configured in the DMZ network? Where does 10.14.2.39 connect physically?


Re: nat issues

10.14.2.x/24 is internal and 172.18.10.x/24 is the DMZ


Re: nat issues

Is 172.18.10.39 the outside interface of the PIX?

If so, your problem is that the Internet router thinks 172.18.10.100 is directly connected to itself in the DMZ. It works in the firewall's case because the firewall broadcasts the ARP reply for .39 but not for .100.


Re: nat issues

No... the outside interface is actually 172.18.10.254.


Re: nat issues

ip nat inside source list 1 pool public

access-list 1 permit 172.18.10.39

access-list 1 permit 172.18.10.100

It was staring me in the face. Add 172.18.10.100 to this ACL on the Internet Router.


Re: nat issues

Yeah, it's already there... I didn't add it to the original post because it's already working; I probably should have, to be more clear. :)

But yeah, it's there, 172.18.10.100 and 172.18.10.39, and I verified that both get translated to the public IP with sh ip nat trans.

The weird thing is, when I add the 172.18.10.39 static NAT to the firewall (and lose internet access)... I can do a tcpdump on a spanned port and I see the ICMP traffic coming back to my machine... but my machine shows it as timing out. I guess I should try to capture those packets on my machine to see what I'm getting. But I'm not sure why I'm getting those /0s in the firewall logs.
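Added example, not code from any of the replies in this thread: a small Python model of the two NAT hops being discussed, so the rule ordering can be checked mechanically rather than by staring at the config. It encodes the point made earlier in the thread that a static entry wins over any nat/global pair regardless of ID, walks an inside host through the PIX rules posted above (the global/nat pair plus the 172.18.10.39 static), then checks whether the resulting global address is covered by the router's standard ACL behind "ip nat inside source list 1 pool public", and finally parses the two %PIX-6-302020 messages quoted in the thread so the /0 ports can be compared side by side. The config and log lines are the ones posted in this thread; the wildcard-mask handling and the "any" keyword in the ACL parser are ordinary IOS standard-ACL semantics assumed for completeness, and the field names in the returned dicts are this example's own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed PIX fragment: the global/nat pair and the static posted in this thread.
PIX_CONFIG = """
global (outside) 1 172.18.10.100
nat (inside) 1 10.14.2.0 255.255.255.0
static (inside,outside) 172.18.10.39 10.14.2.39 netmask 255.255.255.255
"""

# Constructed router fragment: the standard ACL behind "ip nat inside source list 1 pool public".
ROUTER_ACL = """
access-list 1 permit 172.18.10.39
access-list 1 permit 172.18.10.100
"""

# The two 302020 messages quoted in the thread (the second rejoined onto one line).
SAMPLE_LOGS = [
    "Apr 13 2007 10:04:44: %PIX-6-302020: Built ICMP connection for faddr 72.14.207.99/0 "
    "gaddr 172.18.10.39/0 laddr 10.14.2.39/0",
    "Apr 16 2007 11:48:35: %PIX-6-302020: Built ICMP connection for faddr 64.233.167.99/0 "
    "gaddr 172.18.10.100/5050 laddr 10.14.2.39/512",
]

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+)(?: (\S+))?$")
LOG_RE = re.compile(r"%PIX-6-302020: Built ICMP connection for faddr (\S+)/(\d+) "
                    r"gaddr (\S+)/(\d+) laddr (\S+)/(\d+)")


def parse_pix(config):
    """Split a PIX fragment into static, nat and global rules (only the forms used here)."""
    statics, nat_rules, globals_ = [], [], {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            ins, outs, gaddr, laddr, mask = m.groups()
            statics.append((ins, outs, ip_network(f"{gaddr}/{mask}", strict=False),
                            ip_network(f"{laddr}/{mask}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            outs, nat_id, gaddr = m.groups()
            globals_[(outs, int(nat_id))] = gaddr
        elif m := NAT_RE.match(line):
            ins, nat_id, net, mask = m.groups()
            nat_rules.append((ins, int(nat_id), ip_network(f"{net}/{mask}", strict=False)))
    return statics, nat_rules, globals_


def translate(local_ip, config=PIX_CONFIG, inside="inside", outside="outside"):
    """(kind, global_ip) for an inside host going out: statics first, since a static
    beats any dynamic nat/global pair whatever its ID; unmatched hosts get no xlate."""
    statics, nat_rules, globals_ = parse_pix(config)
    host = ip_address(local_ip)
    for ins, outs, gnet, lnet in statics:
        if ins == inside and outs == outside and host in lnet:
            offset = int(host) - int(lnet.network_address)  # 1:1 mapping keeps the offset
            return "static", str(ip_address(int(gnet.network_address) + offset))
    for ins, nat_id, lnet in nat_rules:
        if ins == inside and host in lnet and (outside, nat_id) in globals_:
            return "dynamic", globals_[(outside, nat_id)]
    return None, None


def router_permits(global_ip, acl=ROUTER_ACL, list_no=1):
    """True if the standard ACL behind 'ip nat inside source list <list_no>' matches.
    A bare address is a host entry; a second field is an IOS wildcard (1 = don't care)."""
    host = int(ip_address(global_ip))
    for raw in acl.strip().splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or int(m.group(1)) != list_no:
            continue
        addr, wildcard = m.group(2), m.group(3) or "0.0.0.0"
        if addr == "any":
            return True
        care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
        if (host & care) == (int(ip_address(addr)) & care):
            return True
    return False


def parse_302020(line):
    """Pull faddr/gaddr/laddr and their ports out of a %PIX-6-302020 message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f, fp, g, gp, la, lp = m.groups()
    return {"faddr": f, "fport": int(fp), "gaddr": g, "gport": int(gp),
            "laddr": la, "lport": int(lp), "port_rewritten": int(gp) != int(lp)}


def check_host(local_ip):
    """Both hops at once: which PIX rule fires, and whether the router will NAT that address."""
    kind, gaddr = translate(local_ip)
    return {"local": local_ip, "rule": kind, "global": gaddr,
            "router_nats_it": bool(gaddr) and router_permits(gaddr)}


if __name__ == "__main__":
    for ip in ("10.14.2.39", "10.14.2.40", "10.14.3.1"):
        print(check_host(ip))
    for entry in SAMPLE_LOGS:
        print(parse_302020(entry))
```

For the configs posted here, check_host("10.14.2.39") lands on the static with global 172.18.10.39 and the router ACL does permit it, while any other 10.14.2.x host falls through to the PAT on 172.18.10.100; that matches what the poster verified with sh ip nat trans, so the model does not reproduce the failure either. The port_rewritten flag only records what the two quoted log lines show (no port change on the static xlate, a port change on the PAT xlate); the thread does not settle why the static one logs /0, so the script does not claim to.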
