only PAT works thru PIX, no static NAT

I have a Cisco 2821 router that sits behind a PIX firewall. When this router is using a PAT IP it can ping and telnet outside public IPs thru the firewall with no problem. Recently I added a static NAT entry so I can telnet to this router from the outside. I made sure that there was an ACL entry on the PIX permitting telnet traffic to the router's public IP but I was not able to telnet into the router from the outside. After double-checking my work and doing some testing I found that the minute I create a static NAT entry for the router I lose all connectivity to the outside from the router. This includes pinging and telneting out from the router that works when the router is using a PAT IP but not when the router has a static IP. What can be causing this?

Thanks,

Diego

BTW, there are other devices, like Windows servers that are working successfully with static IPs thru this firewall. The problem seems isolated to the router. I also tried different public IPs to NAT to the router but the same situation persists.

14 REPLIES
Re: only PAT works thru PIX, no static NAT

Can you post the PIX and 2821 configs?

Re: only PAT works thru PIX, no static NAT

Hello.

Depends on the PAT configuration, which may have covered subnets.

When you're testing from the router, do you specify a source interface?

Likewise, does the vty allow/restrict access via an ACL?

Re: only PAT works thru PIX, no static NAT

Here is the PIX config. I guess I am overlooking something but even after sleeping on it I can't find anything.

Thanks,

Diego

Re: only PAT works thru PIX, no static NAT

Hi Diego,

assuming this is the static translation for the router ( 67.93.238.167 10.23.0.254 )

I see you have this statement :

access-list 101 permit ip any host 67.93.238.167

We have to allow tcp as opposed to ip.

I would change as follows:

no access-list 101 permit ip any host 67.93.238.167

access-list 101 permit tcp any host 65.43.92.54 eq 23

Static nat statements look ok.

If this does not work, check any acls in your router applied to VTY 0 4 lines.

Re: only PAT works thru PIX, no static NAT

typo on the acl.

it should be:

no access-list 101 permit ip any host 67.93.238.167

access-list 101 permit tcp any host 67.93.238.167 eq 23

Re: only PAT works thru PIX, no static NAT

My intention is to allow full access to the router. I believe that by using the parameter "permit ip" I am allowing all protocols, including tcp, udp and all other IP based. I will try "permit tcp" to test, but I am pretty sure "permit ip" should also work.

Diego

Re: only PAT works thru PIX, no static NAT

Pedro, that is correct with the "permit ip".

Can you post the router's config? Something then must be blocking inbound telnet access at the router. Can you see any hits in the fw logs for inbound telnet to the router?

Re: only PAT works thru PIX, no static NAT

Is there an "access-class" defined under

line vty 0 4 ?

Re: only PAT works thru PIX, no static NAT

There are no access lists defined for VTY, but please keep in mind that it is not only telnet that doesn't work with static NAT. ICMP/pings do not work either, and neither does GRE. My point is that the "permit ip" command should allow all traffic to the internal 10.23.0.254 router, but nothing works. Attached is the config of the router.
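The "permit ip" versus "permit tcp ... eq 23" question under discussion, as an added example that is not part of this thread or of any Cisco code: a small Python matcher for the PIX access-list lines quoted above, run over constructed sample packets (the outside source 198.51.100.7 is made up) to show which entry admits telnet, ICMP and GRE to the router's static NAT address.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]'.
    Only the 'any' and 'host A.B.C.D' address forms used in the thread are handled."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not a PIX access-list entry: " + line)
    ace = {"action": tok[2], "proto": tok[3], "src": None, "dst": None, "dport": None}
    i = 4
    for key in ("src", "dst"):
        if tok[i] == "any":                      # matches any address
            i += 1
        elif tok[i] == "host":                   # single host address
            ace[key] = ipaddress.ip_address(tok[i + 1])
            i += 2
        else:
            raise ValueError("unsupported address form: " + tok[i])
    if i < len(tok) and tok[i] == "eq":          # optional destination port
        ace["dport"] = 23 if tok[i + 1] == "telnet" else int(tok[i + 1])
    return ace

def ace_matches(ace, pkt):
    """pkt: dict with 'proto' name, 'src' and 'dst' strings, and an optional 'dport'."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False                              # 'ip' covers tcp, udp, icmp, gre, ...
    for key in ("src", "dst"):
        if ace[key] is not None and ace[key] != ipaddress.ip_address(pkt[key]):
            return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True

def acl_permits(lines, pkt):
    """First matching entry wins; a PIX ACL ends in an implicit deny."""
    for line in lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False

# Constructed sample traffic from a made-up outside host to the router's NAT address.
SAMPLES = {
    "telnet": {"proto": "tcp", "src": "198.51.100.7", "dst": "67.93.238.167", "dport": 23},
    "ping": {"proto": "icmp", "src": "198.51.100.7", "dst": "67.93.238.167"},
    "gre": {"proto": "gre", "src": "198.51.100.7", "dst": "67.93.238.167"},
}
BROAD = ["access-list 101 permit ip any host 67.93.238.167"]
NARROW = ["access-list 101 permit tcp any host 67.93.238.167 eq 23"]

def compare(samples=SAMPLES):
    # {name: (permitted by BROAD, permitted by NARROW)}
    return {n: (acl_permits(BROAD, p), acl_permits(NARROW, p)) for n, p in samples.items()}
```

The result confirms the point made above: the "permit ip" entry admits all three sample packets, while the "permit tcp ... eq 23" entry admits only the telnet one, so the access-list alone cannot account for ICMP and GRE failing.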

Re: only PAT works thru PIX, no static NAT

If you do a show access-list, do you see ACL hits on 101 incrementing? Are you sure the traffic is making it to the PIX?

Re: only PAT works thru PIX, no static NAT

Also,

If you are playing about with the translations, it's always good to perform a clear xlate.

Re: only PAT works thru PIX, no static NAT

I had a kinda similar experience with a PIX 501. It seemed like a possible bug with the 6.2.2 code.

Re: only PAT works thru PIX, no static NAT

Sounds like a good idea. I will try an upgrade over the holiday and let you know what happens.

Thanks,

Re: only PAT works thru PIX, no static NAT

Can you provide a

show conn pro tcp local 10.23.0.254

after doing a telnet from the internet to your NAT address?
