
New Member

PIX Nat/Pat issue

I have a global PAT for a client's subnet to access the internet and a static NAT for a specific host-to-host connection across a site-to-site VPN. I recently added another static NAT with an access-list, and now the host can't access the internet. The client hits the static access-lists but it never hits the global PAT for the internet. I have a PIX 525 running 6.3.3. Any thoughts as to why this is happening? I can't reproduce this effect in the lab.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: PIX Nat/Pat issue

Ah yes. You bring back good memories, Doug :-)

You are running into bug CSCec63822. It was resolved in 6.3(3.136) and later. There is no workaround other than upgrading.

Sincerely,

David.

PS> Please don't forget to mark the issue resolved if it solves your problem so we can check this issue off the list.

5 REPLIES
Cisco Employee

Re: PIX Nat/Pat issue

Can you post the config and the IP address of the client in question?

New Member

Re: PIX Nat/Pat issue

User 100.5.7.47 hits the static site-to-site access-lists but now won't hit the global PAT.

Global PAT for Internet:

global (outside) 10 192.252.127.254
nat (inside) 10 100.5.7.0 255.255.255.0 0 0

Site to Site #1:

access-list host-to-host1 permit ip host 100.5.7.47 host 100.79.104.187
static (inside,outside) 192.252.127.241 access-list host-to-host1 0 0

Site to Site #2:

access-list host-to-host2 permit ip host 100.5.7.47 host 100.200.251.110
static (inside,outside) 206.112.159.32 access-list host-to-host2 0 0


New Member

Re: PIX Nat/Pat issue

Thanks for the info. I have found a workaround until we can upgrade code.

I created a new policy NAT for this specific host:

access-list host-pat deny ip host 100.5.7.47 host x.x.x.x
access-list host-pat deny ip host 100.5.7.47 host y.y.y.y
access-list host-pat permit ip host 100.5.7.47 0.0.0.0 0.0.0.0
nat (inside) 10 access-list host-pat 0 0

This took care of my problem for the time being. We are scheduling a time to upgrade code.

Thanks for your help.

Silver

Re: PIX Nat/Pat issue

Hi Doug,

Be careful with the workaround, as 'deny' statements are not supported in policy NAT. So, your results may be unpredictable.

But, at least it is working for the time being :-)

David.
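The two points raised in this thread (a host that is a source in a static policy access-list and also sits inside a dynamic nat subnet, and 'deny' entries inside an access-list bound to policy NAT) can both be found mechanically in a saved PIX config. The following is an added example written for this page, not code from the thread or from Cisco: a small Python checker that parses the access-list, static, nat and global lines posted above (embedded as a constructed sample, with the poster's x.x.x.x / y.y.y.y placeholders kept as posted) and reports both patterns. The line formats it understands are the PIX 6.3 forms shown in the thread; other syntax is ignored.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the PIX 6.3 fragments posted in this thread, as posted
# (x.x.x.x / y.y.y.y are the poster's own placeholders, not real hosts).
SAMPLE_CONFIG = """
global (outside) 10 192.252.127.254
nat (inside) 10 100.5.7.0 255.255.255.0 0 0
access-list host-to-host1 permit ip host 100.5.7.47 host 100.79.104.187
static (inside,outside) 192.252.127.241 access-list host-to-host1 0 0
access-list host-to-host2 permit ip host 100.5.7.47 host 100.200.251.110
static (inside,outside) 206.112.159.32 access-list host-to-host2 0 0
access-list host-pat deny ip host 100.5.7.47 host x.x.x.x
access-list host-pat deny ip host 100.5.7.47 host y.y.y.y
access-list host-pat permit ip host 100.5.7.47 0.0.0.0 0.0.0.0
nat (inside) 10 access-list host-pat 0 0
"""

# access-list <name> permit|deny <proto> <source/dest body>
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
# "static (in,out) <mapped> access-list <acl>" and "nat (in) <id> access-list <acl>"
# both bind an access-list to a translation (policy static / policy NAT).
POLICY_RE = re.compile(r"^(static|nat)\s+\([^)]+\)\s+\S+\s+access-list\s+(\S+)")
# Plain dynamic nat: "nat (in) <id> <network> <mask> ..."
NAT_NET_RE = re.compile(
    r"^nat\s+\([^)]+\)\s+\d+\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")


def parse_config(text):
    """Split a config into ACL entries, policy-NAT bindings and plain nat subnets."""
    acls = defaultdict(list)   # acl name -> [(action, protocol, body)]
    policy = []                # [(kind, acl name, full line)]
    nat_nets = []              # ip_network objects from plain nat statements
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := POLICY_RE.match(line):
            policy.append((m.group(1), m.group(2), line))
        elif m := NAT_NET_RE.match(line):
            nat_nets.append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return acls, policy, nat_nets


def find_policy_nat_denies(text):
    """Return (kind, acl, ace) for every 'deny' entry in an ACL bound to
    nat/static. Policy NAT only honours permit entries, so a deny does not
    reliably exclude the traffic it names (the caveat raised in this thread)."""
    acls, policy, _ = parse_config(text)
    findings = []
    for kind, acl_name, _line in policy:
        for action, proto, body in acls.get(acl_name, []):
            if action == "deny":
                findings.append((kind, acl_name, f"{proto} {body}"))
    return findings


def source_host(body):
    """Source host of an ACE body like 'host 100.5.7.47 host ...', else None."""
    tok = body.split()
    if len(tok) >= 2 and tok[0] == "host":
        return tok[1]
    return None


def find_static_policy_hosts_under_dynamic_nat(text):
    """Map each host that is a permit source in a static policy ACL and also
    falls inside a plain nat subnet to the static ACLs naming it. This is the
    arrangement the thread reports as broken on 6.3(3) before 6.3(3.136)
    (CSCec63822): the host matches the statics but never reaches the global PAT."""
    acls, policy, nat_nets = parse_config(text)
    hits = defaultdict(list)
    for kind, acl_name, _line in policy:
        if kind != "static":
            continue
        for action, _proto, body in acls.get(acl_name, []):
            host = source_host(body)
            if action == "permit" and host:
                addr = ipaddress.ip_address(host)
                if any(addr in net for net in nat_nets):
                    hits[host].append(acl_name)
    return dict(hits)


if __name__ == "__main__":
    for kind, acl, ace in find_policy_nat_denies(SAMPLE_CONFIG):
        print(f"WARNING: {kind} policy ACL {acl} has a deny ACE: {ace}")
    for host, names in find_static_policy_hosts_under_dynamic_nat(SAMPLE_CONFIG).items():
        print(f"INFO: {host} is a source in static policy ACL(s) {names} "
              f"and inside a dynamic nat subnet")
```

Run against the sample it reports the two deny entries in host-pat and lists 100.5.7.47 as covered by both statics and the nat 10 subnet; point it at a full `write terminal` dump to get the same report for a real box before and after the workaround is applied.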
