
New Member

Policy NAT Issue

I have set up an L2L VPN for a customer in which the vendor requires their IPs to be NATed when they come across. So, I have set up policy NAT on their PIX for the L2L VPN. Here is a snip of the NAT config:

access-list nat-to-vendor permit ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list nat-to-vendor permit ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0

global (outside) 100 10.11.46.33-10.11.46.62 netmask 255.255.255.224
global (outside) 1 interface
global (outside) 2 x.x.x.x
global (outside) 3 y.y.y.y
global (dmz) 1 interface

nat (inside) 0 access-list nonatvpn
nat (inside) 100 access-list nat-to-vendor 0 0
nat (inside) 2 192.168.10.7 255.255.255.255 0 0
nat (inside) 3 192.168.10.40 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The policy NAT works; however, once a machine attempts a connection to the vendor using a 172.22.1.x destination address, it can no longer get to the internet. Checking the xlate table, there are two entries for the machine: one for the policy NAT (ID 100) and one for the regular NAT (ID 1). If I clear the xlate entry for the policy NAT, the machine can then get to the internet, but one ping to the 172.22.1.x network and internet access is lost. It is a PIX running 6.3(3).

Am I doing this wrong or does anyone have any other suggestions?

3 REPLIES
Cisco Employee

Re: Policy NAT Issue

I would try replacing this line:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

with the following:

nat (inside) 1 access-list www-traffic

access-list www-traffic deny ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic deny ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0
access-list www-traffic permit ip any any

Sorry, I am not in a position to try this out in the lab.

Give it a shot and let us know.

-KS
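To check which nat ID a given flow should land on under the original config and under the ACL-based replacement proposed above, here is an added example (not code from Cisco or from either poster) that models PIX dynamic NAT rule selection offline. It assumes the documented evaluation order for dynamic translations: nat 0 access-list exemption first, then policy NAT rules (nat with access-list) in configuration order, then regular address-based nat rules with the most specific source match winning. The nonatvpn ACL is not shown in the thread, so it matches nothing here; the internet address 198.51.100.1 and the inside hosts are constructed sample values. The model reproduces intended behaviour only, not the xlate reuse described in the thread, so it is a pre-change sanity check for the ACL, not a reproduction of the bug.

```python
"""Model of PIX 6.3 dynamic NAT rule selection (added example, not Cisco code).

Assumed evaluation order: nat 0 exemption -> policy NAT (ACL based, config
order) -> regular NAT (most specific source network wins).
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tokens):
    """Consume 'any' or 'ADDR MASK' from a token list; return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


@dataclass
class NatRule:
    interface: str
    nat_id: int
    acl: str = ""          # set for nat 0 / policy NAT rules
    source: object = None  # IPv4Network, set for regular NAT rules


def parse_config(lines):
    """Return (acls, nat_rules) from access-list and nat lines; global lines are ignored."""
    acls, rules = {}, []
    for line in lines:
        t = line.split()
        if t and t[0] == "access-list":
            name, action = t[1], t[2]
            src, rest = _net(t[4:])          # t[3] is the protocol ('ip')
            dst, _ = _net(rest)
            acls.setdefault(name, []).append((action, src, dst))
        elif t and t[0] == "nat":
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                rules.append(NatRule(iface, nat_id, acl=t[4]))
            else:
                rules.append(NatRule(iface, nat_id, source=_net(t[3:5])[0]))
    return acls, rules


def acl_permits(acls, name, src, dst):
    """First matching ACE decides; an undefined or empty ACL matches nothing."""
    for action, s, d in acls.get(name, []):
        if src in s and dst in d:
            return action == "permit"
    return False


def select_nat(config_lines, src, dst, interface="inside"):
    """Return the nat ID a flow src->dst would be translated under, or None."""
    acls, rules = parse_config(config_lines)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = [r for r in rules if r.interface == interface]
    for r in rules:                      # 1. NAT exemption
        if r.nat_id == 0 and r.acl and acl_permits(acls, r.acl, src, dst):
            return 0
    for r in rules:                      # 2. policy NAT, configuration order
        if r.nat_id != 0 and r.acl and acl_permits(acls, r.acl, src, dst):
            return r.nat_id
    best = None                          # 3. regular NAT, most specific source
    for r in rules:
        if r.source is not None and src in r.source:
            if best is None or r.source.prefixlen > best.source.prefixlen:
                best = r
    return best.nat_id if best else None


VENDOR = "172.22.1.0 255.255.255.0"
INSIDE_NETS = ["192.168.10.0", "192.168.20.0", "192.168.30.0", "10.4.224.0"]
COMMON = [f"access-list nat-to-vendor permit ip {n} 255.255.255.0 {VENDOR}" for n in INSIDE_NETS] + [
    "nat (inside) 0 access-list nonatvpn",   # ACL body not shown in the thread
    "nat (inside) 100 access-list nat-to-vendor 0 0",
    "nat (inside) 2 192.168.10.7 255.255.255.255 0 0",
    "nat (inside) 3 192.168.10.40 255.255.255.255 0 0",
]
ORIGINAL = COMMON + ["nat (inside) 1 0.0.0.0 0.0.0.0 0 0"]
PROPOSED = COMMON + [f"access-list www-traffic deny ip {n} 255.255.255.0 {VENDOR}" for n in INSIDE_NETS] + [
    "access-list www-traffic permit ip any any",
    "nat (inside) 1 access-list www-traffic",
]

# Constructed sample flows: (source host, destination)
FLOWS = [("192.168.10.5", "172.22.1.10"), ("192.168.10.5", "198.51.100.1"),
         ("10.4.224.9", "172.22.1.10"), ("192.168.10.7", "198.51.100.1")]


def audit(config_lines):
    """Map each sample flow to its selected nat ID for the given config."""
    return {flow: select_nat(config_lines, *flow) for flow in FLOWS}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("proposed", PROPOSED)):
        for flow, nat_id in audit(cfg).items():
            print(f"{label:9} {flow[0]:>14} -> {flow[1]:<14} nat id {nat_id}")
```

Running this shows the intended split: vendor-bound traffic from the four inside networks lands on ID 100 and internet-bound traffic on ID 1 under both configs. It also surfaces a side effect of the proposal worth checking before applying it: because the replacement turns nat ID 1 into an ACL-based policy rule, the model evaluates it ahead of the regular ID 2 and ID 3 host rules, so 192.168.10.7 and 192.168.10.40 would fall under ID 1 for internet traffic unless www-traffic also denies those hosts or they get their own policy entries.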

New Member

Re: Policy NAT Issue

Thanks for the reply. However, I found that this issue is a bug in PIX version 6.3.3. The bug ID is CSCec63822. The workaround is to use policy NAT for the internet traffic, or upgrade. I used the workaround, somewhat similar to what you have proposed, and the issue was resolved.

Cisco Employee

Re: Policy NAT Issue

Sorry, I wasn't aware of this bug, but I am glad I gave you the workaround listed in this bug as a workaround.
