I'm certain I'm doing something wrong in my (simple) test config. I know I can do this as I have a PIX 515e doing this in another office. I'm trying to establish a single IP on the outside that inside hosts can use to access the internet - PAT. Then I'd like to selectively publish, for example, web servers and establish a handful of static NAT entries and manage those 1-to-1 IPs with ACLs. It seems simple but I've botched something.
With the dynamic config in place, all hosts behind the internal interface can access the internet without any issues. As soon as I add the static NAT entry for the web server, it can no longer access the internet (nor does the static rule seem to work).
I've done this - and just did it again to be sure - and it goes through the animation with the final result of "the packet is allowed". It's so strange.
To me that suggests an ACL problem on the way back inbound, but it's going from an interface with a security level of 100 to the outside, which is 0. I thought we don't need an "established" ACL entry...
(Tomorrow I may try to use some private IPs on both sides and start over. I have the PIX facing the internet with a globally unique IP that I eventually plan to use. Until I get this worked out I may need to resort to all test IPs and drop a switch on each side.)
Is there something in my original (attached to first post) config that I'm missing to allow the return packets from a static vs. dynamic entry?
I think the problem is solved. You were right in confirming that the configuration looked fine and it should be working. In the end there was nothing wrong with the config. A routing statement on a router was causing the issue.
I thought I would post an update as I'm sure this happens to other people - it's a simple thing to overlook:
My issue all boiled down to routing statements on a router on the outside of the PIX. There was a route statement on the outside router to the effect of:
ip route 126.96.36.199 255.255.255.224 FastEthernet0/0 (Old Gateway Here)
When I was using a global IP and using the interface's own IP, the outside router knew - via ARP - where to send the packets back to. As soon as I tried to use a static rule, the router tried to send the packets to the current PIX that I'm planning to replace! The outside router wasn't sending the packets to the right PIX. I realized this after not seeing them logged coming back in.
All I did was remove the above old routing statement and replace it with:
ip route 188.8.131.52 255.255.255.224 FastEthernet0/0 184.108.40.206
And now static and dynamic rules work just fine.
Thank you for troubleshooting this with me. It was helpful to confirm I was on the right track.
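The setup the thread describes, written out as an added example (this is not the poster's attached config and not Cisco's documentation). Everything here is an assumption chosen to make the symptom reproducible: a transit /30 between the outside router and the new PIX, a separately routed 203.0.113.0/27 block used for the published addresses, PIX 6.3-style `nat`/`global`/`static` syntax (also accepted by 7.x), interface names and the ACL name OUTSIDE_IN. PAT keeps working even with the wrong route because it uses the PIX's own interface address, which the router resolves by ARP on its connected subnet; the static uses an address out of the routed block, so the router consults its routing table and sends the reply wherever that route points.

```cisco
! ===== New PIX (example values) =====
! Outside interface sits on a transit /30 with the router; inside is RFC 1918.
ip address outside 198.51.100.2 255.255.255.252
ip address inside 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! Dynamic PAT: all inside hosts leave on the outside interface's own address.
! The router reaches 198.51.100.2 via ARP, so no route on the router is needed.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Static 1-to-1 for the web server, using an address from the routed /27.
! Return traffic for 203.0.113.10 depends on the router's route for that block.
static (inside,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255

! Publish only HTTP/HTTPS to the static address; everything else inbound stays denied.
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN permit tcp any host 203.0.113.10 eq https
access-group OUTSIDE_IN in interface outside

! Checks on the PIX once traffic is sent:
!   show xlate          - the static appears as Global 203.0.113.10 Local 192.168.10.10
!   show conn           - connections through the static should build and go past SYN
!   show access-list OUTSIDE_IN   - hit counts climb when the router delivers packets

! ===== Outside router (example values) =====
! Stale route: the /27 still points at the old PIX (assumed 198.51.100.3 here),
! so replies to 203.0.113.10 are forwarded to the wrong firewall while PAT still works.
no ip route 203.0.113.0 255.255.255.224 FastEthernet0/0 198.51.100.3
! Corrected route: next hop is the new PIX's outside address.
ip route 203.0.113.0 255.255.255.224 FastEthernet0/0 198.51.100.2

! Checks on the router:
!   show ip route 203.0.113.10    - next hop must be 198.51.100.2
!   show arp                      - 198.51.100.2 should resolve to the new PIX's MAC
```

The practical lesson is the same one the thread reaches: when a static stops working but PAT on the interface address still does, verify the return path on the upstream router before re-reading the firewall's ACLs, because the firewall never sees the reply and the packet tracer will keep reporting "allowed" for the outbound half.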