Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Static NAT Config Overlapping

Hi!

Good day to all.

I'm having a hard time figuring out the descripancy on a PIX firewall config I have here.

My difficult is that I have two interfaces. One is a VLAN interface named as CORE with a SecLevel of 87 and a physical interface named DMZ4 with a SecLev of 50.

I have verified the routes and they were ok and also access lists. Actually, I have permitted the hosts on both sides to see each other. Meaning PING is allowed and so are the other services on IP. There are hitcounts actually. But the result on the CORE side is "Request timed out" however on the DMZ4 segment the result is "TTL expired in transit".

I had made a debug icmp trace and the result was :

89226: ICMP echo-request from core:172.22.38.104 to 172.22.148.47 ID=768 seq=30791 length=40

89227: ICMP echo-request: translating core:172.22.38.104 to dmz4:172.22.38.104

89228: ICMP echo-request: untranslating core:172.22.148.47 to dmz4:172.22.148.47

I could not see the next line which should have been a reply from 172.22.148.47 going to the requester 172.22.38.104.

One of the segments named MANAGEMENT with a SecLev of 57 can see the host on the DMZ4 and vice versa. They could ping each other.

Below are the static configurations:

static (dmz4,management) 172.22.148.0 172.22.148.0 netmask 255.255.255.0 0 0

static (newtandem,dmz4) 172.22.29.20 172.22.25.138 netmask 255.255.255.255 0 0

static (dmz4,management) 172.27.0.0 172.27.0.0 netmask 255.255.0.0 0 0

static (core,management) 172.22.38.0 172.22.38.0 netmask 255.255.255.0 0 0

static (dmz1,management) 192.168.11.70 192.168.11.70 netmask 255.255.255.255 0 0

static (core,development) 172.22.38.0 172.22.38.0 netmask 255.255.255.0 0 0

static (spare,management) 172.22.29.35 172.22.29.35 netmask 255.255.255.255 0 0

static (management,spare) 172.22.29.128 172.22.29.128 netmask 255.255.255.192 0 0

static (dmz4,core) 172.22.148.0 172.22.148.0 netmask 255.255.255.0 0 0

static (core,dmz4) 172.22.38.0 172.22.38.0 netmask 255.255.255.0 0 0

static (dmz4,management) 172.22.0.0 172.22.0.0 netmask 255.255.0.0 0 0

static (dmz4,spare) 172.22.0.0 172.22.0.0 netmask 255.255.0.0 0 0

Could somebody help me understand.

Happy New Year!

Thanks again.

1 REPLY
New Member

Re: Static NAT Config Overlapping

Guys!

My problem has been resolved. There was no route on the router that is connected to the DMZ4 segment that we have here. We have just added a route on it pointing to the layer 3 switch on DMZ4 going to the CORE segment.

Thank you very much!!!

Happy New Year!!!

243
Views
0
Helpful
1
Replies