Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Problem with PAT

We are running PAT for the internal network host. However, we are unable to connect to one paticular website using any PC that uses PAT. The Servers that have a static NAT translation are able to connect without a problem. The issue is not related to DNS. If we ping from a PC that is unable to see the website we receive replys that state "Destination net unreachable". The PAT and NAT translations are taking place on a PIX 525 firewall. Has anyone else ever had a similar problem?

4 REPLIES

Re: Problem with PAT

Scott,

For ping replies to come back, have you allowed icmp inbound? What response do you get when you ping reachable websites. Can you input partial traces of your configs ? When you try to access this website, give a show xlate on the pix and see if the PAT translation is taking place or not.

New Member

Re: Problem with PAT

thisishanky,

Yes, icmp is allowed inbound:

access-list 101 permit icmp any any echo

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any echo-reply

When I ping reachable websites I recieve a good responce. I ran the show xlate command after accessing both reachable websites and the unreachable website and the PAT translation looks sucessful.

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

.

.

access-group 101 in interface outside

access-group inside in interface inside

.

.

timeout xlate 1:30:00

New Member

Re: Problem with PAT

1.From where you are getting message "Destination net unreachable" messages ?

2.Wether Stattically NATed servers, and the pc's getting PATed in PIX are hosted in same zone?

3.PAT, NAT IP address are they from same pool?

New Member

Re: Problem with PAT

1. The "Destination net unreachable" messages seem to come from the router at the destination network. I can trace the route out to our Internet cloud past the firewall before I lose it on the PATed PCs, but the NATed PCs can trace to the destination.

2. All the PCs are in the same zone wether they are NATed or PATed.

3. The PAT addresses are using one ip address that is the same as the outside interface of the Pix. The statically NATed servers use external addesses from the rest of our range of external ip addresses.

89
Views
0
Helpful
4
Replies