Cisco Support Community


NAT Failing to Work in the Admin Context (Ver 7)

Hi,

I have a strange issue when configuring NAT in the Admin context of my PIX ver.7 FW! When applying the following configuration:

nat (inside) 1 0 0
global (outside) 1 192.168.1.10-192.168.1.20

And tracing how the NAT part works with "debug icmp trace", I see the inside addresses not being translated, and the ping from inside to outside fails. However, when replacing the nat and global commands with "stat (inside,outside) <my internal subnet> <my internal subnet> net <netmask>", the translation works.

When applying similar nat and global rules on the other security context (CTX1), the translation works fine.

Does anybody have an idea on what could be the problem? I'm posting my Admin context configuration below for your review:

PIX Version 7.0(4) <context>
!
hostname pixfirewall
names
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.1.3 255.255.255.0 standby 172.16.1.33
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
passwd 9ghfCrNHTpkZOynK encrypted
access-list out extended permit icmp any any
access-list in extended permit icmp any any
no pager
logging asdm informational
mtu inside 1500
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.1.10-192.168.1.20
nat (inside) 1 0.0.0.0 0.0.0.0
access-group in in interface inside
access-group out in interface outside
route inside 192.168.116.0 255.255.255.0 172.16.1.10 1
route inside 192.168.111.0 255.255.255.0 172.16.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 5
dhcpd lease 3600

Thanks

Haitham

1 REPLY
Cisco Employee

Re: NAT Failing to Work in the Admin Context (Ver 7)

Hi Haitham

Try to enable "inspect icmp error", it should fix this issue.

thanks

Nadeem
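For readers who want to see where the suggested command goes: the snippet below is an added example, not configuration taken from this thread or from Cisco documentation. On PIX/ASA 7.x, ICMP inspection is enabled inside a policy-map and applied with a service-policy; in a multiple-context firewall that policy lives in the context itself, so it has to be present in the admin context, not only in CTX1. The example assumes the default policy-map name global_policy and class name inspection_default; check "show run policy-map" in the admin context and use whatever names actually exist there.

```cisco
! Added example: enable stateful ICMP handling in the admin context.
! Assumes the default policy-map/class names; adjust if the context uses others.
policy-map global_policy
 class inspection_default
  ! Track echo request/reply as a connection so replies to the
  ! translated (global) address are matched back to the inside host.
  inspect icmp
  ! Also translate the embedded IP header in ICMP error messages
  ! (e.g. unreachable, time-exceeded) so they reach the original sender.
  inspect icmp error
!
! Apply the policy to all interfaces of this context (only needed if
! "show run service-policy" does not already show it).
service-policy global_policy global
```

After applying it, repeat the ping from an inside host and confirm with "show xlate" that a dynamic translation from the 172.16.1.0/24 address to a 192.168.1.10-20 global address is created, and with "show service-policy" that the icmp inspection counters increment. If the xlate still does not appear, the problem is in the nat/global pair rather than in ICMP handling, and "debug icmp trace" will keep showing the untranslated source address.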
