Re: NAT won't works on PIX 515E

j.hato · ‎07-22-2003

Dear CIscoer,

global (outside) 1 202.160.2.xxx

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

But when I try to connect to internet the PIX do not NAT the client IP address. But when I do a ping the PIX will NAT the client interface but still cannot touch the target host (I have create and apply an access list to permit ICMP). The software version is 6.2 (2). Is it bug?

Thanks In Advance

HATO

jmia · ‎07-22-2003

Hato -

Have tried to clear translations with cmd: clear xlate ??

Thanks -

j.hato · ‎07-22-2003

Yes,

Have try to clear the transation. But still won't works. The PIX have 3 interface. It is ok right. I can ping from the PIX to the DNS. But not from the client side. The PIX will translate for the ICMP but with no return. When using the http the PIX not translate them.

BEst regards,

HATO

jmia · ‎07-22-2003

Hato -

Are we talking about DMZ problem or ICMP translation or even http translation problems ? can you please explain...

Thanks --

jmia · ‎07-22-2003

Hato,

Also, I presume you configured you NAT Like the following :

ip address outside 192.168.1.1 255.255.255.0

ip address inside 192.168.2.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

route inside 192.168.3.0 255.255.255.0 192.168.2.2 1

global (outside) 1 199.199.199.0 netmask 255.255.255.0

nat (inside) 1 0 0

After the config remember to save with cmd: wr m (write memory) and also issue a cmd: clear xlate

Hope this helps --

j.hato · ‎07-22-2003

Thank you.

l.mourits · ‎07-25-2003

Hi Hato,

You should not use ICMP to test for translations, cause ICMP is not handled by the ASA. All other traffic is, so, testing with tcp or udp will work with your current setup. If you especially want to test with ICMP you have to set some rules oin your outside in access-list to let the ICMP response traffic in :-)

Kind Regards,

Leo