
PAT, NAT issues

evans.b
Level 1

Hi,

My customer has a PIX 520. Below is the config.

global (Outside) 20 214.39.43.41-214.39.43.101

global (Dmz) 10 11.254.254.31

global (Customers) 20 11.151.4.51-11.151.4.101

nat (inside) 20 161.2.2.177 255.255.255.255 0 0

nat (inside) 20 161.2.2.180 255.255.255.255 0 0

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

nat (Dmz) 20 0.0.0.0 0.0.0.0 0 0

The device 161.2.2.177 (server) is on the inside interface. From the config above this device will be NAT/PAT'd to outgoing interfaces i.e.

(Inside) 161.2.2.177, NAT'd (Outside) 214.39.43.41-214.39.43.101

(Inside) 161.2.2.177, NAT'd (Customers) 11.151.4.51-11.151.4.101

(Inside) 161.2.2.177, PAT'd (DMZ) 11.254.254.31

From the xlate table, 161.2.2.177 is NAT'd for the Outside and Customers interfaces, but the PAT translation does not work!

To test PAT I have used a PC on the inside to ping the DMZ, and the PC is PAT'd to 11.254.254.31.

Statically mapping 161.2.2.177 to an address on the DMZ also works. But PAT for this device doesn't work!

Previously, PAT for this device on the DMZ worked. No configuration changes have been made at all to the PIX.

Has anyone come across this problem before?

Thanks for your help


3 Replies

gfullage
Cisco Employee

You have the following in the config:

global (Dmz) 10 11.254.254.31

nat (inside) 20 161.2.2.177 255.255.255.255 0 0

The inside address of 161.2.2.177 will NOT be PAT'd when it goes to the DMZ interface; in fact it won't be able to go to the DMZ interface at all, because it has no corresponding global statement. Remember that nat/global statements are paired up using the number just after the interface name. The inside host has a number of "20", and there is no corresponding global statement for the DMZ with a "20" on it.

This would never have worked unless someone changed this, so if you think "No configuration changes have been made at all to the PIX", you'd better start ensuring only the correct people have the appropriate access to make changes.

Hi,

Thanks for taking a look at this fault.

This may sound stupid, but from the config :

global (Outside) 20 214.39.43.41-214.39.43.101

nat (inside) 20 161.2.2.177 255.255.255.255 0 0

nat (inside) 20 161.2.2.178 255.255.255.255 0 0

These two (inside) devices will be NAT'd to an address from the global pool?

From the (dmz) config:

global (Dmz) 10 11.254.254.31

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

This statement implies that all devices on the (inside) wishing to get to the (dmz) will be PAT'd to 11.254.254.31. Does this exclude 161.2.2.177, which is an (inside) address?

The 161.2.2.177 address is excluded because you have this:

> nat (inside) 20 161.2.2.177 255.255.255.255 0 0

Any packet from this inside host is always going to use this nat statement since it is the most specific, it has a nat-id of 20, so you need a corresponding "global (dmz)" command with a nat-id of 20 also.
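The pairing rule both of gfullage's replies describe (the most specific nat statement covering the source wins, and its nat-id must have a global on the egress interface) can be checked mechanically rather than by staring at the config. The following is an added example, not code from the original post or from Cisco: a small Python model of that lookup, run against the configuration evans.b posted. The longest-prefix selection, the lowercased interface names, the 161.2.2.50 test host, the 11.254.254.32 address used for the added id-20 global, and the `parse_config`/`translate`/`unpaired` helpers are all assumptions of the model, not PIX commands; nat 0, static and policy NAT are left out.

```python
"""Model of the PIX 6.x nat/global pairing discussed in the thread.

Assumption (from gfullage's reply): for a packet entering interface X, the
most specific `nat (X) <id> <net> <mask>` entry covering the source wins, and
the translation on egress interface Y is whatever `global (Y) <id> ...` carries
the same id. No global with that id on Y means no translation on that path.
nat 0, static and policy NAT are out of scope for this model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Configuration as posted in the question (interface names lowercased here).
ORIGINAL_CONFIG = """
global (outside) 20 214.39.43.41-214.39.43.101
global (dmz) 10 11.254.254.31
global (customers) 20 11.151.4.51-11.151.4.101
nat (inside) 20 161.2.2.177 255.255.255.255 0 0
nat (inside) 20 161.2.2.180 255.255.255.255 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 20 0.0.0.0 0.0.0.0 0 0
"""

# Same config plus the missing id-20 global on the DMZ that the accepted
# answer calls for. 11.254.254.32 is a hypothetical free DMZ address.
FIXED_CONFIG = ORIGINAL_CONFIG + "global (dmz) 20 11.254.254.32\n"


@dataclass(frozen=True)
class NatRule:
    iface: str
    nat_id: int
    network: ipaddress.IPv4Network


@dataclass(frozen=True)
class GlobalRule:
    iface: str
    nat_id: int
    pool: str  # "a.b.c.d" is a single PAT address, "a.b.c.d-e.f.g.h" a NAT pool


def parse_config(text: str) -> Tuple[List[NatRule], List[GlobalRule]]:
    """Pull nat and global lines out of a PIX config fragment; ignore the rest."""
    nats: List[NatRule] = []
    globals_: List[GlobalRule] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("nat", "global"):
            continue
        iface = parts[1].strip("()").lower()
        nat_id = int(parts[2])
        if parts[0] == "nat" and len(parts) >= 5:
            # parts[5:] are max_conns / em_limit ("0 0"), irrelevant to pairing
            net = ipaddress.IPv4Network(f"{parts[3]}/{parts[4]}", strict=False)
            nats.append(NatRule(iface, nat_id, net))
        elif parts[0] == "global":
            globals_.append(GlobalRule(iface, nat_id, parts[3]))
    return nats, globals_


def translate(nats, globals_, src_iface, src_ip, dst_iface) -> Optional[Dict]:
    """Decide what happens to src_ip entering src_iface and leaving dst_iface."""
    ip = ipaddress.IPv4Address(src_ip)
    matches = [n for n in nats if n.iface == src_iface and ip in n.network]
    if not matches:
        return None  # no nat statement covers the host at all
    best = max(matches, key=lambda n: n.network.prefixlen)  # most specific wins
    for g in globals_:
        if g.iface == dst_iface and g.nat_id == best.nat_id:
            kind = "NAT" if "-" in g.pool else "PAT"
            return {"nat_id": best.nat_id, "kind": kind, "pool": g.pool}
    # nat-id matched but the egress interface has no global for it: this is
    # the 161.2.2.177 -> Dmz case from the thread
    return {"nat_id": best.nat_id, "kind": "NONE", "pool": None}


def unpaired(nats, globals_) -> List[Tuple[str, int, str]]:
    """(ingress, nat-id, egress) triples with no matching global: the check to
    run after every nat/global change. Only interfaces that carry at least one
    global statement count as egress here."""
    egress = {g.iface for g in globals_}
    gaps = set()
    for n in nats:
        for out in egress - {n.iface}:
            if not any(g.iface == out and g.nat_id == n.nat_id for g in globals_):
                gaps.add((n.iface, n.nat_id, out))
    return sorted(gaps)


if __name__ == "__main__":
    nats, globals_ = parse_config(ORIGINAL_CONFIG)
    for dst in ("outside", "customers", "dmz"):
        print("161.2.2.177 ->", dst, translate(nats, globals_, "inside", "161.2.2.177", dst))
    print("161.2.2.50  -> dmz", translate(nats, globals_, "inside", "161.2.2.50", "dmz"))
    print("unpaired:", unpaired(nats, globals_))
    nats, globals_ = parse_config(FIXED_CONFIG)
    print("after fix, 161.2.2.177 -> dmz", translate(nats, globals_, "inside", "161.2.2.177", "dmz"))
```

Run against the posted config, `translate` reproduces the xlate-table observation (161.2.2.177 gets a NAT address toward Outside and Customers, a generic inside host is PAT'd to 11.254.254.31 toward the DMZ) and returns no translation for 161.2.2.177 toward the DMZ; after the extra `global (dmz) 20` line it returns a PAT. `unpaired` also flags nat-id 10 from inside toward Outside and Customers, which the posted config leaves without a global; the thread does not say whether that is intended.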
