
New Member

PAT, NAT issues

Hi,

My customer has a PIX 520. Below is the config.

global (Outside) 20 214.39.43.41-214.39.43.101

global (Dmz) 10 11.254.254.31

global (Customers) 20 11.151.4.51-11.151.4.101

nat (inside) 20 161.2.2.177 255.255.255.255 0 0

nat (inside) 20 161.2.2.180 255.255.255.255 0 0

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

nat (Dmz) 20 0.0.0.0 0.0.0.0 0 0

The device 161.2.2.177 (server) is on the inside interface. From the config above this device will be NAT/PAT'd to outgoing interfaces i.e.

(Inside) 161.2.2.177, NAT'd (Outside) 214.39.43.41-214.39.43.101

(Inside) 161.2.2.177, NAT'd (Customers) 11.151.4.51-11.151.4.101

(Inside) 161.2.2.177, PAT'd (DMZ) 11.254.254.31

From the Xlate table, 161.2.2.177 is NAT'd for the Outside & Customer interfaces, but the PAT translation does not work!

To test PAT I have used a PC on the inside to ping the DMZ, and the PC is PAT'd to 11.254.254.31.

Statically mapping 161.2.2.177 to an address on the DMZ also works. But PAT for this device doesn't work!

Previously, PAT for this device on the DMZ worked; no configuration changes have been made at all to the PIX.

Has anyone come across this problem before?

Thanks for your help

Accepted Solution

Cisco Employee

Re: PAT, NAT issues

The 161.2.2.177 address is excluded because you have this:

> nat (inside) 20 161.2.2.177 255.255.255.255 0 0

Any packet from this inside host is always going to use this nat statement since it is the most specific, it has a nat-id of 20, so you need a corresponding "global (dmz)" command with a nat-id of 20 also.

3 REPLIES
Cisco Employee

Re: PAT, NAT issues

You have the following in the config:

global (Dmz) 10 11.254.254.31

nat (inside) 20 161.2.2.177 255.255.255.255 0 0

The inside address of 161.2.2.177 will NOT be PAT'd when it goes to the DMZ interface; in fact it won't be able to go to the DMZ interface at all because it has no corresponding global statement. Remember that nat/global statements are paired up using the number just after the interface name. The inside host has a number of "20"; there is no corresponding global statement for the DMZ with a "20" on it.

This would never have worked unless someone changed this, so if you think "No configuration changes have been made at all to the PIX", you'd better start ensuring only the correct people have the appropriate access to make changes.
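A small configuration checker, added here as an illustration and not part of either Cisco reply, that models the pairing rule both the first reply and the accepted solution describe: the most specific `nat` entry on the ingress interface wins, and its nat-id must have a matching `global` on the egress interface or the host gets no translation there. It parses the nat/global lines quoted in the question (embedded as constructed sample input) and reports every nat entry / egress interface pair with no matching `global`. This is a deliberately simplified model of PIX behaviour (no `nat 0`, `static`, or access-list NAT, and no ordering rules beyond longest-mask match), and the function names are my own.

```python
import ipaddress
import re

# Sample input: the nat/global lines quoted in the question (a constructed
# copy of the poster's configuration, used here only as test data).
PIX_CONFIG = """
global (Outside) 20 214.39.43.41-214.39.43.101
global (Dmz) 10 11.254.254.31
global (Customers) 20 11.151.4.51-11.151.4.101
nat (inside) 20 161.2.2.177 255.255.255.255 0 0
nat (inside) 20 161.2.2.180 255.255.255.255 0 0
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (Dmz) 20 0.0.0.0 0.0.0.0 0 0
"""

# Matches "nat (iface) id addr mask ..." and "global (iface) id pool"; it also
# tolerates the "nat(inside)" spelling used later in the thread.
LINE_RE = re.compile(r"^(nat|global)\s*\((\w+)\)\s+(\d+)\s+(\S+)(?:\s+(\S+))?")


def parse_config(text):
    """Return (nats, globals): nats are (iface, nat_id, network), globals are
    (iface, nat_id, pool_string). Interface names are lowercased so that
    'Dmz', 'DMZ' and 'dmz' in the thread all refer to the same interface."""
    nats, globals_ = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, iface, nat_id, arg, mask = m.groups()
        iface, nat_id = iface.lower(), int(nat_id)
        if kind == "nat":
            # ip_network accepts a dotted mask, so 255.255.255.255 -> /32 and 0.0.0.0 -> /0
            net = ipaddress.ip_network(f"{arg}/{mask}", strict=False)
            nats.append((iface, nat_id, net))
        else:
            globals_.append((iface, nat_id, arg))
    return nats, globals_


def select_nat(nats, ingress, src):
    """Most specific (longest mask) nat entry on the ingress interface covering
    src, or None. This is why the /32 entry for 161.2.2.177 beats the
    0.0.0.0 catch-all with nat-id 10."""
    ip = ipaddress.ip_address(src)
    hits = [n for n in nats if n[0] == ingress.lower() and ip in n[2]]
    return max(hits, key=lambda n: n[2].prefixlen) if hits else None


def translation_for(nats, globals_, ingress, src, egress):
    """Classify what happens to src leaving via egress:
    ('NAT', pool) for an address range, ('PAT', addr) for a single address,
    ('no-global', nat_id) when the chosen nat-id has no global on egress,
    ('no-nat', None) when nothing on the ingress interface matches."""
    nat = select_nat(nats, ingress, src)
    if nat is None:
        return ("no-nat", None)
    pools = [g[2] for g in globals_ if g[0] == egress.lower() and g[1] == nat[1]]
    if not pools:
        return ("no-global", nat[1])
    pool = pools[0]
    return ("NAT" if "-" in pool else "PAT", pool)


def audit(nats, globals_):
    """Every (ingress iface, network, egress iface, nat_id) whose nat-id has no
    matching global on that egress interface; hosts covered by such an entry
    have no translation towards that interface."""
    egress_ifaces = sorted({g[0] for g in globals_})
    problems = []
    for iface, nat_id, net in nats:
        for egress in egress_ifaces:
            if egress == iface:
                continue
            if not any(g[0] == egress and g[1] == nat_id for g in globals_):
                problems.append((iface, str(net), egress, nat_id))
    return problems


if __name__ == "__main__":
    nats, globals_ = parse_config(PIX_CONFIG)
    for src, egress in [("161.2.2.177", "dmz"), ("161.2.2.50", "dmz"),
                        ("161.2.2.177", "outside")]:
        print(src, "->", egress, translation_for(nats, globals_, "inside", src, egress))
    for iface, net, egress, nat_id in audit(nats, globals_):
        print(f"no global with nat-id {nat_id} on {egress} for {net} from {iface}")
```

Run against the quoted configuration, the checker reports the server's /32 entry (and the .180 one) as having no matching `global` on the DMZ, which is exactly the condition the reply points at; adding a `global (Dmz) 20 ...` entry and re-running `audit` clears those two findings. The `audit` function is the useful part operationally: running it over a configuration backup on every change is a cheap way to catch a dropped or renumbered `global` before a host silently loses reachability.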

New Member

Re: PAT, NAT issues

Hi,

Thanks for taking a look at this fault.

This may sound stupid, but from the config :

global (Outside) 20 214.39.43.41-214.39.43.101

nat (inside) 20 161.2.2.177 255.255.255.255 0 0

nat (inside) 20 161.2.2.178 255.255.255.255 0 0

These two (inside) devices will be NAT'd to an address from the global pool?

From the (dmz) config:

global (Dmz) 10 11.254.254.31

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

This statement implies that all devices on the (inside) wishing to get to the (dmz) will be PAT'd to 11.254.254.31. Does this exclude 161.2.2.177, which is an (inside) address?

