Problem w/ PIX NAT

cody.rowland
Level 1

We recently added a new network segment and are having problems NAT'ing the new segment on our PIX 525. When I view xlate I can tell that the new IPs are not translating. I've cleared the xlate and even changed the PIX config from allowing specific networks to NAT to allowing all networks to NAT using "nat (inside) 1 0.0.0.0 0.0.0.0 0 0" and it's still not working for the new segment. Our primary network doesn't have any problems at all.

To give you an idea of how the network is configured:

Primary network segment is 10.0.4.0/22

New network segment is 10.0.12.0/26

The primary network uses the inside IP of the PIX as a default gateway. The new network segment uses as its gateway a virtual interface IP address on our Catalyst switch. The L3 switch uses the inside IP of the PIX as its gateway. I've added a route on the PIX back to the switch and I can ping the inside of the PIX from the new network segment so I'm confident it's not a routing issue.

I will be happy to provide specific portions of our PIX configuration if requested but we have quite a few VPN tunnels configured and I was hesitant to post it right off the start.

Any help would be much appreciated.

Thanks,

Cody Rowland

Infrastructure Engineer

1 Reply

pcomeaux
Cisco Employee

Hi Cody -

Your nat (inside) 1 0.0.0.0 0.0.0.0 will translate all source IP addresses coming from the inside interface, if you do not have any nat (inside) 0 or static statements which may be taking precedence. The nat 0 and statics are checked first before the nat (inside) 1 occurs.

Please check your configuration for this, especially since you have several VPN tunnels.

Hope this helps,

peter
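
One way to run the check suggested in the reply above, as an added example that is not part of the original thread: the script lists every `nat (inside) 0` entry, NAT-exemption ACL line and `static` whose inside range overlaps the new segment. The configuration text and the function name `find_nat_overrides` are constructed for illustration; an ACL hit is only a candidate, since the exemption also depends on the destination.

```python
import ipaddress
import re

# Constructed PIX 6.x-style configuration for illustration (not from the thread).
SAMPLE_CONFIG = """\
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 10.0.4.0 255.255.252.0 172.16.9.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
static (inside,outside) 203.0.113.20 10.0.4.20 netmask 255.255.255.255 0 0
"""

def net(addr, mask):
    """Build a network from a dotted address and dotted netmask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def find_nat_overrides(config, segment, iface="inside"):
    """Return lines checked before 'nat (iface) 1' whose source overlaps segment.

    Only 'address mask' sources are parsed; 'host' and 'any' forms are skipped.
    """
    seg = ipaddress.ip_network(segment)
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    hits, exempt_acls = [], set()
    # Pass 1: identity NAT by network, and names of ACLs bound to nat 0.
    for line in lines:
        m = re.match(rf"nat \({iface}\) 0 access-list (\S+)", line)
        if m:
            exempt_acls.add(m.group(1))
            continue
        m = re.match(rf"nat \({iface}\) 0 (\d\S+) (\d\S+)", line)
        if m and net(m.group(1), m.group(2)).overlaps(seg):
            hits.append(line)
    # Pass 2: entries of those ACLs, and statics sourced from the interface.
    for line in lines:
        m = re.match(r"access-list (\S+) permit ip (\d\S+) (\d\S+) ", line)
        if m and m.group(1) in exempt_acls and net(m.group(2), m.group(3)).overlaps(seg):
            hits.append(line)
        m = re.match(rf"static \({iface},\S+\) \S+ (\d\S+) netmask (\d\S+)", line)
        if m and net(m.group(1), m.group(2)).overlaps(seg):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in find_nat_overrides(SAMPLE_CONFIG, "10.0.12.0/26"):
        print("checked before nat 1:", hit)
```

In this constructed configuration the broad 10.0.0.0 255.255.0.0 exemption entry is the only line that overlaps 10.0.12.0/26.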
