02-27-2010 05:15 PM
I solved one problem from the discussion "Static NAT on PIX 501 help", but now I have no internet connectivity when that tunnel comes up. I have attached my current PIX 501 config. Any suggestions would be appreciated.
02-28-2010 09:03 PM
Hi,
I have reviewed the configuration and it appears good to me. As per your post, it seems to me that after the addition of the static command the VPN started working fine but you lost internet connectivity on the PIX. I would suggest the following:
1. Terminate the VPN by running "clear crypto ipsec sa"
2. Then, to clear the existing translations, please run the command "clear xlate"
3. Initiate the internet traffic, followed by VPN tunnel initiation by pinging the remote destination 192.168.27.x
Let me know how it goes.
Note :
A. Step 1 is optional, but I would still request you to terminate the tunnel.
B. Step 2 is recommended on PIX 6.3. Please refer to:
www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1084248
HTH...
Regards
M
03-01-2010 11:37 AM
Ahh, let me clarify my problem, I don't think I expressed it correctly.
When I say "no internet" I am referring to general internet traffic, such as www.cisco.com from a browser. The internet traffic works fine until the VPN tunnel comes up, then the internet no longer works. But the VPN works fine, I can pass traffic in the tunnel no problem.
So, for example, if I start a ping to www.cisco.com, then I do another ping to 192.168.27.1 (which will initiate the VPN tunnel), the ping to www.cisco.com suddenly stops working, but I can fully use the VPN.
The commands you mentioned allow me to bring down the VPN tunnel just fine, and I can then again use the internet.
Thanks for your help with this.
03-01-2010 11:52 AM
My gut feeling is that it's NAT causing you problems.
Are you getting errors in the log?
03-01-2010 12:02 PM
Hey Chris,
You explained your problem correctly and I did understand it in the first place. I suspect there is some translation or xlate issue on the PIX. That's why I recommended the steps accordingly, stating that bringing the VPN tunnel down is just an optional step. What I want you to do is play with the NAT rule as suggested.
Try clearing the xlate.
Apply the policy NAT statement first and then apply the nat/global 1 rule on the PIX.
Regards
M
03-01-2010 12:49 PM
When I clear xlate, the internet starts working, even with the VPN still up. But as soon as I pass traffic over the VPN, the internet stops working. I can get it back by simply doing a clear xlate. I don't need to do a clear ipsec sa or clear isakmp sa.
I tried removing all the statements, clearing, adding them back in, clearing, but I still get the same results.
03-01-2010 12:51 PM
Try adding a "deny any any" to the end of the ACL "chris-to-ocean-nat".
03-01-2010 01:19 PM
Try nat 0 by adding the same ACL, with a different name, for your VPN traffic, then try split tunneling.
03-01-2010 01:25 PM
"try nat 0 by adding same acl with different name of your vpn traffic then try split tunneling"
I don't think that'll do any good, from what I can see of the config he needs to do some translation as the original source subnet probably isn't valid on the peer device.
03-01-2010 01:42 PM
03-01-2010 01:49 PM
Can you give us the output of "show xlate"?
Take a copy immediately after clearing xlate, but before you send traffic over the tunnel, and then another after Internet access stops working.
03-01-2010 02:33 PM
03-01-2010 02:46 PM
Try replacing:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
with
access-list PAT permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 1 access-list PAT
My thinking here is that once you start with policy NAT, all your NAT must work that way... I'm not truly sure it'll work, but I think it's worth a shot.
It won't break the static NAT because that is processed ahead of the NAT statement.
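To show how the accepted suggestion fits into the PIX 6.3 NAT order of operations, here is an added configuration example; it is not the original poster's attached config and not code from any of the repliers. The inside subnet 192.168.1.0/24, the remote VPN subnet 192.168.27.0/24, and the ACL names "chris-to-ocean-nat" and "PAT" are taken from the thread; the NAT id 2, the interface names, and the translated pool are assumptions marked as placeholders.

```cisco
! PIX 6.3 NAT order of operations (checked top to bottom for each new connection):
!   1. NAT exemption    -> nat (inside) 0 access-list ...
!   2. static / policy static
!   3. policy NAT       -> nat (inside) <id> access-list ...
!   4. regular NAT/PAT  -> nat (inside) <id> <net> <mask>
! Because a catch-all "nat (inside) 1 0 0" lives at step 4 and the VPN policy NAT at
! step 3, the two compete for the same xlate slots once both kinds of traffic flow.
! Keeping every rule as policy NAT, with non-overlapping ACLs, removes that ambiguity.

! --- VPN traffic: the inside subnet must be translated before it enters the tunnel,
! --- because the original source subnet is not usable on the peer (see the thread).
access-list chris-to-ocean-nat permit ip 192.168.1.0 255.255.255.0 192.168.27.0 255.255.255.0
nat (inside) 2 access-list chris-to-ocean-nat
! PLACEHOLDER: replace with the pool the peer expects; the real value is not on the page
global (outside) 2 <TRANSLATED-POOL-PLACEHOLDER>

! --- Internet traffic: policy-based PAT instead of the catch-all "nat (inside) 1 0 0".
! The explicit deny keeps VPN-bound flows out of the PAT rule so that the two policy
! NAT ACLs never match the same packet (an addition here, not from the thread).
access-list PAT deny   ip 192.168.1.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list PAT permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 1 access-list PAT
global (outside) 1 interface

! --- Reminder: on the PIX, NAT is applied before the crypto map is consulted, so the
! --- crypto ACL must match the translated (global 2) addresses, not 192.168.1.0/24.
```

To confirm the behaviour the thread describes, compare "show xlate" immediately after "clear xlate" with the output once tunnel traffic has flowed: with the catch-all rule you expect to see the internet PAT entries for an inside host disappear or be replaced by the VPN translation; with the two non-overlapping policy NAT rules, both sets of xlates should coexist.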