https://community.cisco.com/t5/network-security/xlate-issues/m-p/724111#M1005621 <HTML><HEAD></HEAD><BODY><P>hello ryan,</P><P></P><P>the only reason why a dynamic translation might be affected, is if the same IP has a static or a nonat , before the global NAT entry !!! Is the PC a part of Layer 2 on the inside interface ? i mean is the def gateway of the PC , the firewall ? I hope there arent any issues with ARP !! did u check if there are any software bugs related to your IOS ??</P><P></P><P>Raj</P></BODY></HTML> Tue, 01 May 2007 05:15:59 GMT sachinraja 2007-05-01T05:15:59Z https://community.cisco.com/t5/network-security/xlate-issues/m-p/724110#M1005619 <P>Hi all -</P><P></P><P>Had an interesting problem today, and I was wondering if someone might be able to explain to me what could have been happening. </P><P></P><P>I had this user that couldn't connect to the internet. After some snooping around, I noticed that the firewall wasn't building an xlate entry for her. Internally, routing seemed fine, because I could ping her device from our firewall and vice versa, and she was able to communicate to all internal services but nothing past our firewall. Her ip is assigned by dhcp and her PAT address falls under the Nat (1) 0.0.0.0 0.0.0.0 entry and matched to the global (1) address. Also looking at the Xlate table, there were over 100 entries for others in the same subnet she was in.</P><P></P><P>To resolve it, I switched to manual IP configuration, and switched it back to DHCP and it obtained a different IP address that the previous one and it worked fine.</P><P></P><P>So I guess my question is, what would prevent the firewall from building a dynamic translation from a specific private ip address. </P><P></P><P>Thanks for all the help.</P> Mon, 11 Mar 2019 10:07:02 GMT https://community.cisco.com/t5/network-security/xlate-issues/m-p/724110#M1005619 ryan.bachman 2019-03-11T10:07:02Z https://community.cisco.com/t5/network-security/xlate-issues/m-p/724111#M1005621 <HTML><HEAD></HEAD><BODY><P>hello ryan,</P><P></P><P>the only reason why a dynamic translation might be affected, is if the same IP has a static or a nonat , before the global NAT entry !!! Is the PC a part of Layer 2 on the inside interface ? i mean is the def gateway of the PC , the firewall ? I hope there arent any issues with ARP !! did u check if there are any software bugs related to your IOS ??</P><P></P><P>Raj</P></BODY></HTML> Tue, 01 May 2007 05:15:59 GMT https://community.cisco.com/t5/network-security/xlate-issues/m-p/724111#M1005621 sachinraja 2007-05-01T05:15:59Z https://community.cisco.com/t5/network-security/xlate-issues/m-p/724112#M1005624 <HTML><HEAD></HEAD><BODY><P>Raj -</P><P></P><P>Thanks for your response. I thought the same thing about either a bad no-nat entry or a static entry, but this particular ip had neither as part of the pix config. The inside network is a mix of L2 and L3 devices, but the actual gateway of the PC is a vlan interface on a 6509 L3 switch. </P><P></P><P>It might be an issue with arp, but wouldn't that problem effect pings as well. ICMP and Traceroute to and from the end PC worked fine, traffic just couldn't traverse the PIX because it wasn't building that translation. </P><P></P><P>I will have to check to see if there is a bug, and if not, hope this problem doesn't pop up again.</P><P></P><P>Thanks again.</P><P></P></BODY></HTML> Tue, 01 May 2007 14:54:04 GMT https://community.cisco.com/t5/network-security/xlate-issues/m-p/724112#M1005624 ryan.bachman 2007-05-01T14:54:04Z