https://community.cisco.com/t5/network-security/nat-question/m-p/808774#M1007942 <HTML><HEAD></HEAD><BODY><P>Could you please add your config to the conversation so I can check it out.</P><P></P><P>Franco</P></BODY></HTML> Tue, 10 Apr 2007 13:54:45 GMT fzamora 2007-04-10T13:54:45Z https://community.cisco.com/t5/network-security/nat-question/m-p/808771#M1007936 <P>i have next config for pix515e-</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>nameif ethernet2 branches security50</P><P>global (outside) 2 interface</P><P>nat (inside) 0 access-list vpn_outside_1</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>nat (branches) 2 10.20.18.0 255.255.255.0 0 0</P><P></P><P>i tryed to ping public address from network 10.20.18.0 and i see not NATed packets at the outside interface-</P><P></P><P>--------- PACKET ---------</P><P></P><P>-- IP --</P><P>10.20.18.3 ==&gt; 1.1.119.28</P><P></P><P> ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x64</P><P> id = 0x239 flags = 0x0 frag off=0x0</P><P> ttl = 0xfb proto=0x1 chksum = 0x547b</P><P></P><P> -- ICMP --</P><P> type = 0x8 code = 0x0 checksum=0x2f9e</P><P> identifier = 0x22 seq = 0x1</P><P> -- DATA --</P><P> 00000010: 00 00 00 00 | ....</P><P> 00000020: 5c 33 f2 55 ab cd ab cd ab cd ab cd ab cd ab cd | \3.U............</P><P> 00000030: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................</P><P> 00000040: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................</P><P> 00000050: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................</P><P> 00000060: ab cd ab cd 03 | .....</P><P></P><P>--------- END OF PACKET ---------</P><P></P><P>when i do the same from PIX - it's ok-</P><P>--------- PACKET ---------</P><P></P><P>-- IP --</P><P>Public_address_VPNgate ==&gt; 1.1.119.28</P><P></P><P> ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c</P><P> id = 0xa407 flags = 0x0 frag off=0x0</P><P> ttl = 0xff proto=0x1 chksum = 0x8629</P><P></P><P> -- ICMP --</P><P> type = 0x8 code = 0x0 checksum=0xf5d8</P><P> identifier = 0x1124 seq = 0x2</P><P> -- DATA --</P><P> 00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............</P><P> 00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................</P><P> 00000038: 1c 1d 1e 1f 18 | .....</P><P></P><P>--------- END OF PACKET ---------</P><P></P><P></P><P>where is a problem?</P> Mon, 11 Mar 2019 09:57:33 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/808771#M1007936 rmv72 2019-03-11T09:57:33Z https://community.cisco.com/t5/network-security/nat-question/m-p/808772#M1007939 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>Did you add the access list in order to permit the incoming ICMP traffic on the outside interface? If you can ping from the PIX that means it has connectivity so one of the first things one needs to check is the ACL. Please add the following:</P><P></P><P>access-list inbound permit icmp any any</P><P></P><P>access-group inbound in interface outside</P><P></P><P>If you already added it, please let me know so we can continue with the troubleshooting</P><P></P><P>Hope it helps, </P><P></P><P>Franco Zamora</P><P></P></BODY></HTML> Tue, 10 Apr 2007 03:43:37 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/808772#M1007939 fzamora 2007-04-10T03:43:37Z https://community.cisco.com/t5/network-security/nat-question/m-p/808773#M1007941 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P>yes,i've ACL.</P><P>i think the problem is that packets goes from outside interface with private source (which is certainly is not routed in public internet <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ).</P><P>Seems they don't NATed - maybe here problem?</P></BODY></HTML> Tue, 10 Apr 2007 05:29:21 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/808773#M1007941 rmv72 2007-04-10T05:29:21Z https://community.cisco.com/t5/network-security/nat-question/m-p/808774#M1007942 <HTML><HEAD></HEAD><BODY><P>Could you please add your config to the conversation so I can check it out.</P><P></P><P>Franco</P></BODY></HTML> Tue, 10 Apr 2007 13:54:45 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/808774#M1007942 fzamora 2007-04-10T13:54:45Z https://community.cisco.com/t5/network-security/nat-question/m-p/808775#M1007943 <HTML><HEAD></HEAD><BODY><P>Here config.</P><P></P><P> </P><P></P></BODY></HTML> Wed, 11 Apr 2007 08:19:11 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/808775#M1007943 rmv72 2007-04-11T08:19:11Z https://community.cisco.com/t5/network-security/nat-question/m-p/808776#M1007944 <HTML><HEAD></HEAD><BODY><P>Take out...</P><P></P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P></P><P>Save with: write mem and also issue: clear xlate</P></BODY></HTML> Wed, 11 Apr 2007 11:03:01 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/808776#M1007944 jmia 2007-04-11T11:03:01Z https://community.cisco.com/t5/network-security/nat-question/m-p/808777#M1007945 <HTML><HEAD></HEAD><BODY><P>i've it already</P></BODY></HTML> Wed, 11 Apr 2007 11:21:04 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/808777#M1007945 rmv72 2007-04-11T11:21:04Z https://community.cisco.com/t5/network-security/nat-question/m-p/808778#M1007946 <HTML><HEAD></HEAD><BODY><P>try the following:</P><P></P><P>global (outside) 1 interface</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>clear xlate</P></BODY></HTML> Wed, 11 Apr 2007 16:58:38 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/808778#M1007946 jbeltrame 2007-04-11T16:58:38Z https://community.cisco.com/t5/network-security/nat-question/m-p/808779#M1007947 <HTML><HEAD></HEAD><BODY><P>i've done it.</P><P>same problem.</P><P>from network 10.20.18.0/24-</P><P>debug packet outside dst A.177.119.28 netmask 255.255.255.255 </P><P></P><P>ping from network 10.20.18.0/24</P><P>-- IP --</P><P>10.20.18.3 ==&gt; A.177.119.28</P><P></P><P> ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x64</P><P> id = 0x2aa flags = 0x0 frag off=0x0</P><P> ttl = 0xfb proto=0x1 chksum = 0x540a</P><P></P><P> -- ICMP --</P><P> type = 0x8 code = 0x0 checksum=0x41e9</P><P> identifier = 0x25 seq = 0x8</P><P> -- DATA --</P><P> 00000010: 00 00 00 00 | ....</P><P> 00000020: 6a 3d d1 f6 ab cd ab cd ab cd ab cd ab cd ab cd | j=..............</P><P> 00000030: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................</P><P> 00000040: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................</P><P> 00000050: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................</P><P> 00000060: ab cd ab cd 6e | ....n</P><P></P><P>--------- END OF PACKET ---------</P><P></P><P>ping from PIX-</P><P>PIX2# ping A.177.119.28</P><P>--------- PACKET ---------</P><P></P><P>-- IP --</P><P>VPNgate (ip address of outside interface) ==&gt; A.177.119.28</P><P></P><P> ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c</P><P> id = 0x642d flags = 0x0 frag off=0x0</P><P> ttl = 0xff proto=0x1 chksum = 0xc603</P><P></P><P> -- ICMP --</P><P> type = 0x8 code = 0x0 checksum=0xf5da</P><P> identifier = 0x1124 seq = 0x0</P><P> -- DATA --</P><P> 00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............</P><P> 00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................</P><P> 00000038: 1c 1d 1e 1f 59 | ....Y</P><P></P><P>--------- END OF PACKET ---------</P><P>but i want to say that packets from network 10.20.18.0/24 comes to interface branches, not inside.</P></BODY></HTML> Thu, 12 Apr 2007 04:40:15 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/808779#M1007947 rmv72 2007-04-12T04:40:15Z