https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253538#M810703 <HTML><HEAD></HEAD><BODY><P>It works with that ver</P></BODY></HTML> Mon, 24 Aug 2009 12:48:18 GMT andrew.prince 2009-08-24T12:48:18Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253531#M810696 <P>Greetings,</P><P>My client has a need to PAT via a L2L tunnel on a PIX515E 6.3(5. Allusers on the inside should be able to connect to 2 VLSM IP scopes and one test machine via a VPN tunnel. The remote site is allowing all connections to appear comming from a single IP address.</P><P>I created the access lists for PATing but I am getting an error message whaen I try to nat the single IP to an access list. Here is my configration and the error message:</P><P>name 10.254.1.1 partners_tunneltest</P><P>name 10.254.1.128 partners_portal</P><P>name 10.254.11.80 partners_meditech</P><P>name x.x.x.x PHS_router</P><P>!</P><P>object-group network PARTNERS_OUT </P><P> network-object partners_tunneltest 255.255.255.255 </P><P> network-object partners_portal 255.255.255.128 </P><P> network-object partners_meditech 255.255.255.240 </P><P>!</P><P>access-list outside_cryptomap_51 permit ip host 10.255.11.62 object-group PARTNERS_OUT </P><P>access-list PARTNERS permit ip any object-group PARTNERS_OUT </P><P>crypto map mymap 51 ipsec-isakmp</P><P>crypto map mymap 51 match address outside_cryptomap_51</P><P>crypto map mymap 51 set pfs group2</P><P>crypto map mymap 51 set peer PHS_router</P><P>crypto map mymap 51 set transform-set ESP-3DES-SHA</P><P>crypto map mymap 51 set security-association lifetime seconds 28800 kilobytes 86400</P><P>!</P><P>PIX-515(config)#static (inside,outside) 10.255.11.62 access-list PARTNERS</P><P>ERROR: invalid netmask 255.0.0.0 with global address 10.255.11.62</P><P>Usage: [no] static [(real_ifc, mapped_ifc)]</P><P> {&lt;mapped_ip&gt;|interface}</P><P> {&lt;real_ip&gt; [netmask &lt;mask&gt;]} | {access-list &lt;acl_name&gt;}</P><P> [dns] [norandomseq] [&lt;max_conns&gt; [&lt;emb_lim&gt;]]</P><P> [no] static [(real_ifc, mapped_ifc)] {tcp|udp}</P><P> {&lt;mapped_ip&gt;|interface} &lt;mapped_port&gt;</P><P> {&lt;real_ip&gt; &lt;real_port&gt; [netmask &lt;mask&gt;]} |</P><P> {access-list &lt;acl_name&gt;}</P><P> [dns] [norandomseq] [&lt;max_conns&gt; [&lt;emb_lim&gt;]]</P><P>pix-515(config)# static (inside,outside) 10.255.11.62 netmask 255.255.255.255 access-list PARTNERS</P><P>ERROR: invalid local IP address netmask</P><P>Usage: [no] static [(real_ifc, mapped_ifc)]</P><P> {&lt;mapped_ip&gt;|interface}</P><P> {&lt;real_ip&gt; [netmask &lt;mask&gt;]} | {access-list &lt;acl_name&gt;}</P><P> [dns] [norandomseq] [&lt;max_conns&gt; [&lt;emb_lim&gt;]]</P><P> [no] static [(real_ifc, mapped_ifc)] {tcp|udp}</P><P> {&lt;mapped_ip&gt;|interface} &lt;mapped_port&gt;</P><P> {&lt;real_ip&gt; &lt;real_port&gt; [netmask &lt;mask&gt;]} |</P><P> {access-list &lt;acl_name&gt;}</P><P> [dns] [norandomseq] [&lt;max_conns&gt; [&lt;emb_lim&gt;]]</P><P></P><P></P><P>Thanks for the help</P> Mon, 11 Mar 2019 16:08:52 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253531#M810696 ramzi-kotob 2019-03-11T16:08:52Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253532#M810697 <HTML><HEAD></HEAD><BODY><P>try this instead:-</P><P></P><P>global (outside) 99 10.255.11.62</P><P></P><P>nat (inside) 99 access-list PARTNERS </P><P></P><P>HTH&gt;</P></BODY></HTML> Mon, 24 Aug 2009 11:52:49 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253532#M810697 andrew.prince 2009-08-24T11:52:49Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253533#M810698 <HTML><HEAD></HEAD><BODY><P>I also tried this policy NAT and did not work. I was able to create it using CLI but PDM reported as an invalid configuration and I had to remove it. The configurastion I listed in my initial post works for another client but they have an ASA instead.</P><P></P><P>Thanks,</P><P>Ramzi</P><P></P></BODY></HTML> Mon, 24 Aug 2009 12:09:45 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253533#M810698 ramzi-kotob 2009-08-24T12:09:45Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253534#M810699 <HTML><HEAD></HEAD><BODY><P>I have this as a workking config on multiple sites, what testing did you perform to confirm it did not work?</P></BODY></HTML> Mon, 24 Aug 2009 12:17:40 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253534#M810699 andrew.prince 2009-08-24T12:17:40Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253535#M810700 <HTML><HEAD></HEAD><BODY><P>Testing is browsing to 10.254.1.1. I just realized my tunnel is no longer up, I have to fix that. Attached is the error from PDM regarding the policy NAT</P><P></P><P> </P><P></P></BODY></HTML> Mon, 24 Aug 2009 12:27:28 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253535#M810700 ramzi-kotob 2009-08-24T12:27:28Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253536#M810701 <HTML><HEAD></HEAD><BODY><P>OK - I see one potential issue, my testing (lab) and my working config, my firewalls are running ios 7.x &amp; 8.x - what version are you running?</P></BODY></HTML> Mon, 24 Aug 2009 12:33:20 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253536#M810701 andrew.prince 2009-08-24T12:33:20Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253537#M810702 <HTML><HEAD></HEAD><BODY><P>6.3(5)</P></BODY></HTML> Mon, 24 Aug 2009 12:35:30 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253537#M810702 ramzi-kotob 2009-08-24T12:35:30Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253538#M810703 <HTML><HEAD></HEAD><BODY><P>It works with that ver</P></BODY></HTML> Mon, 24 Aug 2009 12:48:18 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253538#M810703 andrew.prince 2009-08-24T12:48:18Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253539#M810704 <HTML><HEAD></HEAD><BODY><P>I don't know why PDM rejects the Policy NAT and disable PDM configuration until these 2 lines are removed. My client depends on PDM for simple configurations so PDM configuration must be available. Did you see the attached error earlier?</P><P></P><P>Thanks</P></BODY></HTML> Mon, 24 Aug 2009 12:51:37 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253539#M810704 ramzi-kotob 2009-08-24T12:51:37Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253540#M810705 <HTML><HEAD></HEAD><BODY><P>I personally do not use the PDM. Just becuase the PDM does not recongnise/like the config - does not mean it is not working. The fact the PDM only configures about 10% of the availble commands in the PIX says it all.</P><P></P><P>I suggest your client upgrades the IOS to a version that supports the ASDM.</P></BODY></HTML> Mon, 24 Aug 2009 12:58:31 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253540#M810705 andrew.prince 2009-08-24T12:58:31Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253541#M810706 <HTML><HEAD></HEAD><BODY><P>I figured the static works for one to one and does it errors on one to many, the mask error). I used the policy nat and told the client he needs to upgrade.</P><P></P><P>Thanks for the help, I appreciate it</P></BODY></HTML> Mon, 24 Aug 2009 16:33:13 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253541#M810706 ramzi-kotob 2009-08-24T16:33:13Z https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253542#M810707 <HTML><HEAD></HEAD><BODY><P>np - glad to help</P></BODY></HTML> Tue, 25 Aug 2009 05:34:21 GMT https://community.cisco.com/t5/network-security/error-pating-on-a-pix515e/m-p/1253542#M810707 andrew.prince 2009-08-25T05:34:21Z