https://community.cisco.com/t5/network-security/policy-nat-issue/m-p/1229572#M859443 <HTML><HEAD></HEAD><BODY><P>Sorry. I wasn't aware of this bug but, I am glad I gave you the work around listed in this bug as a work around.</P><P></P><P></P></BODY></HTML> Thu, 11 Jun 2009 16:16:52 GMT Kureli Sankar 2009-06-11T16:16:52Z https://community.cisco.com/t5/network-security/policy-nat-issue/m-p/1229569#M859425 <P>I have setup a L2L VPN for a customer in which the vendor requires their IPs to be natted when they come across. So, I have setup policy nat on their pix for the L2L VPN. Here is a snip of the NAT config:</P><P> </P><P>access-list nat-to-vendor permit ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0 </P><P>access-list nat-to-vendor permit ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0 </P><P>access-list nat-to-vendor permit ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0 </P><P>access-list nat-to-vendor permit ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0</P><P>global (outside) 100 10.11.46.33-10.11.46.62 netmask 255.255.255.224</P><P>global (outside) 1 interface</P><P>global (outside) 2 x.x.x.x</P><P>global (outside) 3 y.y.y.y</P><P>global (dmz) 1 interface</P><P>nat (inside) 0 access-list nonatvpn</P><P>nat (inside) 100 access-list nat-to-vendor 0 0</P><P>nat (inside) 2 192.168.10.7 255.255.255.255 0 0</P><P>nat (inside) 3 192.168.10.40 255.255.255.255 0 0</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P> </P><P>The policy nat works, however, once a machine attempts a connection to the vendor using a 172.22.1.x destination address, it can no longer get to the internet. Checking the xlate table, there are 2 entries for the machine, one for the policy nat (ID 100) and one for the regular nat (ID 1). And, if I clear the xlate entry for the policy nat, the machine can then get to the internet. But, one ping to the 172.22.1.x network and internet access is lost. It is a PIX running 6.3(3).</P><P> </P><P>Am I doing this wrong or does anyone have any other suggestions?</P> Mon, 11 Mar 2019 15:40:42 GMT https://community.cisco.com/t5/network-security/policy-nat-issue/m-p/1229569#M859425 f00f1ter 2019-03-11T15:40:42Z https://community.cisco.com/t5/network-security/policy-nat-issue/m-p/1229570#M859431 <HTML><HEAD></HEAD><BODY><P>I would try to replace this below line</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0 </P><P></P><P>nat (inside) 1 access-list www-traffic</P><P></P><P>access-list www-traffic deny ip 192.168.10.0 255.255.255.0 172.22.1.0 255.255.255.0</P><P>access-list www-traffic deny ip 192.168.20.0 255.255.255.0 172.22.1.0 255.255.255.0</P><P>access-list www-traffic deny ip 192.168.30.0 255.255.255.0 172.22.1.0 255.255.255.0</P><P>access-list www-traffic deny ip 10.4.224.0 255.255.255.0 172.22.1.0 255.255.255.0 </P><P>access-list www-traffic permit ip any any</P><P></P><P>Sorry, I am not in a position to try this out in the lab.</P><P></P><P>Give it a shot and let us know.</P><P></P><P>-KS</P><P></P><P></P></BODY></HTML> Tue, 09 Jun 2009 01:46:10 GMT https://community.cisco.com/t5/network-security/policy-nat-issue/m-p/1229570#M859431 Kureli Sankar 2009-06-09T01:46:10Z https://community.cisco.com/t5/network-security/policy-nat-issue/m-p/1229571#M859438 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply. However, I found that this issue is a bug in PIX version 6.3.3. The bug ID is CSCec63822. The work around is to use policy nat for the internet traffic, or upgrade. I used the workaround, somewhat similar to what you have proposed, and the issue was resolved.</P></BODY></HTML> Thu, 11 Jun 2009 15:59:22 GMT https://community.cisco.com/t5/network-security/policy-nat-issue/m-p/1229571#M859438 f00f1ter 2009-06-11T15:59:22Z https://community.cisco.com/t5/network-security/policy-nat-issue/m-p/1229572#M859443 <HTML><HEAD></HEAD><BODY><P>Sorry. I wasn't aware of this bug but, I am glad I gave you the work around listed in this bug as a work around.</P><P></P><P></P></BODY></HTML> Thu, 11 Jun 2009 16:16:52 GMT https://community.cisco.com/t5/network-security/policy-nat-issue/m-p/1229572#M859443 Kureli Sankar 2009-06-11T16:16:52Z