Error Message 305006

ksarin123_2
Level 1

Hello All -

I am receiving the following error message in my ASA firewall at a pretty rapid rate. The error below just references one host inside. The same message is being received for several other inside hosts.

10-06-2010 12:15:48 Local4.Error 192.168.1.18 Oct 06 2010 12:15:53 AEMFWP1 : %ASA-3-305006: regular translation creation failed for icmp src inside:100.78.20.6 dst OUTSIDE:207.250.33.4 (type 0, code 0)

Cisco documentation states that this message is generated when icmp requests other than echo & echo-reply fail to get PAT'd and added to the xlate table on the firewall.

So my question is, is there a way to stop these messages from being generated? I don't have direct access to the machines in our network that are referenced in the error message above.

There are no static entries in our firewall for the IPs in question.

Any help would be appreciated!!

9 Replies

mirober2
Cisco Employee

Hello,

Can you post your NAT configuration? That would help us identify why the xlate creation is failing.

-Mike

Here it is -

nat (inside) 1 access-list pat
nat (DMZ) 1 access-list pat_dmz

access-list pat extended permit ip 192.168.254.0 255.255.255.0 any
access-list pat extended permit ip 192.168.248.0 255.255.254.0 any
access-list pat extended permit ip 198.199.241.64 255.255.255.224 any
access-list pat extended permit ip 198.199.241.96 255.255.255.224 any
access-list pat extended permit ip 172.16.3.0 255.255.255.0 any
access-list pat extended permit ip 172.16.4.0 255.255.255.0 any
access-list pat extended permit ip 172.16.5.0 255.255.255.0 any
access-list pat extended permit ip 172.16.27.0 255.255.255.0 any
access-list pat extended permit ip 172.16.30.0 255.255.255.0 any
access-list pat extended permit ip 172.16.31.0 255.255.255.0 any
access-list pat extended permit ip 172.16.34.0 255.255.255.0 any
access-list pat extended permit ip 172.16.37.0 255.255.255.0 any
access-list pat extended permit ip 172.16.39.0 255.255.255.0 any
access-list pat extended permit ip 172.16.40.0 255.255.255.0 any
access-list pat extended permit ip 172.16.75.0 255.255.255.0 any
access-list pat extended permit ip 172.16.230.0 255.255.255.0 any
access-list pat extended permit ip 172.16.108.0 255.255.252.0 any
access-list pat extended permit ip 172.16.107.0 255.255.255.0 any
access-list pat extended permit ip host 192.168.1.20 any
access-list pat extended permit ip 100.37.0.0 255.255.0.0 any
access-list pat extended permit ip 100.34.0.0 255.255.0.0 any
access-list pat extended permit ip 100.66.0.0 255.255.0.0 any
access-list pat extended permit ip 192.168.249.0 255.255.255.0 any
access-list pat extended permit ip 192.168.250.0 255.255.255.0 any
access-list pat extended permit ip 100.78.0.0 255.255.0.0 any
access-list pat extended permit ip 100.104.0.0 255.255.0.0 any
access-list pat extended permit ip 100.42.0.0 255.255.0.0 any
access-list pat extended permit ip 100.16.0.0 255.255.0.0 any
access-list pat extended permit ip 100.60.0.0 255.255.0.0 any
access-list pat extended permit ip 100.8.0.0 255.255.0.0 any
access-list pat extended permit ip 100.47.0.0 255.255.0.0 any
access-list pat extended permit ip 10.10.14.0 255.255.255.0 any
access-list pat extended permit ip 172.17.15.0 255.255.255.128 any
access-list pat extended permit ip 100.2.0.0 255.255.0.0 any
access-list pat extended permit ip 10.10.23.0 255.255.255.0 any
access-list pat extended permit ip 10.10.233.0 255.255.255.0 any
access-list pat extended permit ip 172.17.0.0 255.255.240.0 any
access-list pat extended permit ip 201.0.0.0 255.255.255.0 any
access-list pat extended permit ip 100.4.0.0 255.255.0.0 any
access-list pat extended permit ip 100.134.0.0 255.255.0.0 any
access-list pat extended permit ip 172.16.38.0 255.255.255.0 any
access-list pat extended permit ip 192.168.40.0 255.255.255.192 any
access-list pat extended permit ip 192.168.40.64 255.255.255.192 any
access-list pat extended permit ip 192.168.40.128 255.255.255.192 any

access-list pat_dmz extended permit ip host 192.168.128.26 any
access-list pat_dmz extended permit ip host 192.168.128.28 any

Thanks!!

Hello,

EDIT:

I noticed you didn't post the output of 'show run global', so please check that as well. If you don't have anything that starts with global (OUTSIDE) 1, you can follow the config I mentioned below.

The reason you are seeing that message is because there is no valid NAT config for packets that will flow from the inside interface to the outside interface. Try adding this:

nat (inside) 2 0.0.0.0 0.0.0.0

global (OUTSIDE) 2 interface

That will allow the firewall to translate any source address on the inside to the outside interface IP using PAT. That should stop the messages you are seeing.

Hope that helps.

-Mike

Message was edited by: mirober2

So this is what I have for the global statement:

global (OUTSIDE) 1 interface

All the internal IPs that are being referenced in the error message are covered under the pat access-l. So they should definitely be PAT'd, since there are other hosts on the same network that connect to the internet.

So I don't think I need to add another NAT statement. Any other ideas?

Thanks!

It's possible that you might be running out of PAT slots if you have a lot of connections going through the firewall. What does 'show xlate count' say?

-Mike

XLATE count is 2611, most used is 6466

Conn count is 2647, most used is 3712

Hello,

The PAT pool is actually split up into 3 smaller pools, so you may be running out of slots in one of the 3 pools. The pools are split up as follows:

Port 1-511

Port 512-1023

Port 1024-65535

As you can see, the first 2 pools only have 511 slots in them and you have over 2k xlates. Can you check the full output of 'show xlate' and see what the ports being used in the translations are? If you have more than 511 xlates in the 1-511 or 512-1023 ranges, you'll see these messages.

-Mike

None of the addresses referenced in the error message appear in the xlate table. This is the expected behavior since the error message states that it is unable to create a NAT translation for the host in question.

Still scratching my head on this one.....

Hello,

I agree that the addresses in the syslogs shouldn't show up in the 'show xlate' output. However, what you want to look for in 'show xlate' is an indication of what ports actually are being successfully allocated. This will help you determine why some connections cannot be allocated.

For example, you may see many xlates being built with ports in the 512-1023 range. If this is the case, new connections trying to use ports in this same range may be denied with this syslog message since we are out of translation slots in that pool.

You can also try to add a second global (OUTSIDE) 1 statement with another PAT address and see if this alleviates the problem. If it does, you'll know you were running out of translation slots in one of the 3 pools.

-Mike
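As an added example (not code from this thread, from Cisco, or from either poster), the following Python script does the check Mike describes in his last two replies: it reads saved 'show xlate' output, pulls out the mapped (global-side) PAT port of each translation, and counts how many ports are in use in each of the three pools (1-511, 512-1023, 1024-65535), so you can see whether one pool is close to full before the 305006 messages start. The two line shapes the regexes recognise are assumed from memory of 'show xlate' output on different ASA releases and may need adjusting for your version; the sample output embedded below is constructed, not taken from the firewall in the thread.

```python
import re

# The three PAT port pools Mike describes. Capacity is computed from the range
# (the 1-511 pool really has 511 slots, the 512-1023 pool has 512).
POOLS = (
    ("1-511", 1, 511),
    ("512-1023", 512, 1023),
    ("1024-65535", 1024, 65535),
)

# ASSUMED line shapes for 'show xlate' (adjust to your ASA release):
#   pre-8.3 style: "PAT Global 203.0.113.10(1025) Local 192.168.254.14(53022)"
#   8.3+ style:    "TCP PAT from inside:172.16.3.7/49188 to OUTSIDE:203.0.113.10/600 flags ri ..."
# In both cases the port we want is the one on the global (outside) side.
OLD_STYLE = re.compile(r"PAT Global \S+?\((\d+)\) Local \S+")
NEW_STYLE = re.compile(r"^(TCP|UDP|ICMP) PAT from \S+ to [^:\s]+:[\d.]+/(\d+)")

# Constructed sample output; these addresses and ports are made up for the example.
SAMPLE_XLATE = """\
4 in use, 6466 most used
PAT Global 203.0.113.10(1025) Local 192.168.254.14(53022)
TCP PAT from inside:172.16.3.7/49188 to OUTSIDE:203.0.113.10/600 flags ri idle 0:00:03 timeout 0:00:30
UDP PAT from inside:172.16.4.9/53455 to OUTSIDE:203.0.113.10/612 flags ri idle 0:00:08 timeout 0:00:30
ICMP PAT from inside:100.37.2.3/1 to OUTSIDE:203.0.113.10/301 flags ri idle 0:00:01 timeout 0:00:30
"""


def parse_xlate_ports(text):
    """Return the global-side PAT ports found in 'show xlate' output, in order."""
    ports = []
    for line in text.splitlines():
        line = line.strip()
        m = NEW_STYLE.match(line) or OLD_STYLE.search(line)
        if m:
            # The port group is the last capturing group in either pattern.
            ports.append(int(m.group(m.lastindex)))
    return ports


def pool_usage(ports):
    """Map each pool name to (ports in use, pool capacity)."""
    usage = {}
    for name, lo, hi in POOLS:
        used = sum(1 for p in ports if lo <= p <= hi)
        usage[name] = (used, hi - lo + 1)
    return usage


def exhausted_pools(ports, threshold=1.0):
    """Names of pools whose fill ratio is at or above threshold (1.0 = completely full)."""
    return [
        name
        for name, (used, capacity) in pool_usage(ports).items()
        if used / capacity >= threshold
    ]


def report(text, warn_at=0.9):
    """Print per-pool usage and flag pools above warn_at; returns the flagged pool names."""
    ports = parse_xlate_ports(text)
    for name, (used, capacity) in pool_usage(ports).items():
        print(f"pool {name:>11}: {used:5d} / {capacity:5d} in use")
    flagged = exhausted_pools(ports, warn_at)
    for name in flagged:
        print(f"WARNING: pool {name} is at or above {warn_at:.0%}; expect %ASA-3-305006")
    return flagged


if __name__ == "__main__":
    # Run against the constructed sample; replace with open("xlate.txt").read()
    # on a saved copy of your own 'show xlate' output.
    report(SAMPLE_XLATE)
```

If the 512-1023 pool shows hundreds of allocations while the 1024-65535 pool is nearly empty, that is the situation Mike describes, and adding a second PAT address to the global statement (as he suggests) is the way to confirm it.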
