01-14-2008 11:26 AM - edited 03-11-2019 04:47 AM
Hi all, I'm experiencing a problem on a PIX 515E.
Clients on the inside are NATed with a pool of public addresses on the outside interface and all works fine, but if I try to access an inside client by its public address from another client on the inside network (with a different public address) it doesn't work; the same from DMZ to inside. Otherwise from inside to DMZ all works fine, and from outside I can access anything.
Is there any special command to make this work?
Thank you
01-23-2008 10:09 AM
What happens when you remove - nat (inside) 30 10.7.4.0 255.255.255.0?
There is no matching global statement and the nat 30 line is more specific than the nat 10 line. Doesn't the NAT statement that is more specific apply?
What do the logs say when you try this? Does it say no matching translation?
01-23-2008 10:19 AM
No difference if I take it off.
What debugs should I run to watch the NAT translation? Keep in mind this is a live system.
Dave
01-23-2008 10:37 AM
Being a production system, I wouldn't use debug unless it came to that, and then only out-of-hours.
You could set buffer logging to warn -
logging buffered warnings
and then use -
sho logg | inc "ip address of bad box"
to see entries for your specific box only.
I was able to see that my routed network wasn't getting nat'ed at one point because it was logging something about no translation available.
I also used this to see that it was eating the traffic going in.
If that doesn't give enough info, set buffered logging to debug and use the same filtered search of the logs.
01-23-2008 11:17 AM
Ok so when I do the debug it shows the packets from 10.7.4.1 trying to get to 204.50.209.51, BUT when 10.7.4.1 tries to hit that address it actually goes out the firewall. It is being translated to 204.50.200.250 which is the public that all the others on our network use. If I put in this command:
nat (inside) 20 10.7.4.0 255.255.255.0
which means 10.7.4.1 will be translated to 204.50.200.27, the same as anyone on the 10.7.7.0 network or the same as the web server I am trying to get to (10.7.7.27), then it works.
So basically what we are saying here is that if you use the outside address of your FW as the PAT address for everyone, then you cannot do hairpinning.
Make sense? Comments?
Dave
01-23-2008 11:42 AM
Hi Dave,
This is a little bit interesting, so why can user A access the server? It should have the same behavior as user B (the only difference is the source IP), right? When you say:
User A 10.7.7.20
Server 10.7.7.27=204.50.200.51=site.intweb.com
User B 10.7.4.20
User A can now get to http://site.intweb.com but user B cannot.
1. Did you put "global (inside) 10 interface" when user A can get to http://site.intweb.com?
2. If not, that means the firewall doesn't do NAT at the inside interface. Can you do the same debug for user A to see if it has been PATed to 204.50.200.250?
01-23-2008 11:56 AM
Yeah sorry my response was a mouthful and hard to understand.
User A is setup to go out as 204.50.200.27
User B is setup to go out as 204.50.200.250 which is also the IP of the Outside interface.
global (Outside) 10 interface
global (Outside) 20 204.50.200.227 netmask 255.255.255.255
global (inside) 10 interface
nat (inside) 20 10.7.7.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
With this config user B cannot get to http://site.intweb.com but A can. This is because he is not going out as the Outside interface of the PIX.
So if I add in this command:
nat (inside) 20 10.7.4.0 255.255.255.0
then it works from the 10.7.4.0 LAN, as his new public (NAT) address is 204.50.200.27.
So I think the hairpinning will not work when you are NATed to the IP of the Outside interface.
To answer question 2, user A is translated to 204.50.200.27.
Dave
01-23-2008 12:43 PM
So I have confirmed that if the users are going out as the public IP of the Outside interface of the PIX, then the same-security-traffic permit intra-interface or hairpinning will not work.
Once I changed all the users to go out with a different IP than the Outside interface everyone internal can access the web page.
Hope this helps someone else!
Dave
01-23-2008 12:49 PM
That is great. In this case, I think "global (inside) 10 interface" is not functioning; if you remove this code, you should get the same result.
01-23-2008 12:52 PM
Yep, removed that line as it is not doing anything.
Dave
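Putting the thread's finding together as one before/after configuration. This is an added example, not a config posted by anyone in the thread: the static for the web server, the lowercase interface names and the host address used in the log filter are assumptions; the thread only gives the mapping 10.7.7.27 = 204.50.200.51 and the nat/global lines shown above.

```cisco
: --- Before: every inside host is PATed to the outside interface address ---
: hairpinned inside-to-inside access to the server's public address fails here
same-security-traffic permit intra-interface
: assumed static for the server the thread describes (10.7.7.27 = 204.50.200.51)
static (inside,outside) 204.50.200.51 10.7.7.27 netmask 255.255.255.255
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0

: --- After: the inside subnets get a dedicated global address (what the thread settled on) ---
: 'global (inside) 10 interface' is left out, as it matched nothing and was removed at the end of the thread
same-security-traffic permit intra-interface
static (inside,outside) 204.50.200.51 10.7.7.27 netmask 255.255.255.255
global (outside) 10 interface
global (outside) 20 204.50.200.227 netmask 255.255.255.255
nat (inside) 20 10.7.7.0 255.255.255.0
nat (inside) 20 10.7.4.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0

: --- Verifying on a production box without debug, as suggested earlier in the thread ---
: filter the buffered log for one client (10.7.4.20 is the constructed example host)
logging buffered warnings
show logging | include 10.7.4.20
```

The more specific nat 20 entries are matched before the catch-all nat 10, so only hosts outside 10.7.7.0/24 and 10.7.4.0/24 still leave as the outside interface address.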