09-05-2008 06:27 AM - edited 03-11-2019 06:40 AM
Hi, I'm having an issue with NAT on a PIX 525 running 6.3.4. I have two IP addresses that I'm using a static NAT on; one works and one does not.
Here are the static entries
static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0
static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0
The entry for 63.xxx.xxx.37 works fine; .38 will not NAT.
pix-525-fw01# show capture fix
9 packets captured
12:01:06.109476 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:01:09.030363 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:01:15.065609 802.1Q vlan#16 P0 10.200.199.131.4184 > 199.xxx.xxx.242.700: S 1627796669:1627796669(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:04:23.108987 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:04:26.082698 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:04:32.017378 802.1Q vlan#16 P0 10.200.199.131.4208 > 199.xxx.xxx.242.700: S 616249661:616249661(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:20:25.125588 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:20:28.105051 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
12:20:34.039701 802.1Q vlan#16 P0 10.200.199.131.4330 > 199.xxx.xxx.242.700: S 2700232030:2700232030(0) win 64512 <mss 1260,nop,wscale 0,nop,nop,[|tcp]>
9 packets shown
Looking at the xlate table:
pix-525-fw01# show xlate | include 10.200.100.131
Global 63.xxx.xxx.37 Local 10.200.100.131
PAT Global 65.xxx.xxx.146(30539) Local 10.200.100.131(62685)
Global 10.200.100.131 Local 10.200.100.131
pix-525-fw01#
pix-525-fw01#
pix-525-fw01# show xlate | include 10.200.199.131
Global 10.200.199.131 Local 10.200.199.131
PAT Global 65.xxx.xxx.146(28971) Local 10.200.199.131(4510)
PAT Global 65.xxx.xxx.146(30551) Local 10.200.199.131(4526)
pix-525-fw01#
The path for both of the sources is the same except the vlan. Has anyone ever seen something like this before?
09-05-2008 06:37 AM
Do you have a VLAN interface for the x.x.199.x network? If not, do you have a route to 10.200.199.x configured?
09-05-2008 07:30 AM
Yes, I have a route for the 199.x.x.x network directing it to the VPN interface. The traffic gets to the interface for both clients, but the NAT never happens for the one 10.200.x.x address: the 63.x.x.37 NAT works but the .38 does not. This is for a VPN; the encryption domain is 63.x.x.x and 199.x.x.x, so for the one 10. address the VPN works, but without the NAT I cannot get the other client to connect to the VPN.
09-05-2008 08:10 AM
You have these config lines:
static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0
static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0
Where is 10.200.100.131?
Where is 10.200.199.131?
Are they directly attached?
09-05-2008 08:41 AM
No, they are clients that sit behind the inside interface.
09-05-2008 08:44 AM
OK - are you NATting it again? Or do you have a layer 3 routing device that can route to them?
09-05-2008 10:46 AM
Yes, the 10. addresses are on my local LAN. They attempt to connect to the 199.x.x.x address and follow my default route; once they get to the firewall I have a route that directs them to the VPN DMZ. Before they get to the VPN interface they should be NAT'ed to the 63.x.x.x address. Then the VPN concentrator will see that as interesting traffic, bring up the VPN, and everybody goes home happy.
09-05-2008 12:05 PM
Can you post all of:
NAT
NO-NAT
Routes
Please?
09-05-2008 12:21 PM
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (guest) 1 10.200.253.48 255.255.255.240 0 0
ip address outside 65.xxx.xxx.xxx 255.255.255.248
09-05-2008 02:30 PM
Confused.....
static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0
static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0
Can you post the entire config, sanitised? There is quite a lot of info missing.
09-08-2008 06:12 AM
Sorry about the confusion. The flow is like this:
10.200.100.131 > 199.x.x.x
That traffic gets routed to the VPN DMZ and the 10. address NAT'ed to 63.x.x.38
That traffic flow, 63.x.x.38 > 199.x.x.x, should bring up a VPN on my concentrator.
I can run a capture and see the traffic going to the VPN interface but it does not get NAT'ed.
If I source the traffic from 10.200.100.131 the NAT works.
Both 10. addresses follow the same route.
I have attached a sanitized config.
09-08-2008 06:15 AM
09-08-2008 06:22 AM
Are you able to ping 10.200.199.131 from the firewall?
09-08-2008 06:43 AM
Yes.
09-08-2008 07:11 AM
I would recommend you remove the config line that is not currently working, then:
clear xlate
<>
clear xlate
And re-test?
HTH
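To make the diagnosis from the thread repeatable, here is an added helper (not from the original poster or from Cisco) that parses the `static` lines and a `show xlate` listing and flags a local host whose only non-PAT translation is an identity xlate, which is the symptom seen for 10.200.199.131 above. The sample inputs are constructed from the masked output posted in the thread.

```python
import re

# Constructed sample, copied from the masked "static" lines posted in the thread.
STATICS = """
static (inside,vpn) 63.xxx.xxx.37 10.200.100.131 netmask 255.255.255.255 0 0
static (inside,vpn) 63.xxx.xxx.38 10.200.199.131 netmask 255.255.255.255 0 0
"""

# Constructed sample, modelled on the "show xlate" output posted in the thread.
XLATE = """
Global 63.xxx.xxx.37 Local 10.200.100.131
PAT Global 65.xxx.xxx.146(30539) Local 10.200.100.131(62685)
Global 10.200.100.131 Local 10.200.100.131
Global 10.200.199.131 Local 10.200.199.131
PAT Global 65.xxx.xxx.146(28971) Local 10.200.199.131(4510)
PAT Global 65.xxx.xxx.146(30551) Local 10.200.199.131(4526)
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
XLATE_RE = re.compile(r"^(PAT )?Global (\S+?)(?:\((\d+)\))? Local (\S+?)(?:\((\d+)\))?$")

def parse_statics(text):
    """Map each local address to the global address its static should give it."""
    out = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            out[m.group(4)] = m.group(3)
    return out

def parse_xlate(text):
    """Return one dict per xlate row: whether it is PAT, plus global and local IPs."""
    out = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            out.append({"pat": bool(m.group(1)), "global": m.group(2), "local": m.group(4)})
    return out

def check_statics(statics, xlates):
    """For each static, report whether the expected translation is actually installed."""
    report = {}
    for local, expected in statics.items():
        seen = {x["global"] for x in xlates if x["local"] == local and not x["pat"]}
        if expected in seen:
            report[local] = "ok"
        elif local in seen:
            report[local] = "identity xlate only; clear xlate after re-adding the static"
        else:
            report[local] = "no static xlate present"
    return report
```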