NAT issue

joseph.yuffa
Level 1

Looks like my PIX501 is not doing what I told it to do. I want my internal LAN traffic to be NATed and encrypted to all remote private LANs, except the destinations specified in the ACL:

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.101.1
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.42.11
access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.75.5

------------

nat (inside) 0 access-list toJoseph
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

---------------

crypto map cmTest 10 match address toJoseph

-----------

When I ping the remote-side private LAN address 192.168.1.x, I don't see the match count increase on the ACL rule from 10.1.1.0 to 192.168.0.0.

When I ping 192.168.200.10 (another IP excluded from the nat 1 rule), the ACL match count from 10.1.1.0 to 192.168.200.10 goes up.

Whole PIX config is attached.

2 Replies

ROBERTO TACCON
Level 4

You said:

"When I ping the remote-side private LAN address 192.168.1.x, I don't see the match count increase on the ACL rule from 10.1.1.0 to 192.168.0.0."

In the config:

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

It's correct: the subnet ID is

192.168.0.0 with mask /24!

Maybe you need:

access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

rkalia1
Level 1

I think you shouldn't see it, as your rule in the ACL is: access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

As you are pinging 192.168.1.x, there won't be any hits, as your rule above is for 192.168.0.0 with a mask of 255.255.255.0.
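Both replies make the same point: a /24 ACE for 192.168.0.0 covers 192.168.0.1 through 192.168.0.254 only, so a ping to 192.168.1.x never touches it. The security consequence in the original config is worth spelling out: the same ACL drives both `nat (inside) 0` and the crypto map, so a destination that misses every ACE is not NAT-exempted and is not selected for the tunnel; it leaves through `nat (inside) 1` in the clear. The script below is an added example written for this thread, not code from the PIX or from any poster. It re-implements first-match ACE evaluation over a constructed copy of the `toJoseph` access-list so the hit counters the original poster describes can be reproduced offline. The function names (`parse_acl`, `first_match`, `nat_path`, `hit_counts`) and the sample ping flows are hypothetical.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed copy of the access-list from the post above.  PIX/ASA ACLs take
# real subnet masks (255.255.255.0), not the inverse wildcard masks IOS uses.
ACL_LINES = [
    "access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0",
    "access-list toJoseph permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0",
    "access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.101.1",
    "access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.42.11",
    "access-list toJoseph permit ip 10.1.1.0 255.255.255.0 host 192.168.75.5",
]

Entry = Tuple[str, object, object]  # (action, src_network, dst_network)


def _parse_endpoint(tokens: List[str], i: int):
    """Parse 'host A.B.C.D' or 'A.B.C.D M.M.M.M' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash; strict=False tolerates
    # a network address whose host bits are not all zero.
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list NAME permit|deny ip SRC DST' lines, keeping their order."""
    entries: List[Entry] = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _parse_endpoint(t, 4)
        dst, _ = _parse_endpoint(t, i)
        entries.append((t[2], src, dst))
    return entries


def first_match(acl: List[Entry], src: str, dst: str) -> Optional[int]:
    """Index of the first ACE whose source and destination networks both contain the packet, else None."""
    s, d = ip_address(src), ip_address(dst)
    for idx, (_action, snet, dnet) in enumerate(acl):
        if s in snet and d in dnet:
            return idx
    return None


def nat_path(acl: List[Entry], src: str, dst: str) -> str:
    """Path the post's config gives a packet: permitted by the ACL means NAT-exempt and
    selected by the crypto map; anything else falls through to the PAT rule unencrypted."""
    idx = first_match(acl, src, dst)
    if idx is not None and acl[idx][0] == "permit":
        return "nat 0 + crypto map"
    return "nat 1 (clear)"


def hit_counts(acl: List[Entry], flows: List[Tuple[str, str]]) -> List[int]:
    """Emulate the per-ACE hit counters of 'show access-list' for a list of (src, dst) flows."""
    counts = [0] * len(acl)
    for src, dst in flows:
        idx = first_match(acl, src, dst)
        if idx is not None:
            counts[idx] += 1
    return counts


# Constructed test traffic modelled on the two pings described in the post.
PINGS = [
    ("10.1.1.5", "192.168.1.20"),    # "remote side private LAN address 192.168.1.x"
    ("10.1.1.5", "192.168.1.21"),
    ("10.1.1.5", "192.168.200.10"),  # the destination whose counter does go up
]

if __name__ == "__main__":
    acl = parse_acl(ACL_LINES)
    for src, dst in PINGS:
        print(f"{src} -> {dst}: ACE {first_match(acl, src, dst)}, path: {nat_path(acl, src, dst)}")
    print("hit counts:", hit_counts(acl, PINGS))
```

Running it shows the 192.168.1.x pings matching no ACE (so they take the `nat 1` path) while the 192.168.200.10 ping lands on the first ACE, which is exactly the counter behaviour the original poster reported. Changing the second ACE to `192.168.1.0 255.255.255.0`, as the first reply suggests, moves those pings onto ACE 1.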
