NAT only occuring in one direction

watcher60 · ‎12-12-2006

PIX running 6.3(4)

All,

I have tried to NAT out an internal IP using (ip's slightly changed):

static (inside,outside) 12.15.27.24 172.16.251.251 netmask 255.255.255.255 0 0

to allow access to a external PPTP server. When I run a debug icmp trace (after starting a ping to a external IP)I can see the packets are not being natted to the above rather the hider ip, yet when I ping the external IP I can see it does translate correctly. The external and internal IP in the NAT statement are not specified anywhere else in the config. The translation is show in a show xlate output:

Global 12.15.27.24 Local 172.16.251.251

The internal host which is behind a core switch is locally firewalled so does not allow icmp traffic not that I can see this impacting. Has anyone else come across this or any suggestions on why the NAT would only be occuring in one direction?

many thanks

a.kiprawih · ‎12-12-2006

The static nat looks ok.

Do you have ACL on outside interface permitting ping/icmp to the 12.15.27.24?

Can you ping the IP from your internet router?

HTH

AK

Fernando_Meza · ‎12-12-2006

Hi .. the description of your issue seems to contradict .. can youb please elaborate a bit further ..?

Are you saying that when you try to ping the external device .. you can's see a translation ..?

Please be aware that to allow icmp trhought a firewall you need to enable icmp inspection .. on code 6.X fixup protocol icmp fixup protocol icmp-error

Also make sure icmp is allowed in both directions ..

I hope it helps .. please rate it if does !!!