Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
535
Views
0
Helpful
8
Replies

NAT question

rmv72
Level 1
Level 1

‎04-09-2007 04:13 AM - edited ‎03-11-2019 02:57 AM

i have next config for pix515e-

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 branches security50

global (outside) 2 interface

nat (inside) 0 access-list vpn_outside_1

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (branches) 2 10.20.18.0 255.255.255.0 0 0

i tryed to ping public address from network 10.20.18.0 and i see not NATed packets at the outside interface-

--------- PACKET ---------

-- IP --

10.20.18.3 ==> 1.1.119.28

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x64

id = 0x239 flags = 0x0 frag off=0x0

ttl = 0xfb proto=0x1 chksum = 0x547b

-- ICMP --

type = 0x8 code = 0x0 checksum=0x2f9e

identifier = 0x22 seq = 0x1

-- DATA --

00000010: 00 00 00 00 | ....

00000020: 5c 33 f2 55 ab cd ab cd ab cd ab cd ab cd ab cd | \3.U............

00000030: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................

00000040: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................

00000050: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................

00000060: ab cd ab cd 03 | .....

--------- END OF PACKET ---------

when i do the same from PIX - it's ok-

--------- PACKET ---------

-- IP --

Public_address_VPNgate ==> 1.1.119.28

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0xa407 flags = 0x0 frag off=0x0

ttl = 0xff proto=0x1 chksum = 0x8629

-- ICMP --

type = 0x8 code = 0x0 checksum=0xf5d8

identifier = 0x1124 seq = 0x2

-- DATA --

00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............

00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................

00000038: 1c 1d 1e 1f 18 | .....

--------- END OF PACKET ---------

where is a problem?

Labels:
0 Helpful
8 Replies 8

fzamora
Cisco Employee
Cisco Employee

‎04-09-2007 08:43 PM

Hi,

Did you add the access list in order to permit the incoming ICMP traffic on the outside interface? If you can ping from the PIX that means it has connectivity so one of the first things one needs to check is the ACL. Please add the following:

access-list inbound permit icmp any any

access-group inbound in interface outside

If you already added it, please let me know so we can continue with the troubleshooting

Hope it helps,

Franco Zamora

0 Helpful

rmv72
Level 1
Level 1
In response to fzamora

‎04-09-2007 10:29 PM

Hi!

yes,i've ACL.

i think the problem is that packets goes from outside interface with private source (which is certainly is not routed in public internet :) ).

Seems they don't NATed - maybe here problem?

0 Helpful

fzamora
Cisco Employee
Cisco Employee
In response to rmv72

‎04-10-2007 06:54 AM

Could you please add your config to the conversation so I can check it out.

Franco

0 Helpful

rmv72
Level 1
Level 1
In response to fzamora

‎04-11-2007 01:19 AM

Here config.

Preview file
7 KB
0 Helpful

jmia
Level 7
Level 7
In response to rmv72

‎04-11-2007 04:03 AM

Take out...

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Save with: write mem and also issue: clear xlate

0 Helpful

rmv72
Level 1
Level 1
In response to jmia

‎04-11-2007 04:21 AM

i've it already

0 Helpful

jbeltrame
Level 1
Level 1

‎04-11-2007 09:58 AM

try the following:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

clear xlate

0 Helpful

rmv72
Level 1
Level 1
In response to jbeltrame

‎04-11-2007 09:40 PM

i've done it.

same problem.

from network 10.20.18.0/24-

debug packet outside dst A.177.119.28 netmask 255.255.255.255

ping from network 10.20.18.0/24

-- IP --

10.20.18.3 ==> A.177.119.28

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x64

id = 0x2aa flags = 0x0 frag off=0x0

ttl = 0xfb proto=0x1 chksum = 0x540a

-- ICMP --

type = 0x8 code = 0x0 checksum=0x41e9

identifier = 0x25 seq = 0x8

-- DATA --

00000010: 00 00 00 00 | ....

00000020: 6a 3d d1 f6 ab cd ab cd ab cd ab cd ab cd ab cd | j=..............

00000030: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................

00000040: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................

00000050: ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd | ................

00000060: ab cd ab cd 6e | ....n

--------- END OF PACKET ---------

ping from PIX-

PIX2# ping A.177.119.28

--------- PACKET ---------

-- IP --

VPNgate (ip address of outside interface) ==> A.177.119.28

ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c

id = 0x642d flags = 0x0 frag off=0x0

ttl = 0xff proto=0x1 chksum = 0xc603

-- ICMP --

type = 0x8 code = 0x0 checksum=0xf5da

identifier = 0x1124 seq = 0x0

-- DATA --

00000018: 00 01 02 03 04 05 06 07 08 09 0a 0b | ............

00000028: 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b | ................

00000038: 1c 1d 1e 1f 59 | ....Y

--------- END OF PACKET ---------

but i want to say that packets from network 10.20.18.0/24 comes to interface branches, not inside.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card