PIX 515E 6.3(3) Without NAT or PAT

schelec
Level 1

Hello

I have the following Configuration:

Inside interface: 10.55.28.254 255.255.255.0 (Subnet 10.55.28.0)

Outside interface: 193.222.100.5 255.255.255.0 (Subnet 193.222.100.0)

The route outside 0.0.0.0 0.0.0.0 193.222.100.26 1 is set to my router.

The required routes at my router are set.

Now my question:

If I try the command 'nat (inside) 0 193.222.100.5 255.255.255.0' as described in the sample configuration, step 10, the following error is generated: WARNING: IP adress <193.222.100.3> and netmask <255.255.255.0> are inconsistent nat 0 193.222.100.0 will be identity translated for outbound.

Which commands are required for my configuration?

Thanks

Felix

5 Replies

jagb
Level 1

I think that the warning you receive is because the nat 0 range specified in your statement does not fall on a subnet boundary. On the assumption that you want to allow traffic out from the entire class C 193.222.100.0 network untranslated, you should use the command:

nat (inside) 0 193.222.100.0 255.255.255.0

This should not produce the warning above.

ehirsel
Level 6

Is your goal to have the 10.55.28/24 hosts appear on the outside with their inside ip address? If so, you should code nat (inside) 0 10.55.28.0 255.255.255.0

That's right. I need the 10.55.28/24 hosts untranslated at the outside. If the above code is the solution, then the documentation - or at least the samples - seem to be not correct. They point to the outside address. It's a little bit confusing...

Thanks!

The doc is confusing. The way I config my firewalls is not to do identity nat (nat (intf) 0 ip mask) but rather do this: nat (inside) 0 access-list acl-xxxx

to not translate the inside addresses.

How about trying this:

access-list acl_inside_nonat permit ip 10.55.28.0 255.255.255.0 193.222.100.0 255.255.255.0

and then coding nat (inside) 0 access-list acl_inside_nonat

and removing the nat (inside) 0 193.222.100.0 255.255.255.0

Then do a clear xlate. Note you should do the clear xlate even if you change to nat (inside) 0 10.55.28.0 255.255.255.0

This ought to work, and the examples on cisco are much more clear on the access-list or exception nat.

Let me know how it goes.
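An added example (not from the thread or from Cisco) that models the two checks discussed above: whether a 'nat (intf) 0 addr mask' line sits on a subnet boundary (the cause of the warning in the question), and whether a flow matches a NAT-exemption access list like acl_inside_nonat. The addresses are the ones from the thread; the ACL and the sample flows are constructed.

```python
import ipaddress

# Addresses from the thread: inside 10.55.28.0/24, outside 193.222.100.0/24.
INSIDE_NET = ("10.55.28.0", "255.255.255.0")
OUTSIDE_NET = ("193.222.100.0", "255.255.255.0")


def check_nat0_statement(addr: str, mask: str):
    """Model of the sanity check behind the PIX warning quoted in the question.

    'nat (intf) 0 <addr> <mask>' expects <addr> to be the network address for
    <mask>.  Returns (consistent, network): when inconsistent, network is the
    subnet the PIX falls back to ("... will be identity translated").
    """
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    consistent = ipaddress.IPv4Address(addr) == net.network_address
    return consistent, str(net)


def nonat_acl_matches(acl, src: str, dst: str) -> bool:
    """Evaluate a 'nat (inside) 0 access-list <name>' exemption.

    acl is a list of (src_net, src_mask, dst_net, dst_mask) tuples in
    PIX 6.3 access-list notation (real subnet masks, not wildcard masks).
    The first entry matching both source and destination exempts the flow;
    anything else is left to the normal nat/global translation rules.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for src_net, src_mask, dst_net, dst_mask in acl:
        if (s in ipaddress.IPv4Network((src_net, src_mask), strict=False)
                and d in ipaddress.IPv4Network((dst_net, dst_mask), strict=False)):
            return True
    return False


# Constructed NAT-exemption ACL equivalent to the one proposed in the thread.
ACL_INSIDE_NONAT = [INSIDE_NET + OUTSIDE_NET]

if __name__ == "__main__":
    for addr, mask in [("193.222.100.5", "255.255.255.0"), INSIDE_NET]:
        ok, net = check_nat0_statement(addr, mask)
        print(f"nat (inside) 0 {addr} {mask}: "
              f"{'ok' if ok else 'inconsistent, falls back to ' + net}")
    # 198.51.100.7 is a constructed off-subnet destination.
    for dst in ("193.222.100.26", "198.51.100.7"):
        exempt = nonat_acl_matches(ACL_INSIDE_NONAT, "10.55.28.10", dst)
        print(f"10.55.28.10 -> {dst}: exempt={exempt}")
```

Note that the proposed ACL only exempts traffic to the outside /24; flows to any other destination still go through the regular nat/global pair.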

Great - it works! Thank you very much!

The only little problem is now, that the PDM 3.0 tells me, that there is no translation rule for any host or network, if I add an access rule via this tool. What can we do here?

Thanks
