PIX 515e with two internal networks; PAT problems

gullevek1 · ‎04-26-2005

Hi,

I have PIX 515e with OS 6.3(4) and I have one outside and two inside networks.

right now I have these settings (config excerpt):

...

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 half security50

...

access-list inside_access_in permit ip any any log interval 1

access-list half_access_in permit ip any any log interval 1

access-list outside_access_in permit ip any any log interval 1

...

global (outside) 10 interface

global (inside) 10 interface

global (half) 10 interface

nat (inside) 10 192.168.0.0 255.255.0.0 0 0

nat (half) 10 172.16.0.0 255.255.0.0 0 0

...

when I have this, I can access the internet from both sides, and I can access half from inside. But when I try to access inside from half it doesn't work (of course lower sec to higher). So I try to add this:

...

nat (half) 10 172.16.0.0 255.255.0.0 outside 0 0

...

but then I can't connect from inside to half anymore and I get "305005 No translation" error messages.

What do I do wrong? How can i have bi-directional PAT for the half interface.

sachinraja · ‎04-27-2005

hello gullevek

for accessing from half to inside, you need to do a nonat for the traffic between these two networks... do the following and try:

nat (inside) 0 access-list nonat

access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0

remove the second nat statement u had added.

no nat (half) 10 172.16.0.0 255.255.0.0 outside 0 0

dont have an ip any any access-list. i hope this is just for testing..

Raj

gullevek1 · ‎04-29-2005

So there is no way, that the traffic from Half to Inside gets also Masqueraded (PAT, with nat ... outside?).