04-07-2014 08:24 AM - edited 03-11-2019 09:02 PM
Hi Guys
I've created a policy NAT on a PIX 515E.
I'm trying to NAT a group of IPs from the outside to a PAT on the inside.
I can see packets hitting a capture on the outside but nothing on an inside capture.
As an example, I want 10.1.1.1 to go through from the outside to the inside on PAT 172.16.10.10.
config:
object-group network VMWARE-MGMT
network-object host 10.1.1.1
object-group network VMWARE-HOSTS
network-object host 172.16.5.10
object-group service VMWARE-TCP tcp
port-object eq 902
port-object eq 903
port-object eq 22
port-object eq 443
access-list 101 permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP
access-group 101 in interface outside
access-list acl_vmware permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP
nat (outside) 10 access-list acl_vmware
global (inside) 10 172.16.10.10
route inside 172.16.0.0 255.255.0.0 172.16.1.1
172.16.1.1 is the next hop (router). Is there something wrong with the NAT?
Thanks
04-07-2014 12:25 PM
Hi Michael,
What you are trying to do is dynamic PAT, and in this we can't specify the source port.
Please try not using a port in the ACL:
access-list acl_vmware permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP
Instead of this, use IP-based classification to classify the source to be PATed.
This is because it is dynamic PAT that you are using, so you can't specify a source port on it.
So instead of the above, use:
access-list acl_vmware permit ip object-group VMWARE-MGMT object-group VMWARE-HOSTS
Please rate if helpful
cheers
Naveen
04-08-2014 03:38 AM
Thanks Naveen, I believe that fixed the issue.
I did still have problems until I created a no-NAT for the return traffic. I just couldn't see what was going on with the PIX.
Thanks again. much appreciated.
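As an added example, not configuration from the original thread: the block below collects Naveen's fix (an IP-only NAT classification ACL) together with the unchanged interface ACL and the nat/global pair from Michael's post, and ends with the show commands used to confirm that a translation is actually built. Addresses, object-group names and ACL names are the ones from the thread. The trailing `outside` keyword on the nat command is an assumption: it is how PIX 6.3 and ASA releases up to 8.2 mark a rule as outside NAT, the original post did not use it, so drop it if your version rejects it. The no-NAT rule Michael added for the return traffic is not shown, because the post does not give its form.

```cisco
! Added example (not from the original thread). Corrected outside-to-inside
! dynamic policy PAT for the addresses used in the thread, followed by checks.

! 1. Interface ACL: this is where the port restriction belongs. Unchanged
!    from the original post; it still admits only TCP 22/443/902/903 from
!    10.1.1.1 to the ESXi host 172.16.5.10.
object-group network VMWARE-MGMT
 network-object host 10.1.1.1
object-group network VMWARE-HOSTS
 network-object host 172.16.5.10
object-group service VMWARE-TCP tcp
 port-object eq 902
 port-object eq 903
 port-object eq 22
 port-object eq 443
access-list 101 permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP
access-group 101 in interface outside

! 2. NAT classification ACL: IP-based only, as the answer recommends.
!    Remove the tcp/port version from the original post first so the
!    dynamic PAT rule is not left matching on ports.
no access-list acl_vmware permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP
access-list acl_vmware permit ip object-group VMWARE-MGMT object-group VMWARE-HOSTS

! 3. Outside-to-inside dynamic PAT: every outside source matched by
!    acl_vmware appears on the inside as 172.16.10.10.
!    ASSUMPTION: the trailing "outside" keyword (outside NAT marker on
!    PIX 6.3 / ASA <= 8.2); the original post omitted it.
nat (outside) 10 access-list acl_vmware outside
global (inside) 10 172.16.10.10
route inside 172.16.0.0 255.255.0.0 172.16.1.1

! 4. Verify on the PIX after 10.1.1.1 opens a connection (e.g. to 443):
clear xlate
show nat
show xlate
!   expect a PAT entry translating 10.1.1.1 to 172.16.10.10
show access-list 101
!   the hit count on the matching ACE should increase
```

Because the port match now lives only in access-list 101, widening the NAT ACL to `permit ip` does not widen what 10.1.1.1 can reach: the interface ACL still permits only TCP 22, 443, 902 and 903 to 172.16.5.10. One side effect of PATing outside sources behind a single inside address is that the ESXi host sees every management connection as coming from 172.16.10.10, so attribution of who connected has to come from the PIX's xlate table or syslog rather than from the host's own logs.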