cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
358
Views
0
Helpful
2
Replies

pix nat problem

mickyq
Level 1
Level 1

Hi Guys

ive created a policy nat on a pix 515E.

Im trying to nat a group of ip's from the outside to a pat on the inside.

I can see packets hitting a capture on the outside but nothing on an inside capture.

As an example I want 10.1.1.1 to go through from the outside to the inside on pat 172.16.10.10

 

config:

object-group network VMWARE-MGMT
network-object host 10.1.1.1

object-group network VMWARE-HOSTS
network-object host 172.16.5.10

object-group service VMWARE-TCP tcp
port-object eq 902
port-object eq 903
port-object eq 22
port-object eq 443

access-list 101 permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP

access-group 101 in interface outside

access-list acl_vmware permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP
 

nat (outside) 10 access-list acl_vmware

global (inside) 10 172.16.10.10

route inside 172.16.0.0 255.255.0.0 172.16.1.1

 

172.16.1.1 is the next hop (router). Is there something wrong with the nat?

thanks

 

1 Accepted Solution

Accepted Solutions

naveenrawat007
Level 1
Level 1

Hi michael,

what you are trying to do is dynamic pat, and in this we can't specify the source port.

 

Please try not using port in the ACL 

access-list acl_vmware permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP

 

instead of this use ip based classification to classify the source to be patted

It is so because this is dynamic PAT that you are using so you cant specify source port on this.

 

so instead of above use:

 

access-list acl_vmware permit ip object-group VMWARE-MGMT object-group VMWARE-HOSTS

 

Please rate if helpful

 

cheers

Naveen

Hope it helps Cheers, Naveen Please Rate Helpful posts.

View solution in original post

2 Replies 2

naveenrawat007
Level 1
Level 1

Hi michael,

what you are trying to do is dynamic pat, and in this we can't specify the source port.

 

Please try not using port in the ACL 

access-list acl_vmware permit tcp object-group VMWARE-MGMT object-group VMWARE-HOSTS object-group VMWARE-TCP

 

instead of this use ip based classification to classify the source to be patted

It is so because this is dynamic PAT that you are using so you cant specify source port on this.

 

so instead of above use:

 

access-list acl_vmware permit ip object-group VMWARE-MGMT object-group VMWARE-HOSTS

 

Please rate if helpful

 

cheers

Naveen

Hope it helps Cheers, Naveen Please Rate Helpful posts.

mickyq
Level 1
Level 1

Thanks Naveen, I beleive that fixed the issue.

I did still had problems until I created a no nat for the return traffic. I just couldnt see what was going on with the PIX.

 

Thanks again. much appreciated.

Review Cisco Networking for a $25 gift card