08-19-2004 04:07 AM - edited 02-20-2020 11:34 PM
I have a PIX-525-UR, PIX OS 6.2(2) with several interfaces.
Having a problem getting one IP on a DMZ to be able to use two different NAT rules, one to a DMZ with a lower security level and another one to the outside.
like this:
nameif ethernet0 outside security0
nameif ethernet1 dmz1 security30
nameif ethernet2 dmz2 security25
nat (dmz1) 2 10.0.0.3 netmask 255.255.255.255 0 0
nat (dmz1) 1 10.0.0.0 netmask 255.255.255.0 0 0
global (outside) 1 interface
global (dmz2) 2 interface
NAT traversal to the outside works fine for all hosts on the 10.0.0.0/24 except those IPs specified in the NAT rule to the dmz2 interface. It seems like the PIX cannot handle more than one NAT rule for each source address.
Has anyone seen this before? It seems to me that it is a limitation in the PIX OS on how many NAT rules can be used for the same source address.
Thanks in advance.
This is the SYSLOG message generated from the PIX:
%PIX-3-305006: portmap translation creation failed for tcp src dmz1:10.0.0.x/yyyyy dst outside:<some-address>/<port>
However, reading the explanation of the message type at: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm#wp1020540
doesn't help me much.
08-19-2004 06:09 AM
This will work fine actually. The problem is that you do not have a corresponding 'global (outside) 2
global (outside) 2 interface
and see if that helps. It is important to remember that translations are created using the source and destination interfaces so you can have multiple translations for one source provided they have different destination interfaces.
Let me know if this is not clear.
Scott
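A small model of the pairing rule Scott describes (a translation is looked up by source interface, nat id and destination interface, so the nat id needs a matching global on the destination interface), added here as an illustration and not part of the original thread. It assumes, as a simplification, that the most specific nat statement wins for a source address, and it does not model why the PIX rejects a second "global (outside) ... interface" line, which the thread leaves open.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of PIX 6.x nat/global pairing. Assumptions (not from the
# thread): the most specific nat statement wins, and creating a translation
# requires a global with the same id on the destination interface.

@dataclass(frozen=True)
class NatRule:
    iface: str                       # source interface in "nat (iface) id ..."
    nat_id: int
    network: ipaddress.IPv4Network

@dataclass(frozen=True)
class GlobalPool:
    iface: str                       # destination interface in "global (iface) id ..."
    nat_id: int
    address: str                     # "interface" or a pool address

def parse_config(lines):
    """Parse the nat/global lines of a PIX config into rule objects."""
    nats, pools = [], []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nat":
            net = ipaddress.IPv4Network(f"{parts[3]}/{parts[5]}", strict=False)
            nats.append(NatRule(parts[1].strip("()"), int(parts[2]), net))
        elif parts[0] == "global":
            pools.append(GlobalPool(parts[1].strip("()"), int(parts[2]), parts[3]))
    return nats, pools

def translate(nats, pools, src_iface, src_ip, dst_iface):
    """Return ('ok', nat_id) or ('failed', reason) for one new connection."""
    ip = ipaddress.IPv4Address(src_ip)
    candidates = [n for n in nats if n.iface == src_iface and ip in n.network]
    if not candidates:
        return "failed", "no nat rule for source"
    best = max(candidates, key=lambda n: n.network.prefixlen)
    if any(g.iface == dst_iface and g.nat_id == best.nat_id for g in pools):
        return "ok", best.nat_id
    # this is the situation behind the %PIX-3-305006 "translation creation failed" log
    return "failed", f"no global ({dst_iface}) {best.nat_id}"

CONFIG = [  # the original poster's configuration, quoted from the thread
    "nat (dmz1) 2 10.0.0.3 netmask 255.255.255.255 0 0",
    "nat (dmz1) 1 10.0.0.0 netmask 255.255.255.0 0 0",
    "global (outside) 1 interface",
    "global (dmz2) 2 interface",
]
```

Running `translate(*parse_config(CONFIG), "dmz1", "10.0.0.3", "outside")` reproduces the failure for the host-specific rule, while 10.0.0.10 to the outside and 10.0.0.3 to dmz2 both succeed.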
08-19-2004 11:14 PM
Thanks.
That makes sense to me, and is also how I expected it to be. However, it doesn't work exactly that way; maybe I have misunderstood something. But anyway, this is what I get typing the command you suggested:
pix1(config)# global (outside) 2 interface
Usage: [no] global [(
The PIX just doesn't accept the command. If I change the command to another interface, (dmz3) which has security level 20, it works:
nameif ethernet4 dmz3 security20
pix1(config)# global (dmz3) 2 interface
dmz3 interface address added to PAT pool
Please let me know if you have some suggestions, and thanks again for helping.