Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
4
Replies

Problem with PAT

scottholwerda
Level 1
Level 1

‎10-28-2003 06:41 AM - edited ‎03-02-2019 11:18 AM

We are running PAT for the internal network host. However, we are unable to connect to one paticular website using any PC that uses PAT. The Servers that have a static NAT translation are able to connect without a problem. The issue is not related to DNS. If we ping from a PC that is unable to see the website we receive replys that state "Destination net unreachable". The PAT and NAT translations are taking place on a PIX 525 firewall. Has anyone else ever had a similar problem?

Labels:
0 Helpful
4 Replies 4

thisisshanky
Level 11
Level 11

‎10-28-2003 07:12 AM

Scott,

For ping replies to come back, have you allowed icmp inbound? What response do you get when you ping reachable websites. Can you input partial traces of your configs ? When you try to access this website, give a show xlate on the pix and see if the PAT translation is taking place or not.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful

scottholwerda
Level 1
Level 1
In response to thisisshanky

‎10-28-2003 12:15 PM

thisishanky,

Yes, icmp is allowed inbound:

access-list 101 permit icmp any any echo

access-list 101 permit icmp any any source-quench

access-list 101 permit icmp any any unreachable

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any echo-reply

When I ping reachable websites I recieve a good responce. I ran the show xlate command after accessing both reachable websites and the unreachable website and the PAT translation looks sucessful.

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

.

.

access-group 101 in interface outside

access-group inside in interface inside

.

.

timeout xlate 1:30:00

0 Helpful

preddyi
Level 3
Level 3

‎10-28-2003 02:50 PM

1.From where you are getting message "Destination net unreachable" messages ?

2.Wether Stattically NATed servers, and the pc's getting PATed in PIX are hosted in same zone?

3.PAT, NAT IP address are they from same pool?

0 Helpful

scottholwerda
Level 1
Level 1
In response to preddyi

‎10-28-2003 04:33 PM

1. The "Destination net unreachable" messages seem to come from the router at the destination network. I can trace the route out to our Internet cloud past the firewall before I lose it on the PATed PCs, but the NATed PCs can trace to the destination.

2. All the PCs are in the same zone wether they are NATed or PATed.

3. The PAT addresses are using one ip address that is the same as the outside interface of the Pix. The statically NATed servers use external addesses from the rest of our range of external ip addresses.

0 Helpful
Customers Also Viewed These Support Documents