Syslog message 106011 vs 106023 with PAT/NAT

rj
Level 1

Observations:

When a packet from the Internet is destined to a PAT global address and is blocked by an ACL, a syslog error message of PIX-3-106011 is generated. This is because the packet originated from the host on the outside and is directed to a host on the outside subnet of the PIX, IP redirect, which the PIX does not allow.

When a packet from the Internet is destined to a NAT global address and is blocked by an ACL, a syslog warning message of PIX-4-106023 is generated. This is because the packet originated from the host on the outside and is destined to a global NAT address which is interpreted by the PIX as the global address being on the inside interface. So a normal warning instead of an error is generated because the packet is seen to be travelling from the outside interface to the inside interface.

1. Is this normal behavior?

2. Why is the NAT global address seen as being on the inside instead of the outside interface like the PAT address?

3. I thought if the IP address of a host was in the same subnet as a particular PIX interface, then syslog would always see that host as on that interface. I have noticed this not to be the case on IPSEC site to site hub and spoke topologies.

Example PIX setup:

inside - 192.168.1.1/24

DMZ - 172.16.1.1/24

outside - 10.10.10.1/24

route inside 172.17.1.0 255.255.255.0 192.168.1.3

When a packet is travelling from 172.17.1.10 (remote subnet via a VPN tunnel) to 10.10.10.10, sometimes it will be denied because the PIX sees the 10.10.10.10 host as on the inside as well. This causes a no xlate 106011 error message and denies the packet. I have seen this when doing traceroutes in VPN setups. Do I need to involve additional routes to another internal router to overcome this problem?

Can someone help with this scenario?

Thanks,

RJ
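As an added example (not part of the original thread), a small Python triage script that separates the two messages described above: it parses constructed 106011 and 106023 lines laid out the way the PIX 6.x syslog reference documents them (the field layout is an assumption taken from that reference, not from this post) and flags 106011 denies where source and destination interface are the same, which is the no-xlate / IP-redirect case the post describes.

```python
import re
from typing import Optional

# Constructed sample lines (not captured from a real PIX) in the assumed
# PIX 6.x layout: 106011 "Deny inbound (No xlate)" and 106023 ACL deny,
# plus one unrelated message that the triage must ignore.
SAMPLE_LOGS = [
    "%PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.5/40211 dst outside:10.10.10.10/80",
    '%PIX-4-106023: Deny tcp src outside:203.0.113.5/40212 dst inside:192.168.1.20/80 by access-group "outside_in"',
    "%PIX-3-106011: Deny inbound (No xlate) udp src inside:172.17.1.10/33434 dst inside:10.10.10.10/33435",
    "%PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.9/443 ...",
]

# Common prefix of both deny messages: id, optional "(No xlate)" marker,
# protocol, then interface:ip/port for source and destination.
LINE_RE = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>106011|106023): Deny (?:inbound \(No xlate\) )?(?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def classify(line: str) -> Optional[dict]:
    """Parse one syslog line; return a dict for 106011/106023, None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None  # not one of the two deny messages we triage
    d = m.groupdict()
    if d["msgid"] == "106011":
        # No translation slot matched. When both interfaces are the same the
        # PIX believed the destination lay on the interface the packet arrived
        # on (the PAT-global / VPN-spoke case in the post), i.e. a redirect.
        reason = "no_xlate_same_interface" if d["sif"] == d["dif"] else "no_xlate"
    else:
        # 106023: a translation existed (NAT global mapped to the inside),
        # so the packet crossed interfaces and the ACL denied it.
        reason = "acl_deny"
    return {"msgid": d["msgid"], "proto": d["proto"], "src_if": d["sif"], "dst_if": d["dif"],
            "src": f'{d["sip"]}/{d["sport"]}', "dst": f'{d["dip"]}/{d["dport"]}', "reason": reason}


def triage(lines):
    """Classify every line, dropping messages that are not 106011/106023."""
    return [c for c in (classify(line) for line in lines) if c]


def count_by_reason(events):
    """Tally classified events by reason, e.g. for a quick daily summary."""
    counts = {}
    for e in events:
        counts[e["reason"]] = counts.get(e["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    for event in triage(SAMPLE_LOGS):
        print(event)
    print(count_by_reason(triage(SAMPLE_LOGS)))
```

A burst of `no_xlate_same_interface` events for an outside address with no static or PAT entry usually means a scan or a misconfigured translation rather than a real inbound flow, which is what the different severities (3 vs 4) are hinting at.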

2 Replies

b.hsu
Level 5

The following document elaborates on the syslog messages. It might help you.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm

Thanks for the response.

I have read all the docs on syslogs. But I do not understand why a global NAT address is considered to reside on the inside interface and a global PAT address is considered to reside on the outside interface. Is it because PAT does not know what particular internal IP address to translate?