
Static NAT problem

skot999
I have a Cisco PIX 515e... and I have successfully used NAT from my private network to the internet without problems... except for 1 certain IP address. The private IP will not translate to this IP when going outside. I have tried changing the private IP a couple of times w/o success... and have verified the outside IP is not in use elsewhere. Any ideas why the PIX is having a problem with this address only? Any advice is appreciated. Thanks.
 
Config?

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
The outside address with the problem is xxx.xxx.163.230 - thanks for any help you give me.

Building configuration...

: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4

domain-name xxxx.xxx.xxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names


pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RemoteAddresses 192.168.1.150-192.168.1.200

pdm history enable
arp timeout 14400
global (outside) 10 xxx.xxx.163.75-xxx.xxx.163.150 netmask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (intf2) 0 access-list no-nat-list
static (inside,outside) xxx.xxx.163.69 192.168.1.111 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.138 192.168.1.112 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.139 192.168.1.113 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.245 192.168.1.103 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.246 192.168.1.104 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.247 192.168.1.105 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.248 192.168.1.106 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.249 192.168.1.107 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.250 192.168.1.109 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.251 192.168.1.110 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.117 192.168.1.114 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.99 192.168.1.172 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.163.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.20 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
isakmp enable outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local RemoteAddresses
vpdn group PPTP-VPDN-GROUP client configuration dns uriDNS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username VPNuser password *********
vpdn enable outside
dhcpd address 192.168.1.25-192.168.1.100 inside

dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:f8435e7e310ef271056d148d55bfd596
: end
[OK]

 
global (outside) 10 xxx.xxx.163.75-xxx.xxx.163.150 netmask 255.255.255.0
static (inside,outside) xxx.xxx.163.69 192.168.1.111 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.138 192.168.1.112 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.139 192.168.1.113 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.245 192.168.1.103 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.246 192.168.1.104 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.247 192.168.1.105 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.248 192.168.1.106 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.249 192.168.1.107 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.250 192.168.1.109 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.251 192.168.1.110 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.117 192.168.1.114 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.99 192.168.1.172 netmask 255.255.255.255 0 0

I don't see any translation for xxx.xxx.163.230.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
global (outside) 10 xxx.xxx.163.75-xxx.xxx.163.150 netmask 255.255.255.0
static (inside,outside) xxx.xxx.163.69 192.168.1.111 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.138 192.168.1.112 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.139 192.168.1.113 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.245 192.168.1.103 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.246 192.168.1.104 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.247 192.168.1.105 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.248 192.168.1.106 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.249 192.168.1.107 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.250 192.168.1.109 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.251 192.168.1.110 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.117 192.168.1.114 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.99 192.168.1.172 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.163.230 192.168.1.144 netmask 255.255.255.255 0 0
 
Okay, so now you've added that static! I presume that it works now?

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Actually no, this was the original problem... it appears there... but doesn't work. Also, when I add the internal IP to the machine, the firewall doesn't even let me past it anymore. Any ideas? Thoughts?
 
Do all the other statics work okay? Can you post a "route print" from 192.168.1.144? On this internal machine, can you see the MAC address of the firewall? Can you ping the firewall? When you try to connect, do a "show xlate" on the firewall and post the results.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Yes, I can ping the firewall from the machine. Here is the route print from 192.168.1.144. Below that is the show xlate from the firewall. Thanks for all your help!!!


IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x30003 ...00 b0 d0 22 5c c6 ...... 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
===========================================================================
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway        Interface      Metric
0.0.0.0              0.0.0.0          192.168.1.1    192.168.1.144  1
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
192.168.1.0          255.255.255.0    192.168.1.144  192.168.1.144  20
192.168.1.144        255.255.255.255  127.0.0.1      127.0.0.1      20
192.168.1.255        255.255.255.255  192.168.1.144  192.168.1.144  20
224.0.0.0            240.0.0.0        192.168.1.144  192.168.1.144  20
255.255.255.255      255.255.255.255  192.168.1.144  192.168.1.144  1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None



---------------------------------------------


Result of firewall command: "show xlate"

25 in use, 28 most used
Global xxx.xxx.163.251 Local 192.168.1.110
Global xxx.xxx.163.95 Local 192.168.1.33
Global xxx.xxx.163.138 Local 192.168.1.112
Global xxx.xxx.163.246 Local 192.168.1.104
Global xxx.xxx.163.250 Local 192.168.1.109
Global xxx.xxx.163.106 Local 192.168.1.44
Global xxx.xxx.163.90 Local 192.168.1.121
Global xxx.xxx.163.76 Local 192.168.1.45
Global xxx.xxx.163.248 Local 192.168.1.106
Global xxx.xxx.163.99 Local 192.168.1.172
Global xxx.xxx.163.100 Local 192.168.1.31
Global xxx.xxx.163.91 Local 192.168.1.126
Global xxx.xxx.163.80 Local 192.168.1.27
Global xxx.xxx.163.81 Local 192.168.1.25
Global xxx.xxx.163.84 Local 192.168.1.26
Global xxx.xxx.163.245 Local 192.168.1.103
Global xxx.xxx.163.97 Local 192.168.1.34
Global xxx.xxx.163.139 Local 192.168.1.113
Global xxx.xxx.163.75 Local 192.168.1.49
Global xxx.xxx.163.230 Local 192.168.1.144
Global xxx.xxx.163.105 Local 192.168.1.96
Global xxx.xxx.163.249 Local 192.168.1.107
Global xxx.xxx.163.247 Local 192.168.1.105
Global xxx.xxx.163.69 Local 192.168.1.111
Global xxx.xxx.163.117 Local 192.168.1.114
 
Well, it appears to be doing the translation ..

Global xxx.xxx.163.230 Local 192.168.1.144

Can you check on the router in front of the pix and do a "sh arp" to see if the router has the proxy arp address of xxx.xxx.163.230?

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
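
The checks this thread works through by hand (is there a static for the address, is the global address used elsewhere, does "show xlate" list the pair), as an added example that is not part of the original posts. The config and xlate text are constructed, with 203.0.113.x standing in for the masked addresses, and `triage` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample in the thread's layout; 203.0.113.0/24 is a documentation
# range used in place of the masked xxx.xxx.163.x addresses.
CONFIG = """\
global (outside) 10 203.0.113.75-203.0.113.150 netmask 255.255.255.0
static (inside,outside) 203.0.113.69 192.168.1.111 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.230 192.168.1.144 netmask 255.255.255.255 0 0
"""
XLATE = """\
Global 203.0.113.69 Local 192.168.1.111
Global 203.0.113.230 Local 192.168.1.144
"""

STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask", re.M)
POOL_RE = re.compile(r"^global \(\w+\) \d+ (\S+)-(\S+)", re.M)
XLATE_RE = re.compile(r"^Global (\S+) Local (\S+)", re.M)


def triage(config, xlate, global_ip, local_ip):
    """Return findings for one global/local static NAT pair (hypothetical helper)."""
    ip = ipaddress.ip_address
    findings = []
    statics = STATIC_RE.findall(config)  # list of (global, local) tuples

    # 1. Is there a static for the global address, and does it point at our host?
    owners = [loc for glob, loc in statics if glob == global_ip]
    if not owners:
        findings.append("no static for global address")
    elif owners != [local_ip]:
        findings.append("global address mapped to: " + ", ".join(owners))

    # 2. Is the global address also inside a dynamic pool ("in use elsewhere")?
    for lo, hi in POOL_RE.findall(config):
        if ip(lo) <= ip(global_ip) <= ip(hi):
            findings.append(f"global address inside dynamic pool {lo}-{hi}")

    # 3. Does the translation table show the expected pair?
    if (global_ip, local_ip) not in XLATE_RE.findall(xlate):
        findings.append("no matching entry in show xlate")

    # Config and xlate agree: the firewall is translating, so the next place
    # to look is the ARP table on the router in front of it.
    if not findings:
        findings.append("static and xlate agree; check ARP on upstream router")
    return findings


if __name__ == "__main__":
    for line in triage(CONFIG, XLATE, "203.0.113.230", "192.168.1.144"):
        print(line)
```
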
 