ICMP and NAT/PAT

How does PAT/NAT behave on ICMP packets if there is no ports such as udp/tcp?

Best regards

Francesco

Take a look at these documents

http://Tools.ietf.org/WG/behave/draft-ietf-behave-NAT-ICMP/draft-ietf-behave-NAT-ICMP-01-from-00.wdiff.html

http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093f96.shtml

Both will help you understand

HTH

Hoogen

Do rates if it help :)

Tags: Cisco Security

Similar Questions

  • Newbie user-NAT, PAT, the two PIX?

    Hello

    I'm test I set up my PIX 515e barriers make the lives of my users living hell, and I don't know I do NAT PAT or both.

    I have an internet connection through a cable modem that is currently connected to a Linksys router. I'll say goodbye to Linksys and use only the PIX.

    So my question is do I need to NAT or PAT from the outside to the inside and don't I need of NAT or PAT on the inside? To make that more complicated things that do, I do with my DMZ?

    A side not I currently use the linksys to the port before MS Office an interior workstation remotely, can I still do?

    Thanks for any help, somebody has.

    Marc

    Hi Marc,

    The document you need is:

    http://www.Cisco.com/warp/public/707/28.html

    Hope this helps and let me know if you need further information/assistance and good luck with CCNA.

    Thank you - Jay.

  • Allowing ICMP and Telnet via a PIX 525

    We are trying to build a new block of distribution to our backbone WAN. We are experiencing a problem when establishing ICMP and Telnet via the PIX. The following is known:

    1 Ping and telnet to the 6509 and internal network works very well for the PIX.

    2 Ping the 7206 for the PIX works just fine.

    3 debug normal to see activity track ICMP for connections ICMP for the PIX of the network 6509 and internal; However, the debug shows nothing - no activity - during attempts to ping at a.b.5.18. (see below).

    In short, all connections seem to be fine between the three devices, however, we can get ICMP and Telnet work correctly through the PIX.

    The layout is:

    6509 (MSFC) - PIX 525-7206

    IP:a.b.5.1 - a.b.5.2 a.b.5.17 - a.b.5.18

    255.255.255.0 255.255.255.240 255.255.255.240

    (both)

    networks: a.b.5.0 a.b.5.16

    255.255.255.240 255.255.255.240

    6509:

    interface VlanX

    Description newwan-bb

    IP address a.b.5.1 255.255.255.0

    no ip redirection

    router ospf

    Log-adjacency-changes

    redistribute static subnets metric 50 metric-type 1

    passive-interface default

    no passive-interface Vlan9

    ((other networks omitted))

    network a.b.5.0 0.0.0.255 area 0

    default information are created

    PIX 525:

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    nameif ethernet2 security10 failover

    hostname XXXXXX

    domain XXX.com

    fixup protocol ftp 21

    fixup protocol http 80

    fixup protocol h323 1720

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol sip 5060

    fixup protocol 2000 skinny

    names of

    access ip-list 102 permit a whole

    access-list 102 permit icmp any one

    access-list 102 permit icmp any any echo

    access-list 102 permit icmp any any echo response

    access-list 102 permit icmp any any source-quench

    access-list 102 permit everything all unreachable icmp

    access-list 102 permit icmp any one time exceed

    103 ip access list allow a whole

    access-list 103 allow icmp a whole

    access-list 103 permit icmp any any echo

    access-list 103 permit icmp any any echo response

    access-list 103 permit icmp any any source-quench

    access-list 103 allow all unreachable icmp

    access-list 103 allow icmp all once exceed

    pager lines 24

    opening of session

    timestamp of the record

    logging buffered stored notifications

    interface ethernet0 100full

    interface ethernet1 100full

    interface ethernet2 100full

    Outside 1500 MTU

    Within 1500 MTU

    failover of MTU 1500

    IP address outside a.b.5.17 255.255.255.240

    IP address inside a.b.5.2 255.255.255.240

    failover from IP 192.168.230.1 255.255.255.252

    alarm action IP verification of information

    alarm action attack IP audit

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

    Access-group 103 in external interface

    Route outside 0.0.0.0 0.0.0.0 a.b.5.18 1

    Route inside a.0.0.0 255.0.0.0 a.b.5.1 1

    Inside a.b.0.0 255.240.0.0 route a.b.5.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    enable floodguard

    No sysopt route dnat

    Telnet a.0.0.0 255.0.0.0 outdoors

    Telnet a.0.0.0 255.0.0.0 inside

    Telnet a.b.0.0 255.240.0.0 inside

    Telnet a.b.5.18 255.255.255.255 inside

    Telnet timeout 5

    SSH timeout 5

    Terminal width 80

    Recognizing any help on proper routing through a PIX 525, given that all this is for a network internal.

    on the 6509, why the int has a 24 subnet mask, when everything has a 28? If you try the 6500 ping.18, he thinks that it is on a local network, and there no need to route through the pix

    Your access lists are confusing.

    access-list # ip allowed any one should let through, and so everything that follows are redundant statements.

    for the test,.

    alloweverything ip access list allow a whole

    Access-group alloweverything in interface outside

    should the pix act as a router - you are effectively disabling all firewall features.

  • client ipSec VPN and NAT on the router Cisco = FAIL

    I have a Cisco 3825 router that I have set up for a Cisco VPN ipSec client.  The same router is NAT.

    ipSec logs, but can not reach the internal network unless NAT is disabled on the inside interface.  But I need both at the same time.

    Suggestions?

    crypto ISAKMP policy 3

    BA 3des

    preshared authentication

    Group 2

    !

    ISAKMP crypto client configuration group myclient

    key password!

    DNS 1.1.1.1

    Domain name

    pool myVPN

    ACL 111

    !

    !

    Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT

    !

    Crypto-map dynamic dynmap 10

    Set transform-set RIGHT

    market arriere-route

    !

    !
    list of card crypto clientmap client VPN - AAA authentication
    card crypto clientmap AAA - VPN isakmp authorization list
    client configuration address map clientmap crypto answer
    10 ipsec-isakmp crypto map clientmap Dynamics dynmap
    !

    interface Loopback0
    IP 10.88.0.1 255.255.255.0
    !
    interface GigabitEthernet0/0
    / / DESC it's external interface

    IP 192.168.168.5 255.255.255.0
    NAT outside IP
    IP virtual-reassembly
    automatic duplex
    automatic speed
    media type rj45
    clientmap card crypto
    !
    interface GigabitEthernet0/1

    / / DESC it comes from inside interface
    10.0.1.10 IP address 255.255.255.0
    IP nat inside<=================ipSec client="" connects,="" but="" cannot="" reach="" interior="" network="" unless="" this="" is="">
    IP virtual-reassembly
    the route cache same-interface IP
    automatic duplex
    automatic speed
    media type rj45

    !

    IP local pool myVPN 10.88.0.2 10.88.0.10

    p route 0.0.0.0 0.0.0.0 192.168.168.1
    IP route 10.0.0.0 255.255.0.0 10.0.1.4
    !

    IP nat inside source list 1 interface GigabitEthernet0/0 overload
    !
    access-list 1 permit 10.0.0.0 0.0.255.255
    access-list 111 allow ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 111 allow ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255

    Hello

    I think that you need to configure the ACL default PAT so there first statemts 'decline' for traffic that is NOT supposed to be coordinated between the local network and VPN pool

    For example, to do this kind of configuration, ACL and NAT

    Note access-list 100 NAT0 customer VPN

    access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255

    Note access-list 100 default PAT for Internet traffic

    access-list 100 permit ip 10.0.1.0 0.0.0.255 ay

    overload of IP nat inside source list 100 interface GigabitEthernet0/0


    EDIT:     seem to actually you could have more than 10 networks behind the router

    Then you could modify the ACL on this

    Note access-list 100 NAT0 customer VPN

    access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255

    Note access-list 100 default PAT for Internet traffic

    access-list 100 permit ip 10.0.1.0 0.0.255.255 ay

    Don't forget to mark the answers correct/replys and/or useful answers to rate

    -Jouni

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about the two Site to Site VPN IPSEC and NAT. basically what I want to achieve is to do the following:

    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting a static static is a Site to IPSEC VPN between sites. Guests residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure the NAT with IPSEC VPN for this host to 10.1.0.0/16 will communicate with hosts in 192.168.1.0/24 with translated addresses

    Just an example:

    N2 host (10.1.0.1/16) contacted N1 192.168.1.5 with destination host say 10.23.1.5 No 192.168.1.5 (notice the last byte is the same in the present case,.5)

    The translation still for the rest of the communication (host pings ip destination host 10.23.1.6 N3 N2 not 192.168.1.6 new last byte is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for the supplier of managed services where we have given our customers (Ipsec Site to Site VPN with NAT, don't know how it was setup)

    Basically we contact the customer via site-to-site VPN hosts but their real address were hidden and we used as translated address more high 10.23.1.0/24 instead of (real) 192.168.1.0/24, last byte must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK so went with the old format of NAT configuration

    It seems to me that you could do the following:

    • Configure the ASA1 with static NAT strategy

      • access-list L2LVPN-POLICYNAT allowed ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • public static 10.23.1.0 (inside, outside) access-list L2LVPN-POLICYNAT
    • Because the above is a static NAT of the policy, this means that the translation will be made only when the destination network is 10.1.0.0/16
    • If you have for example a PAT basic configuration to inside-> external traffic, the above NAT configuration and the custom of the actual configuration of PAT interfere with eachother
    • ASA2 side, you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
      • Note of the INTERIOR-SHEEP access-list SHEEP L2LVPN
      • the permitted INSIDE SHEEP 10.1.0.0 ip access list 255.255.0.0 10.23.1.0 255.255.255.0
      • NAT (inside) 0-list of access to the INTERIOR-SHEEP
    • You will need to consider that your access-list defining the VPN encrypted L2L traffic must reflect the new NAT network
      • ASA1: allowed to access-list L2LVPN-ENCRYPTIONDOMAIN ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: list L2LVPN-ENCRYPTIONDOMAIN allowed ip 10.1.0.0 access 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration to work tomorrow but I would like to know if it works.

    Please rate if this was helpful

    -Jouni

  • interesting question of the vpn site to site NAT/PAT traffic config

    I have an ASA 8.4.2 running code and am just checking the Site to site configs before migration of tunnel. more precisely if the NAT/PAT and ACL is correct. Phase 1 is already defined and work, as well as cryptographic maps and tunnel groups.

    When you set the traffic interesting in the ACL are you using NAT or the real IP? The order of the ACL is correct?

    First of all:

    The vedor network is a 192.168.1.10 and must be coordinated to 10.1.0.2

    name 5.6.7.8 VendorName object-group network VendorName-R network-object host 192.168.1.10 object-group network VendorName-NAT-R network-object host 10.1.0.2 object-group network VendorName-L network-object host 10.1.1.3 access-list VendorName-crypto extended permit ip object-group VendorName-L object-group VendorName-NAT-R nat (inside,outside) 1 source static VendorName-L VendorName-NAT-R destination static VendorName-R VendorName-R

    Second:

    Sellers network is 192.168.1.0 to 192.168.2.0, these must be PATed 10.1.0.2 and 10.1.0.3

    192.168.1.20 and 168.1.21 must be staticly using a NAT 10.1.0.4 and 10.1.0.5

    Name the SupplierName 5.6.7.8

    object-group network VendorName-R-1

    network-object subnet 192.168.1.0 255.255.255.0

    object-group network VendorName-R-2

    network-object subnet 192.168.2.0 255.255.255.0

    object-group network VendorName-R-3

    network-object host 192.168.1.20

    object-group network VendorName-R-4

    network-object host 192.168.1.21

    object-group network VendorName-NAT-R-1

    network-object host 10.1.0.2

    object-group network VendorName-NAT-R-2

    network-object host 10.1.0.3

    object-group network VendorName-NAT-R-3

    network-object host 10.1.0.4

    object-group network VendorName-NAT-R-4

    network-object host 10.1.0.5

    object-group network VendorName-R

    network-object VendorName-NAT-R-1

    network-object VendorName-NAT-R-2

    network-object VendorName-NAT-R-3

    network-object VendorName-NAT-R-4

    object-group network VendorName-L

    network-object host 10.1.1.3

    the object-Network 10.1.1.6 host

    VendorName-crypto allowed extended ip access-list object-VendorName-L Group VendorName-R

    NAT (inside, outside) 1 dynamic source VendorName-l VendorName-NAT-R-1 static destination VendorName-R-1 VendorName-R-1

    NAT (inside, outside) 1 dynamic source VendorName-l VendorName-NAT-R-2 static destination VendorName-R-2 VendorName-R-2

    NAT (inside, outside) 1 static source VendorName-l VendorName-NAT-R-3 of destination VendorName-R-3 static VendorName-R-3

    NAT (inside, outside) 1 static source VendorName-l VendorName-NAT-R-4 static destination VendorName-R-4 VendorName-R-4

    Your valuable traffic acl MUST be the IP NAT address.

  • VPN IPSec with no. - Nat and Nat - No.

    On a 6.3 (5) PIX 515 that I currently have an IPSec VPN configured with no. - nat, using all public IPs internally and on the remote control. Can I add two hosts to the field of encryption that have private IP addresses and NAT to the same public IP in the address card Crypto? What commands would be involved in this?

    Current config:

    -------

    ipsectraffic_boston list of allowed access host ip host PublicIP11 PublicIP1

    ipsectraffic_boston list of allowed access host ip host PublicIP22 PublicIP2

    outside2_outbound_nat0_acl list of allowed access host ip host PublicIP PublicIP

    card crypto mymap 305 correspondence address ipsectraffic_boston
    mymap 305 peer IPAdd crypto card game.
    mymap 305 transform-set ESP-3DES-SHA crypto card game
    life card crypto mymap 305 set security-association seconds 86400 4608000 kilobytes

    ---------

    I would add two IP private to the 'ipsectraffic_boston access-list' and have NAT to a public IP address, as the remote site asks that I don't use the private IP. This would save the effort to add a public IP address to my internal host.

    Thank you

    Dan

    Hello

    If for example you have an internal host 192.168.1.1 and you want NAT public IP 200.1.1.1 it address

    You can make a static NAT:

    (in, out) static 200.1.1.1 192.168.1.1

    And include the 200.1.1.1 in crypto ACL.

    Federico.

  • By PAT and NAT VPN

    We have a place where you want to set up a tunnel VPN to our headquarters.

    In this place, there is a router that PAT (NAT overloading), and then a few jumps more, there is a firewall that makes the NAT.

    Is this could pose a problem for the VPN tunnel?

    Here's a "pattern" of what looks like the connection.

    Customer--> PAT - router-->--> Internet--> CVPN3005 NAT firewall

    I hope you can provide me with an answer.

    VPN tunnel will not work in your scenario. NAT second change address and the ports you want to use for the vpn tunnel. So the port 500 wil be translated to top port and will be rejected at HQ.

  • Remote access ASA, VPN and NAT

    Hello

    I try to get access to remote VPN work using a Cisco VPN client and ASA with no split tunneling. The VPN works a little, I can access devices inside when I connect, but I can't access the Internet. I don't see any errors in the log ASA except these:

    1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
    1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/54918 dst outsidexx.xxx.xxx.xxx/53

    There is only one address public IP that is assigned to the external interface of DHCP. The Interior is 192.168.1.0/24 network which is PAT'ed to the external interface and the VPN network is 192.168.47.X.

    I think my problem is that the net.47 is not NAT'ed out properly and I don't know how to put in place exactly. I can't understand how this is supposed to work since the net VPN technically provenance from the outside already.

    Here are all the relevant config:

    list of vpn access extended permits all ip 192.168.47.0 255.255.255.0
    Within 1500 MTU
    Outside 1500 MTU
    IP local pool vpnpool 192.168.47.200 - 192.168.47.220 mask 255.255.255.0
    IP verify reverse path to the outside interface
    IP audit info alarm drop action
    IP audit attack alarm drop action
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow all outside
    Global interface (2 inside)
    Global 1 interface (outside)
    NAT (inside) 0-list of access vpn
    NAT (inside) 1 0.0.0.0 0.0.0.0
    NAT (outside) 2 192.168.47.0 255.255.255.0 outside
    static (inside, outside) tcp 3074 XBOX360 3074 netmask 255.255.255.255 interface
    static (inside, outside) udp 3074 XBOX360 3074 netmask 255.255.255.255 interface
    public static (inside, outside) udp interface 88 88 XBOX360 netmask 255.255.255.255
    public static tcp (indoor, outdoor) https someids netmask 255.255.255.255 https interface

    I can post more of the configuration if necessary.

    Change ' nat (outside) 2 192.168.47.0 255.255.255.0 apart ' "NAT (2-list of vpn access outdoors outside)" gives these:

    1 Jul 06:18:35 % gatekeeper ASA-3-305005: no group of translation not found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53

    So, how I do right NAT VPN traffic so it can access the Internet?

    A few things that needs to be changed:

    (1) NAT exemption what ACL must be modified to be more specific while the traffic between the internal subnets and subnet pool vpn is not coordinated. NAT exemption takes precedence over all other statements of NAT, so your internet traffic from the vpn does not work.

    This ACL:

    list of vpn access extended permits all ip 192.168.47.0 255.255.255.0

    Should be changed to:

    extensive list of access vpn ip 192.168.47.0 255.255.255.0 allow

    (2) you don't need statement "overall (inside) 2. Here's what to be configured:

    no nat (outside) 2 192.168.47.0 255.255.255.0 outside

    no global interface (2 inside)

    NAT (outside) 1 192.168.47.0 255.255.255.0

    (3) and finally, you must activate the following allow traffic back on the external interface:

    permit same-security-traffic intra-interface

    And don't forget to clear xlate after the changes described above and connect to your VPN.

    Hope that helps.

  • Problem with the VPN and NAT configuration

    Hi all

    I have a VPN tunnel and NATing participates at the remote site.

    I have the VPN tunnel from the absolutely perfect traffic from users, but I am struggling to manage the device via SNMP through the VPN tunnel.

    Remote subnet is 192.168.10.0/24

    That subnet gets PAT'd to 192.168.4.254/32

    The subnet to HQ is 10.0.16.0/24

    IP address of the ASA remote is 192.168.10.10

    Of course, as this subnet is NAT would have I created a static NAT so that the 192.168.4.253 translates 192.168.10.10.

    I can see that packets destined to the 192.168.4.253 device address comes to the end of the tunnel as long as the number of packets decrypted increases when you run a continuous ping to the device.

    However, the unit will not return these packages. The wristwatch that 0 packets encrypted.

    Please let me know if you need more information, or the output of the configuration complete.

    When I start a capture on the ASA remote, I don't see ICMP packets to reach the ASA REAL ip (192.168.10.10). Maybe I set my NAT evil?

    Also, there is no Interface inside, only an Interface outside. And the default route points to the next router ISP Hop on the external Interface.

    Hope that all of the senses.

    Thank you

    Mario Rosa

    No, unfortunately you can not NAT the ASA outside the IP of the interface itself.

  • ASA5505 SSL AnyConnect VPN and NAT Reverse Path failure

    I worked on it for a while and just have not found a solution yet.

    I have a Cisco ASA5505 Setup at home and I try to use the AnyConnect VPN client to it.  I followed the example of ASA 8.x split Tunnel but still miss me something.

    My home network is 10.170.x.x and I install the VPN address to 10.170.13.x pool I have a Windows workstation running at 10.170.0.6, printers 10.170.0.20 and 21 and inside the router itself is 10.170.0.1

    I can connect from the outside and am assigned an IP address of 10.170.13.10, but when I try to access network resources via ICMP or open a web page, the newspaper of the ASDM shows a bunch of this:

    5. January 27, 2010 | 10: 33:37 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:36 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33: 35 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:34 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:30 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:29 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:28 | 305013 | 10.170.255.255 | 137. Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 refused due to path failure reverse that of NAT
    5. January 27, 2010 | 10: 33:28 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:23 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:17 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10: 33: 13 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT
    5. January 27, 2010 | 10:33:07 | 305013 | 10.170.0.6 | Asymmetrical NAT rules matched for flows forward and backward; Connection for icmp src, dst outside: 10.170.13.10 inside: 10.170.0.6 (type 8, code 0) rejected due to the failure of reverse path of NAT

    I tried several things with NAT, but were not able to go beyond that.  Does anyone mind looking at my config running and help me with this?  Thanks a bunch!

    -Tim

    Couple to check points.

    name 10.17.13.0 UFP-VPN-pool looks like it should be the name 10.170.13.0 UFP-VPN-pool

    inside_nat0_outbound to access extended list ip allow list zero 255.255.0.0 255.255.255.0 UFP-VPN-pool

    Looks like that one

    inside_nat0_outbound to list extended ip access list zero UFP-VPN-pool 255.255.255.0 255.255.255.0 allow

  • Destination NAT/PAT pix

    I have a pix 506 (ver 6.3) running PAT for internet access. Now, I must create a VPN to a third party and need to NAT source ip addresses. Is it possible to have separate NAT basin which is only used when the destination is the third network (that uses private address). Basically, NAT based on destination ip address.

    You can also one-third have a vpn 3 k. Can they NAT my source ip when packets are decrypted at their end before sending them to the final destination with a LAN-to-LAN NAT rule. I don't know that I read somewhere that even if a static mapping on the NAT of LAN-to-LAN rule suggests for this, it won't work.

    Thanks in advance

    Jon

    You want "Policy NAT", which is described in the documentation for PIX 6.3 here:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/bafwcfg.htm#1113601

    The VPN 3000 not NAT in this sense, to do it in the PIX is your best option (only).

    HTH - good luck!

  • IPSEC and NAT

    I have a client that uses NAT to connect to the web. He wants to connect to a server on the web using IPSEC. This server has a static NAT entry.

    I fear that, due to the NAT process sitting between the hosts that the IPSEC tunnel will not work.

    Please notify.

    Assuming you are using ESP encapsulation, static NAT should work. PAT will have problems and encapsulation AH will not work. You will also need to open a conduit for incoming ESP and IKE (UDP 500) on the firewall.

  • Crossed, VPN and NAT

    Having a few problems and looking for suggestions.  Working document (http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_cli.pdf) on Pages 3-24 and 3-25.  In my lab configuration everything works except for be able to ping the management vpn for network bethind the second ASA.

    I exceeded the configs and checked vs examples, but of course miss me something.

    In the ASA2 VPN client.

    My configs are attached with a few parts cleaned.

    An ICMP trace says:

    Outside ICMP echo request: 10.10.120.1 outside: 192.168.16.50 ID = seq 2 = 12582 len = 32

    Run a trace of the package (entry packet - map out icmp 10.10.120.1 0 192.168.15.50 0) shows:

    Phase: 1

    Type:-ROUTE SEARCH

    Subtype: entry

    Result: ALLOW

    Config:

    Additional information:

    in 0.0.0.0 0.0.0.0 outdoors

    Phase: 2

    Type: ACCESS-LIST

    Subtype: Journal

    Result: ALLOW

    Config:

    Access-group OUTSIDE_IN in interface outside

    OUTSIDE_IN list extended access permit icmp any one

    Additional information:

    Phase: 3

    Type: NAT

    Subtype:

    Result: ALLOW

    Config:

    network retail_vpn object

    dynamic NAT interface (outdoors, outdoor)

    Additional information:

    Phase: 4

    Type: NAT

    Subtype: volatile

    Result: ALLOW

    Config:

    Additional information:

    Phase: 5

    Type: IP-OPTIONS

    Subtype:

    Result: ALLOW

    Config:

    Additional information:

    Result:

    input interface: outdoors

    entry status: to the top

    entry-line-status: to the top

    output interface: outside

    the status of the output: to the top

    output-line-status: to the top

    Action: drop

    Drop-reason: unable to NAT (nat-xlate-failure)

    Something is either not properly natted or the way back is a problem, but I can't put my finger on it.

    Anyone with suggestions

    Thank you

    Jerry

    Hello

    I guess there a typing error in the destination IP address "packet - trace" because I can't find a reference to this subnet/IP configuration.

    You can try the "package Tracker" in a slightly different format

    entry Packet-trace out icmp 10.10.120.1 8 192.168.16.50 0

    The difference are the Type and Code numbers after the source IP address. Now, it simulates an echo ICMP message. The previous format of the order could have caused the failure NAT result.

    I guess you try to convey the L2L VPN connection traffic.

    Then you are already seem to have the right configuration of NAT. But it seems to me that you are missing also those source/destination configuration VPN L2L network.

    permit access list extended ip object retail_vpn object riverroad_inside vpn_inside

    Even on the ASA1

    permit access list extended ip object riverroad_inside object retail_vpn vpn_inside

    Can check you the above things and let me know if those who helped with the situation.

    -Jouni

  • PIX 501 NAT / PAT problem

    Have a 501 for a client configuration. All works well for a few minutes and they the PC can't get out the firewall. Looks like the NAT works very well but the PAT do not hit.

    This part of the config, I received an example of cisco.

    Can someone help me?

    Thank you

    Fred

    With less than 25 PCs behind the PIX you won't have to worry about memory problems. You will have to look for good of licensing issues. The default 501 supoprts 10 users license and can be upgraded to support 50 users - still no need to worry about memory.

    Regarding the counters on the PIX, I usually recommend to leave all timers with settings by default unless you are having problems and TAC allows you to change them.

    -Mark

Maybe you are looking for