Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Another PAT question...

Status
Not open for further replies.
ignorante

ignorante

IS-IT--Management
May 11, 2001
8
0
0
MX
Hi all,
Hope you can help me.... I have a problem with PAT on a PIX 515. The configuration includes the following lines:
ip address inside 172.20.1.1 255.255.255.0
ip address dmz 172.25.1.1 255.255.255.0
ip address outside 192.168.1.2 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 172.25.1.0 255.255.255.0 0 0
static (inside,dmz) 172.20.1.0 172.20.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) 192.168.1.4 172.25.1.2 netmask 255.255.255.255 0 0
global (outside) 1 192.168.1.3
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
The mail server on the dmz is receiving normally, and users on the inside netwok can browse any site but in some cases browsing at specific sites like they got a permanent "Not found" error. In other words, there is no traffic of any type from my inside network to those specific sites. Before this configuration, i have PAT on the router (192.168.1.1) and nat (inside) 0 0 0 0 0 with no problems. My dns is resolving correctly.
Browsing at cisco.com, i found the following:
"IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the PIX. To create reverse DNS mappings, use a DNS Pointer (PTR) record in the address-to-name mapping file for each global address. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests fail consistently."
The ptr entries for the global address were created, but the problem stills.
Any suggestions?
Thanks in advance!
 
Sort by date Sort by votes
HI.

It seems like you're having dual PAT - one at the pix and another PAT at the router. Am I correct?
If so, I highly recommend that you'll get registered ip addressese from your ISP for the network between the router and the pix.

Did you try implementing an internal DNS server on one of your servers?

Can you post here a diagram of your network and TCP/IP addressing?

Bye

Yizhar Hurwitz
 
Upvote 0 Downvote
Hi Yizhar, thanks for your answer.
Yesterday i've tested the same config with another ISP, and the problem simply dissapears. Anyway, that was just a test... the problem stills with the original ISP. There is no PAT at the router, only at PIX, and the IP addresses for router and pix are registered IP addresses from my ISP's in both cases (the ip's listed in the first post are just for illustration). I have an internal DNS, and this one asks to my primary DNS, using a third ISP. Then, there is no problems of resolution. The routing at the internal network is ok too. The diference was that the PTR records for the global pix IP addreses were not modified before the test with the second ISP....
|
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
149
intel233
intel233
markd885
  • Locked
  • Question
PAC file redirect web page to another gateway
Replies
0
Views
45
markd885
markd885
NoCoolHandle
  • Locked
  • Question
TLS 1.0 vrs TLS 1.1 vrs 1.2 connection strategy question
Replies
1
Views
44
ChrisHirst
ChrisHirst
J001
  • Locked
  • Question
Checkpoint Upgrade Question
Replies
0
Views
29
J001
J001
nosebreaker
  • Locked
  • Question
8.4 PAT/NAT question
Replies
1
Views
35
burtsbees
burtsbees

Part and Inventory Search

Sponsor

Back
Top