Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Static NATs kill Internet 2

Status
Not open for further replies.
Speaker

Speaker

MIS
Sep 5, 2001
72
US
I've done many static NATs on my company's PIX 515 5.3(1). Starting this past Friday, creating a new static NAT prevents the NATed maching from connecting to the Internet. It resolves the IP address, says "connecting to [WWW IP], then gives me a page cannot be displayed error.

If I remove the NAT and restart the PIX, Internet connectivity returns after about 10 minutes.

No canges have been made to the PIX beyond turning off logging last month when it started looping to a machine that was no longer on the network.

Current NATed machines are still able to connect to the Internet, but I haven't tried removing and re-setting the NATs for those machines because I suspect they'll stop working as well.

Any ideas?

TIA
 
Sort by date Sort by votes
HI.

You probably have a problem with the registered IP address.
Check the perimeter router configuration (or ask your ISP if they manage it). Maybe the address you're using is not legitimic, not routed to your pix, is the subnet broadcast address, has a dirty ARP, etc...

Try traceroute to that address from here:
How far can you get?
How far can you go with the other addresses?

Check the pix syslog messages (level 3 or 4), does the pix complain about anything?


Yizhar Hurwitz
 
Upvote 0 Downvote
You'll need to clear the arp cache on the PIX and the internet facing router.
 
Upvote 0 Downvote
I cleared the arp cache on the Internet router and that solved the problem of machines not being able to connect when the NAT is deleted.

I also found that I could ping the public address I was trying to assign, although it doesnt show up anywhere in any configs or documentation (we had another guy here who worked on WAN issues who may have done something with that address and didnt document it, but it doesnt show up in any configs, either).

Anyway, I'm still not able to NAT addresses, but at least I can undo the damage when trying. Thanks for the help. I'll have more time next week to keep plugging away at it.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
311
intel233
intel233
RMurr34
  • Locked
  • Question
No Internet Access if no static map
Replies
0
Views
48
RMurr34
RMurr34
xylax
  • Locked
  • Question
Redirecting HTTP traffic from INSIDE to OUTSIDE using ASA NATs
Replies
0
Views
52
xylax
xylax
ttrsux
  • Locked
  • Question
No internet access on new LAN eth0/2 1
Replies
6
Views
132
iggsterman
iggsterman
tajk
  • Locked
  • Question
Error: Static overlaps on PIX-515e
Replies
0
Views
55
tajk
tajk

Part and Inventory Search

Sponsor

Back
Top