NAT is the problem ?

Posted on 2004-10-18
Last Modified: 2010-04-10
I have the following configuration:

ADSL-----RouterVPN ( PIX501 ( (
                                                    PcB (

All subnet masks are 24 bits.
RouterVPN has proper configuration.

I need PcA to be able to go outside and to be reachable from outside, hence i decided a static NAT by entering:

static (inside,outside) netmask

Also I set the following default gateways:
For PcA:
For PcB:
For PIX:

After setting all the IP I performed some connectivity tests and got what follows:

From PcB:
ping : OK
ping : OK

From PcA:
ping : OK

From PIX:
ping outside : OK
ping outside : ? I need to verify
ping inside : OK

My questions are:
1)Is it enough to use only the "static (...,..)..."  command or should I use it after entering:
nat (inside) 1 netmask
global (outside) 1 netmask

2)Why can't I reach from PcA the router ?

Thx in advance

Question by:minicuc
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
LVL 43

Expert Comment

ID: 12339679
Are you allowing ICMP traffic on the PIX outside interface?  If ICMP is not permitted, you won't be able to ping anything beyond the PIX from PcA or ping through the PIX from the outside interface.

Expert Comment

ID: 12339709
can you ping the internet form your  pix  ?

if you can the its not routing the segment 192.168.1.xx

Accepted Solution

Felix2000 earned 250 total points
ID: 12339973
Doing the static is fine but you also need to make an access list to allow traffic in. Otherwise the traffic is still denied.
Statics only make the translation for traffic allowed in.

This is an example access access list to allow traffic in from your natted ip and icmp

### Permit Access from anybody to host
access-list acloutin permit ip any

### If you want specific access you can do something like this for a website
# access-list acloutin permit tcp any eq 80

### Permit Things like Ping / Traceroute through the pix
access-list acloutin permit icmp any interface outside unreachable
access-list acloutin permit icmp any interface outside time-exceeded
access-list acloutin permit icmp any interface outside echo-reply
access-list acloutin permit icmp any interface outside echo

### Apply the access list to the interface
access-group acloutin in interface outside

Hope that helps.

-= Felix =-
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users


Expert Comment

ID: 12340634
Your router can't connect to PC-A because the router doesn't know that 192.168.1.xx is handled by PIX501.  It assumes that the only addresses on its internal network are in the subnet (whatever the netmask is), and that everything else must be on the external side.  If your RouterVPN supports it, you will need to add a route/gateway to via  Since 192.168.x.x addresses are technically considered "non-routable," this might present a problem.  Also, if your RouterVPN doesn't support static routes, you are in trouble.

Since RouterVPN does not know how to get to PC-A, it can not return the pings, even if your firewall rules are correct.  If you were to put a network sniffer (like Ethereal on a hub, not a switch) right in front of, then you should see the packets from PC-A, each one followed by "Destination Unreachable" packets from the router.

If that doesn't work, then one troubleshooting step is to try everything using routable addresses on PC-A and the PIX, and then change them to non-routable addresses once things are working, in case your router/PIX refuses to route the non-routable addresses.

- Will

Expert Comment

ID: 12341287
RouterVPN or PC-B doesn't need routers for the 192.168.x.x it's being natted... to anyone infront of the nat he needs to try to connect to

-= Felix =-

Author Comment

ID: 12368866
Thx all, i'll check and get back to you shortly

Expert Comment

ID: 12369509
Good point, Felix2000.  Somehow I must have been thinking that the NAT was on the other end.  In that case, disregard most of my previous post.

Author Comment

ID: 12381331
Felix  solution works fine.Thx.
Only couple of doubts:

1) It seems the ICMP access-list lines are not needed, PcA is able to ping RouterVPN even without them. Is it correct ?

2) Are these ICMP access-list lines equivalent to the following ICMp commands ?

icmp permit any echo-reply outside
icmp permit any echo outside


Expert Comment

ID: 12384505
I believe the ICMP lines are for the PIX itself  not things being or being NAT'ed by it.

PC A is allowed out since he is inside. The access lists should also help people coming from the outside to ping / traceroute to the router/nat ip's.
Traceroute's time-exceeded might not normally be allowed back through the pix by default.

Glad it helped
-= Felix =-

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question