I had a similar issue using NAT 0 0 0 (5.3.1) between three PIXes. It
would work for a while and then it wouldn't, very sporadic!!! After much
hair pulling I ended up keeping the same code but going with the static
(inside,outside) command. Lesson learned, do NOT use NAT 0!!!


Thanks!
  -g

--

........The truth shall set you free........
...Success is a journey not a destination...

George Harper
Network Engineer, Sr
CCDP, CCNP

On Tue, 4 Sep 2001, Bill Carter stated:

BC>Date: Tue, 4 Sep 2001 15:55:36 -0400
BC>From: Bill Carter 
BC>To: [EMAIL PROTECTED]
BC>Subject: PIX - NAT 0 problems this weekend [7:18471]
BC>
BC>Last week I talked with some TAC engineers about running NAT 0 on a PIX.
BC>This weekend I upgraded a customer's site by placing Web servers in a DMZ.
BC>For various reasons, I did not want to privately address the web servers and
BC>use static translations.  Some TAC engineers said there are ongoing
BC>discussions about whether to use NAT 0 or Static translations to the real
BC>addresses.
BC>
BC>During our cutover I learned what they were talking about...;>
BC>
BC>This involved a PIX 515 running 5.3(1).
BC>
BC>10:15pm -  nat (DMZ) 0 0 0.  I threw in the command, moved to my PC on the
BC>outside segment, typed in http://X.X.X.10.  Voila!! Up came my web page.
BC>Done, I'm ready to head for the hotel!!!   But first, the client ordered
BC>take out (Free Dinner!!) and it was time to eat.  Had some pretty good
BC>Vietnamese food while discussing how smooth everything went...
BC>
BC>10:45pm - After dinner. From my PC I try to hit the web page. DDOOOHH!!! No
BC>web page!!!  Try some pings (Access-list allowed ping for the time-being),
BC>nothing.   A show xlate reveals there is no xlating going on :~  Piece of
BC>#$@&.  Can I get some water, dinner was hot!!
BC>
BC>11:15pm - Using my keen sense of recall, I try the TAC suggestion of
BC>static (DMZ,outside) X.X.X.0 X.X.X.0 255.255.255.128.  From outside try the
BC>web page, voila!!! works.
BC>
BC>11:45pm - Start packing the bag, ask the customer to try.  DDOOOHHHH!!! No
BC>web page.  Walk from customer desk to Computer room, shut door, let
BC>expletives fly (for 5 minutes)!!!!
BC>
BC>12:01am - It's tomorrow gggrrr!! Call TAC, ticktickticktick.
BC>
BC>12:50am - Finally hear from TAC. 3 day weekend, everyone is doing upgrades
BC>tonight.  Oohhh the glamourous life of a consultant!!!  TAC says config is
BC>right, do some dinking around, it works!!!
BC>
BC>1:45am - Pack the bags, ask the customer to try..(you guessed it)
BC>DDDOOOOHHHH!!! stopped working!!!@#$@@#!   Enough of this @#$%.
BC>http://www.cisco.com/kobayashi/sw-center/sw-ciscosecure.shtml
BC>
BC>2:00am - Start upgrading..Since the customer has so wisely chosen the
BC>failover bundle we get to upgrade 2X.
BC>
BC>2:30am - PIXes are rebooted after upgrade, test the web pages.
BC>Excellent!!!!! Pack the bags, ask customer to test...Everything works..Time
BC>to go home..
BC>
BC>
BC>Moral of the story.
BC>NAT when you can, but if you can't,
BC>static (DMZ,outside) X.X.X.0 X.X.X.0 255.255.255.128
BC>is better than
BC>nat (DMZ) 0 0 0
BC>and
BC>PIX code 6.0(1) is much better than 5.3(1)
BC>
BC>ps.  TAC support was excellent.  I don't intend for this to be derogatory
BC>against TAC.
BC>
BC>
BC>^-^-^-^-^-^-^-^-^-^-^
BC>Bill Carter
BC>CCIE 5022
BC>^-^-^-^-^-^-^-^-^-^-^

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=18481&t=18471