Hello,

That is a pretty standard way of doing PAT overloading. I use it on 4 or 5 firewalls in this manner. I would suggest double, then triple checking the global for typos. I suspect that the PAT global might have an incorrect address. Try and see if those users that have a PAT address can ping outside addresses. Start with the next hop address, and work from there.
Let us know if they can ping, or if everything is blocked.

Thanks
Larry

-----Original Message-----
From: Ufuk Yasibeyli [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 24, 2002 10:23 AM
To: [EMAIL PROTECTED]
Subject: PIX - PAT configuration problem [7:44957]

Hello everybody,

I have configured a PIX 515E v6.1(2) with the following for NAT/PAT address translation:

ip address outside x.y.z.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.y.z.1 1
global (outside) 1 x.y.z.100-x.y.z.253
global (outside) 1 x.y.z.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Inside hosts have the necessary permissions for initiating web traffic, and all the hosts which get an address from the NAT pool (100-253) can browse the web. However, clients which are allocated from the PAT address (254) cannot browse the web. These clients can resolve DNS names to IP addresses though.

When I issue the "show xlat" command, PAT addresses are shown as allocated to some clients, which I verify can't access the web.

I have used the Cisco Output Interpreter tool, but it didn't give me any warning or configuration error. And I think the config is pretty straightforward. (Which might be the reason for a mistake I can't see.)

One friend informed me that PIX has a problem in a configuration like this, where the outside address is in the same segment as the address used for PAT. Can someone confirm this information, and if so, is this behaviour a bug or a configuration mistake I am making?

Best regards,
Ufuk Yasibeyli

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44972&t=44957
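The "double, then triple check the global" advice in the reply can be done mechanically. The following Python sketch is an added example, not part of the original thread or any Cisco tool: it parses the statement types shown in the posted config and flags PAT or pool addresses that look mistyped. The function name check_globals is hypothetical, 203.0.113.0/24 is a constructed stand-in for the elided x.y.z prefix, and the off-subnet test is a typo heuristic assumed here, not a PIX rule.

```python
import ipaddress

# Constructed sample: same layout as the posted config, with the
# documentation range 203.0.113.0/24 standing in for x.y.z.
SAMPLE = """\
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
global (outside) 1 203.0.113.100-203.0.113.253
global (outside) 1 203.0.113.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def check_globals(config, ifname="outside"):
    """Return findings about the global statements bound to one interface."""
    iface, hops, pools, pats, findings = None, [], [], [], []
    for line in config.splitlines():
        tok = line.split()
        try:
            if tok[:3] == ["ip", "address", ifname]:
                iface = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
            elif tok[:2] == ["route", ifname]:
                hops.append(ipaddress.ip_address(tok[4]))  # next-hop gateway
            elif tok[:2] == ["global", f"({ifname})"]:
                if tok[3] == "interface":      # PAT on the interface address
                    continue
                lo, _, hi = tok[3].partition("-")
                lo = ipaddress.ip_address(lo)
                if hi:                          # a range is a NAT pool
                    pools.append((lo, ipaddress.ip_address(hi)))
                else:                           # a single address is PAT
                    pats.append(lo)
        except (ValueError, IndexError):
            findings.append(f"cannot parse: {line.strip()}")
    if iface is None:
        return findings + [f"no 'ip address {ifname}' line found"]
    for lo, hi in pools:
        if lo > hi:
            findings.append(f"pool {lo}-{hi} is reversed")
    # Heuristic: a global outside the interface subnet is usually a typo.
    for addr in pats + [a for pool in pools for a in pool]:
        if addr not in iface.network:
            findings.append(f"{addr} is not in {iface.network}")
    for pat in pats:
        if pat == iface.ip or pat in hops:
            findings.append(f"PAT {pat} collides with interface or next hop")
        if any(lo <= pat <= hi for lo, hi in pools):
            findings.append(f"PAT {pat} overlaps a NAT pool")
    return findings
```

An empty list for the layout in the thread means the statements are internally consistent, which leaves the ping test from the PAT'd hosts as the next step.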