2 static NATs work. 3rd static NAT doesn't.

Hello all,

I have spent a lot of time on this and seem to be missing something.
Any technical knowledge and help will be greatly appreciated.

I have pasted our PIX config below. You see three static NATs
configured. The first two work great. The 3rd static NAT is new, and
the config below isn't working right, and actually causes the internal
host to lose Internet connectivity. The new static NAT is the one for
global IP 216.xxx.xxx.243. What is wrong?


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password o6XhYX4TSmjifHY0 encrypted
passwd o6XhYX4TSmjifHY0 encrypted
hostname PIX
domain-name xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.2.2 server
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq smtp
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq 3389
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq pop3
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq www
access-list inetACL permit udp any host 66.xxx.xxx.150 eq domain
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq domain
access-list inetACL permit icmp any host 66.xxx.xxx.150
access-list inetACL permit tcp any host 66.xxx.xxx.187 eq 3389
access-list inetACL permit tcp any host 66.xxx.xxx.150 eq https
access-list inetACL permit tcp any host 216.xxx.xxx.243 eq 3389
access-list inetACL permit icmp any host 216.xxx.xxx.243
pager lines 24
logging on
logging buffered informational
logging trap debugging
logging facility 16
logging device-id hostname
logging host inside server 17/1025 format emblem
mtu outside 1500
mtu inside 1500
ip address outside 66.xxx.xxx.186 255.255.255.0
ip address inside 192.168.2.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.xxx.xxx.150 server netmask 255.255.255.255
0 0
static (inside,outside) 66.xxx.xxx.187 192.168.2.9 netmask
255.255.255.255 0 0
static (inside,outside) 216.xxx.xxx.243 192.168.2.7 netmask
255.255.255.255 0 0
access-group inetACL in interface outside
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

 

Where are you getting the 216.X..243 address from? Did your ISP just give it
to you? If they just gave it to you are you routing it on your internet
router to the Pix? There is nothing wrong with the Pix config IF that is
your address and is being routed properly to the Pix.