https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716668#M534502 <HTML><HEAD></HEAD><BODY><P>Varun </P><P></P><P>Can you just explain why you need that. I ask because if you present addresses to the internet then you do not need to NAT the internet source IPs as they go through the firewall so why do you need the dmz addresses as they go to the inside ? </P><P></P><P>I may just be a bit of brainlock about this and be missing the obvious <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P>Jon</P></BODY></HTML> Mon, 01 Aug 2011 13:57:37 GMT Jon Marshall 2011-08-01T13:57:37Z https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716666#M534500 <P>Hi All,</P><P></P><P>I have a query regarding order of NAT processing with the following configuration (as an example):</P><P></P><PRE><SPAN style="font-family: arial,helvetica,sans-serif;">nameif ethernet1 inside security100 nameif ethernet2 dmz1 security50</SPAN></PRE><P>nat (inside) 0 0.0.0.0 0.0.0.0</P><P>static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0</P><P>route dmz1 10.10.10.0 255.255.255.0 172.16.1.1</P><P>route inside 192.168.0.0 255.255.0.0 192.168.20.20</P><P></P><P>When I initiate traffic from DMZ1 toward a host on the 192.168.0.0/16 (inside) network, I receive a "No translation group found" error message.</P><P></P><P>I would have expected the static statement to be matched first, and thus allow this translation to be created?</P><P></P><P>What are your thoughts?</P><P></P><P>Thanks,</P><P></P><P>Charlie</P> Mon, 11 Mar 2019 21:06:26 GMT https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716666#M534500 charles.coutts 2019-03-11T21:06:26Z https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716667#M534501 <HTML><HEAD></HEAD><BODY><P>You would need this nat as well;</P><P></P><P>nat (dmz1) 1 0.0.0.0 0.0.0.0</P><P>global (inside) 1 interface</P><P></P><P>Thanks,</P><P>-Varun</P></BODY></HTML> Mon, 01 Aug 2011 13:47:44 GMT https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716667#M534501 varrao 2011-08-01T13:47:44Z https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716668#M534502 <HTML><HEAD></HEAD><BODY><P>Varun </P><P></P><P>Can you just explain why you need that. I ask because if you present addresses to the internet then you do not need to NAT the internet source IPs as they go through the firewall so why do you need the dmz addresses as they go to the inside ? </P><P></P><P>I may just be a bit of brainlock about this and be missing the obvious <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P>Jon</P></BODY></HTML> Mon, 01 Aug 2011 13:57:37 GMT https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716668#M534502 Jon Marshall 2011-08-01T13:57:37Z https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716669#M534503 <HTML><HEAD></HEAD><BODY><P>Varun </P><P></P><P>Is this because you assume there is no default-route within the LAN ie. if the network being accessed on the LAN is not directly connected to the ASA and there is no default-route then traffic would not get back to the ASA from the LAN ? </P><P></P><P>Jon</P></BODY></HTML> Mon, 01 Aug 2011 17:54:15 GMT https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716669#M534503 Jon Marshall 2011-08-01T17:54:15Z https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716670#M534504 <HTML><HEAD></HEAD><BODY><P>Hi Varun,</P><P></P><P>Are you able to answer the follow-up questions?</P><P></P><P>I agree with Jon's comments, and so am still unclear as to why the config I have is not sufficient.</P><P></P><P>Many thanks,</P><P></P><P>Charlie</P></BODY></HTML> Mon, 15 Aug 2011 09:30:08 GMT https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716670#M534504 charles.coutts 2011-08-15T09:30:08Z https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716671#M534505 <HTML><HEAD></HEAD><BODY><P>Hi Charles,</P><P></P><P>Yes, I agree with Jon's statement, if the destination network is not in the same network as the ASA, it is good to pat the traffic coming from the dmz to inside. It is not always necessary to create a translation for the source as well, going from lower security to higher security level, but it is just been added as a test to check whether the inside host respond to the firewall inside ip address.</P><P></P><P>-Varun</P></BODY></HTML> Mon, 15 Aug 2011 17:55:14 GMT https://community.cisco.com/t5/network-security/nat-processing-query-pix-6-3/m-p/1716671#M534505 varrao 2011-08-15T17:55:14Z