PIX to Netscreen vLAN setup

jwright — Fri, 21 Feb 2020 06:57:16 GMT

I have a Netscreen25 and a PIX 501 with an unusual setup. Here's how it looks.

-Internet

Cisco 2600 Outside routable address

| Inside address 10.0.0.1

Netscreen Outside address Port 1 10.0.0.2

| Port 3 Inside address 192.168.1.1

| to 192.168.1.x

|-Vlan

|Port 2 192.168.2.2/24

Pix Outside address 192.168.2.1

| Inside address 172.16.0.1

Computer 172.16.0.10

The 172.16.0 addresses can ping 192.168.1.x addresses

but that is it the Pix monitor says:

305005:No translation group found for icmp src inside 172.16.0.10 dst outside:216.239.41.99 (type 8 code 0)

Trying to ping Google. Looks like a routing error of some kind. What is a translation group?

--Jerry

Re: PIX to Netscreen vLAN setup

gfullage — Fri, 29 Aug 2003 05:24:12 GMT

The PIX has to create a translation for all traffic passing through it. It does this with the nat/global and static configuration commands. Basically for any traffic to pass from a higher security interface to a lower (inside to outside), the PIX needs to create a translation for it and to do that it needs to either have a static command or a nat/global pair for the two interfaces.

If you can ping 192.168.1.0 then it means that you probably have a nat/global something like:

> nat (inside) 1 0.0.0.0 0.0.0.0

> global (outside) 1 interface

or something similar. I'm a little confused as to why you're getting this message then because your other traffic is also going from the inside to the outside interface, so it should use the same nat/global.

If you could post your config it would be easy to see where the problem lies, xxxx out your passwords though.

topic PIX to Netscreen vLAN setup in Network Security

PIX to Netscreen vLAN setup

Re: PIX to Netscreen vLAN setup