https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081617#M878550 <HTML><HEAD></HEAD><BODY><P>That did it. I was missing the 2nd static.</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 22 Dec 2008 20:23:13 GMT ajohnson 2008-12-22T20:23:13Z https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081611#M878538 <P>Running PIX 6.3(5)</P><P></P><P>Goal is to translate a outside external src IP 12.12.12.10 to a internal ip 172.16.1.200 on the inside of the PIX.</P><P></P><P>Tried to use static (outside,inside) 172.16.1.200 12.12.12.10 without any luck get </P><P></P><P>305005: No translation group found for icmp src outside:12.12.12.10 dst inside:1</P><P>72.16.1.200 (type 8, code 0)</P><P></P><P>This should work, what am I missing?</P> Mon, 11 Mar 2019 14:28:30 GMT https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081611#M878538 ajohnson 2019-03-11T14:28:30Z https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081612#M878539 <HTML><HEAD></HEAD><BODY><P>try it in other direction, to map 12.12.12.10 towards 172.16.1.200 your identity nat must be in this format.</P><P></P><P></P><P>static (inside, outside) 12.12.12.10 172.16.1.200 netmask 255.255.255.255</P></BODY></HTML> Mon, 22 Dec 2008 18:24:00 GMT https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081612#M878539 JORGE RODRIGUEZ 2008-12-22T18:24:00Z https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081613#M878545 <HTML><HEAD></HEAD><BODY><P>I get this error:</P><P></P><P>305006: regular translation creation failed for icmp src outside:12.12.12.10 dst</P><P> inside:172.16.1.200 (type 8, code 0)</P></BODY></HTML> Mon, 22 Dec 2008 18:35:20 GMT https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081613#M878545 ajohnson 2008-12-22T18:35:20Z https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081614#M878547 <HTML><HEAD></HEAD><BODY><P>clear xlate or local host and try again</P><P></P><P>either do pix#<B>clear xlate</B></P><P></P><P>or </P><P></P><P>pix#clear local-host 172.16.1.200</P><P></P><P></P><P>btw you will need icmp acl to allow pings from outside ot inside , create an acl to allow different service such as rdp and test through that port instead of icmp by rdping from outside to 12.12.12.10 </P><P></P><P>icmp</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml</A></P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 22 Dec 2008 18:45:58 GMT https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081614#M878547 JORGE RODRIGUEZ 2008-12-22T18:45:58Z https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081615#M878548 <HTML><HEAD></HEAD><BODY><P>Yes already have a permit any any on outside interface and have done clear xlate.</P></BODY></HTML> Mon, 22 Dec 2008 19:15:43 GMT https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081615#M878548 ajohnson 2008-12-22T19:15:43Z https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081616#M878549 <HTML><HEAD></HEAD><BODY><P>Andrew,</P><P></P><P>After you configure the above statement, where are you sourcing the ICMP packets from and what is the destination. </P><P></P><P>I believe below statement will translate the outside IP 12.12.12.10 to 172.16.1.200 and then you need a translation for whatever destination the IP Address is. </P><P></P><P>For example:</P><P></P><P>Router 1.1.1.1 - Inside ASA - Outside - 12.12.12.10</P><P></P><P>static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255</P><P>static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255</P><P></P><P>ciscoasa(config)# sh xlate</P><P>2 in use, 2 most used</P><P>Global 1.1.1.1 Local 1.1.1.1</P><P>Global 172.16.1.200 Local 12.12.12.10</P><P></P><P>So, if I telnet to 1.1.1.1 from the outside with 12.12.12.10, the packets get translated to 172.16.1.200 on the ASA and then the ASA looks for the regular inside/outside translation for the destination. That is why I have a static (inside,outside) for 1.1.1.1. </P><P></P><P>Router that is configured with IP 1.1.1.1</P><P></P><P>interface Loopback101</P><P> ip address 1.1.1.1 255.255.255.0</P><P></P><P>7140#sh users</P><P> Line User Host(s) Idle Location</P><P>* 0 con 0 idle 00:00:00</P><P> 2 vty 0 idle 00:02:27 172.16.1.200</P><P></P><P>I hope it helps.</P><P></P><P>Regards,</P><P>Arul</P><P></P><P>*Pls rate all helpful posts*</P><P></P></BODY></HTML> Mon, 22 Dec 2008 19:23:21 GMT https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081616#M878549 ajagadee 2008-12-22T19:23:21Z https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081617#M878550 <HTML><HEAD></HEAD><BODY><P>That did it. I was missing the 2nd static.</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 22 Dec 2008 20:23:13 GMT https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081617#M878550 ajohnson 2008-12-22T20:23:13Z https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081618#M878552 <HTML><HEAD></HEAD><BODY><P>Why not a single command</P><P></P><P>static (inside,outside) 12.12.12.10 172.16.1.200 0 0</P></BODY></HTML> Tue, 23 Dec 2008 07:57:23 GMT https://community.cisco.com/t5/network-security/static-nat-pix-command/m-p/1081618#M878552 mohsin.khan 2008-12-23T07:57:23Z