
Accessing server on other network through NAT outside

Level 1

OK, I need some ideas how to solve this problem. This will be quite a brainstorm for you ;).

IP addresses are not real, but as in my real situation they are public IANA addresses :).

I will describe network situation:

PIX running PIXOS6.3 with three interfaces:

1.inside - (sec-level 100)

2.outside - x.x.x.x (sec-level 0) - Internet

3.projectVLAN - (sec-level 60)

On the inside network is another subnet behind a router. PIX has a route to this subnet

"route inside" (this is ROUTER2 IP)

Users from projectVLAN can access inside servers using configured static(s) with ACL permits on the projectVLAN interface.

The problem is when users want to access servers on the subnet through the static. Communication is not successful, because traffic is not returning correctly. ROUTER2 is on another WAN location and does not have a route to hosts on through the PIX IP

Therefore I have used the static in conjunction with "nat outside". It translates the destination IP and also the source IP, of which ROUTER2 is aware (knows a route to it). Connecting to the server (tested through ping) is now successful, but all other communication from inside to projectVLAN does not pass (is blocked), with this syslog message on the PIX:

"%PIX-3-305005: no translation group found for ICMP ..."

Here is a short cut-out from the config (I hope you will be able to see all the needed stuff - sorry for mistakes, this is not pasted but manually written - hope the syntax is good :)

name ROUTER2
name NATaddforSERVER
nameif outside ethernet0 security-level 0
nameif inside ethernet1 security-level 100
nameif projectVLAN ethernet2 security-level 60
ip address outside
ip address inside
ip address projectVLAN
route outside 0 0
route inside
nat (inside) 5 0 0
nat (pVLAN) 10
nat (pVLAN) 20 access-list TEST outside
global (outside) 10 -
global (outside) 10
global (outside) 5 interface
global (pVLAN) 5
global (inside) 20 interface
static (inside,projectVLAN) NATaddforSERVER netmask 0 0
access-list TEST permit ip host NATaddforSERVER
access-group TEST in interface projectVLAN

Any good ideas are greeeaaatly appreciated =P.

If you solve this I will say that you are quite a network professional :))).
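A small triage helper for the symptom in the post, added here as an example and not part of the original thread: it parses %PIX-3-305005 ("no translation group found") syslog lines and counts which source/destination interface pairs are hitting the firewall without a matching nat/global or static, which is the first thing to check before touching the NAT rules. The log lines are constructed in Cisco's documented message format; the interface names follow the post, the addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog in the documented %PIX-3-305005 format.
# Addresses are placeholders, not values from the original post.
SAMPLE_LOGS = """\
Jan 10 12:00:01 pix %PIX-3-305005: No translation group found for icmp src inside:10.1.1.20 dst projectVLAN:10.2.2.5 (type 8, code 0)
Jan 10 12:00:02 pix %PIX-3-305005: No translation group found for tcp src inside:10.1.1.21/40512 dst projectVLAN:10.2.2.5/445
Jan 10 12:00:03 pix %PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.20/50000 (203.0.113.9/50000)
Jan 10 12:00:04 pix %PIX-3-305005: No translation group found for tcp src inside:10.1.1.20/40513 dst projectVLAN:10.2.2.5/22
"""

# Message 305005 carries protocol, then src/dst as interface:address[/port].
# The port is absent for ICMP, so it is optional in the pattern.
PATTERN = re.compile(
    r"%PIX-(?P<sev>\d)-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)


def parse_305005(line):
    """Return the fields of a 305005 line as a dict, or None for other messages."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def missing_xlate_pairs(log_text):
    """Count (src_interface, dst_interface) pairs that lack a translation.

    Each pair maps directly to the nat (src_if) id / global (dst_if) id
    or static (src_if,dst_if) entry that should cover the flow, so the
    counter tells you which NAT relationship is missing or misconfigured.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_305005(line)
        if rec:
            counts[(rec["src_if"], rec["dst_if"])] += 1
    return counts


if __name__ == "__main__":
    for (src_if, dst_if), n in missing_xlate_pairs(SAMPLE_LOGS).most_common():
        print(f"{src_if} -> {dst_if}: {n} untranslated flows")
```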


1 Reply

Jon Marshall
Hall of Fame