08-23-2007 06:24 AM - edited 03-11-2019 04:01 AM
I have two interfaces that I am trying to get to communicate. VPNaccess is security level 100 and DMZ-50 is a SL50. Default rules. Below are the NATs currently in place. When I try to ping 172.16.50.21 I get the following: 305005 No translation group for icmp src VPNaccess:CyndiWS dst DMZ-50:syslog1.
When I try to ping 10.11.2.121 - nothing.
TAC told me to put in 'static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0'
that didn't work either.
Any ideas?
interface Ethernet0/2
description vpn access for technicians
nameif VPNaccess
security-level 100
ip address 10.11.2.111 255.255.255.0
!
interface Ethernet0/3
description Logging servers
nameif DMZ-50
security-level 50
ip address 172.16.50.1 255.255.255.0
name 172.16.50.21 syslog1
name 10.31.103.86 CyndiWS
nat-control
global (outside) 15 66.x.x.190 netmask 255.255.255.255
global (inside) 5 172.16.11.190 netmask 255.255.255.255
global (VPNaccess) 10 10.11.2.120 netmask 255.255.255.255
global (DMZ-50) 20 172.16.50.2 netmask 255.255.255.255
static (DMZ-50,outside) 66.x.x.132 inspector netmask 255.255.255.255
static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255
static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
08-23-2007 06:38 AM
Try using this static instead of the one the TAC told you:
static (VPNaccess,DMZ-50) 10.11.2.0 10.11.2.0
08-23-2007 06:54 AM
That's not the problem. 10.0.0.0/8 and 10.11.2.0/16 would both include the inside host in question.
The problem is you have a destination nat for the host you are pinging in the dmz.
static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255
To ping syslog1 via its dmz address (172.16.50.21) you would have to remove that destination nat.
Otherwise you have to ping it by 10.11.2.121.
The static that TAC gave you will allow you to ping any other dmz address.
Please rate helpful posts.
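The effect this answer describes (the echo reply from syslog1 being rewritten by the destination static so it no longer matches the request) as an added Python model. This is example code, not Cisco's, and it assumes a simplified PIX 7.x lookup under nat-control: only statics are considered, dynamic nat/global pools are ignored.

```python
import ipaddress

# Simplified model of PIX 7.x static NAT lookup under nat-control (an assumption,
# not Cisco's code): dynamic nat/global pools are ignored, only statics apply.
NAMES = {"syslog1": "172.16.50.21", "CyndiWS": "10.31.103.86"}  # from the thread's "name" lines

def parse_static(line):
    """'static (real_if,mapped_if) mapped real netmask M' -> (real_if, mapped_if, mapped_net, real_net)."""
    p = line.split()
    real_if, mapped_if = p[1].strip("()").split(",")
    mask = p[p.index("netmask") + 1] if "netmask" in p else "255.255.255.255"
    mapped = ipaddress.ip_network(f"{NAMES.get(p[2], p[2])}/{mask}", strict=False)
    real = ipaddress.ip_network(f"{NAMES.get(p[3], p[3])}/{mask}", strict=False)
    return real_if, mapped_if, mapped, real

def _xlate(statics, real_if, mapped_if, ip, to_mapped):
    """Translate ip between the real and mapped side of a matching static; None if none covers it."""
    ip = ipaddress.ip_address(ip)
    for r_if, m_if, mapped, real in statics:
        src_net, dst_net = (real, mapped) if to_mapped else (mapped, real)
        if (r_if, m_if) == (real_if, mapped_if) and ip in src_net:
            return str(dst_net.network_address + (int(ip) - int(src_net.network_address)))
    return None

def ping(statics, src_if, src, dst_if, dst):
    """Simulate one echo request from src_if to dst_if and the echo reply's path back."""
    src, dst = NAMES.get(src, src), NAMES.get(dst, dst)
    src_mapped = _xlate(statics, src_if, dst_if, src, True)
    if src_mapped is None:  # nat-control: no static covers the source address
        return f"305005 No translation group for icmp src {src_if}:{src} dst {dst_if}:{dst}"
    # destination: un-NAT it if it is a mapped address the dst_if side exposes on src_if
    dst_real = _xlate(statics, dst_if, src_if, dst, False) or dst
    # the reply leaves dst_if with its source rewritten by any static covering dst_real
    reply_src = _xlate(statics, dst_if, src_if, dst_real, True) or dst_real
    if reply_src != dst:  # reply no longer matches the request's destination address
        return f"dropped: reply from {reply_src} does not match request to {dst}"
    return f"reply from {dst} (real host {dst_real})"

# Constructed scenario: the thread's two statics, with and without the destination NAT.
DEST_NAT = parse_static("static (DMZ-50,VPNaccess) 10.11.2.121 syslog1 netmask 255.255.255.255")
SRC_NAT = parse_static("static (VPNaccess,DMZ-50) 10.0.0.0 10.0.0.0 netmask 255.0.0.0")

if __name__ == "__main__":
    for statics, dst in [([DEST_NAT, SRC_NAT], "syslog1"), ([SRC_NAT], "syslog1"),
                         ([DEST_NAT, SRC_NAT], "10.11.2.121"), ([DEST_NAT], "syslog1")]:
        print(ping(statics, "VPNaccess", "CyndiWS", "DMZ-50", dst))
```

The four runs reproduce the thread: the real address is only reachable once the destination static is gone, the mapped address 10.11.2.121 works with it in place, and with no (VPNaccess,DMZ-50) static at all the source fails with 305005.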
08-23-2007 07:09 AM
OK, so I removed the static 10.11.2.121 and ping 172.16.50.21 and it works.
I put the static back in and ping 10.11.2.121 and the packet doesn't go through. I have scopes on both sides and it is never presented in the DMZ. Should it work that way?
08-23-2007 07:17 AM
"OK, so I removed the static 10.11.2.121 and ping 172.16.50.21 and it works."
-Good.
"I put the static back in and ping 10.11.2.121 and the packet doesn't go through."
-Did you try a clear xlate?
"I have scopes on both sides and it is never presented in the DMZ. Should it work that way?"
-Could you explain what you mean?
08-23-2007 01:01 PM
Make sure 10.11.2.121 is not used by any machine in vpnaccess interface. 10.11.2.121 has to be a free public IP address, otherwise when you try to ping 10.11.2.121, the packets may go to the actual machine rather than going to the PIX.
If it is indeed a free IP address, then do "debug icmp trace" or collect syslogs as you try to ping 10.11.2.121 and see if the ICMP requests are even reaching the PIX or not.