10-13-2006 06:53 AM - edited 02-21-2020 01:14 AM
Machine A
192.168.1.11(real ip) 10.15.10.11 (nat ip)
|
|
|
|
|
(outside)192.168.1.25
PIX 1
(inside)10.15.10.25
|
|
Router------------------ Machine C 10.1.57.23 (real IP)
|
|
(inside)10.3.10.25
PIX 2
(outside)192.168.1.25
|
|
|
|
|
Machine B 192.168.1.11(real ip)10.3.10.11 (nat ip)
PIX 1:
access-list acl_in permit ip host 10.1.57.23 10.15.10.0 255.255.255.0
access-list acl_in permit ip 10.3.10.0 255.255.255.0 10.15.10.0 255.255.255.0
access-list acl_out permit ip 192.168.1.0 255.255.255.0 10.3.10.0 255.255.255.0
ip address outside 192.168.1.25 255.255.255.0
ip address inside 10.15.10.25 255.255.0.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (outside,inside) 10.15.10.11 192.168.1.11 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
PIX 2:
access-list acl_in permit ip host 10.1.57.23 10.3.10.0 255.255.255.0
access-list acl_in permit ip 10.15.10.0 255.255.255.0 10.3.10.0 255.255.255.0
access-list acl_out permit ip 192.168.1.0 255.255.255.0 10.15.10.0 255.255.255.0
ip address outside 192.168.1.25 255.255.255.0
ip address inside 10.3.10.25 255.255.0.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (outside,inside) 10.3.10.11 192.168.1.11 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
Above is a small "drawing" to try to illustrate my setup. Also above are what I think are the relevant PIX configs. The purpose of these 2 firewalls is to protect machines on the 192.168.1.x network from machines on the 10.x.x.x network and vice versa. The subnet mask for the 192 machines is 255.255.255.0 and for the 10 network it is 255.255.0.0.
Right now, I am able to connect to both machine A and machine B from machine C using the natted IP addresses. The problem I'm having is that when I try to establish a connection from machine A to machine B I get a syslog error message from PIX 1 that reads "no translation group found for tcp src outside:192.168.1.11 dst inside:10.3.10.11".
I'm a little confused at this point. Do I need to add some sort of global command for the inside interfaces, and a nat for the outside? I will need both machine A to be able to talk to machine B, and vice versa. Any help is greatly appreciated.
10-13-2006 09:03 AM
Hi,
I think it will save you a lot of headache if you swap the security levels of each interface of both PIXs... i.e. swap the interfaces. Interface outside faces the router on each side of the PIXs... then you can let machine A talk to machine B by typing static (inside,outside), which is the proper way of doing the static translation... also make sure your route statements are reaching the translated subnet (i.e. the outside subnet)...
I hope this helps!
10-16-2006 09:33 AM
Thanks. It does require me visiting the other sites. I will let you know if it works. Makes sense though.
10-13-2006 10:00 AM
This config is a bit confusing.
If you are trying to get to 10.3.10.11 from the outside you need
static (inside,outside) 10.3.10.11 192.168.1.1 netmask 255.255.255.255 0 0
Your static is backwards on PIX 2.
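To show why PIX 1 logs "no translation group found" for the A -> B flow while C -> A works, and why both replies recommend swapping the interfaces and using static (inside,outside), here is a small Python model of the nat-control translation check (an added example, not Cisco code and not part of the thread). It assumes the classic PIX 6.x rules: a connection from a higher to a lower security interface needs a static or a nat/global pair for its source, and a connection from a lower to a higher security interface needs the destination to be the mapped side of a static; ACLs, routing and PIX 2 are deliberately left out.

```python
from ipaddress import ip_address, ip_network

class Pix:
    """Simplified PIX 6.x (nat-control) translation check; not Cisco code."""
    def __init__(self, levels):          # e.g. {"inside": 100, "outside": 0}
        self.levels = levels
        self.statics = []                # (real_ifc, mapped_ifc, mapped_ip, real_ip)
        self.nats = {}                   # ifc -> [networks]; nat/global ids collapsed
        self.globals = set()             # interfaces carrying a global pool

    def static(self, real_ifc, mapped_ifc, mapped_ip, real_ip):
        # same argument order as the command: static (real,mapped) mapped real
        self.statics.append((real_ifc, mapped_ifc, ip_address(mapped_ip), ip_address(real_ip)))

    def nat(self, ifc, net):
        self.nats.setdefault(ifc, []).append(ip_network(net))

    def global_(self, ifc):
        self.globals.add(ifc)

    def translation_found(self, src_ifc, src, dst_ifc, dst):
        src, dst = ip_address(src), ip_address(dst)
        if self.levels[src_ifc] > self.levels[dst_ifc]:
            # high -> low: the source needs a static towards dst_ifc, or nat + global
            if any(r == src_ifc and m == dst_ifc and real == src
                   for r, m, _, real in self.statics):
                return True
            return dst_ifc in self.globals and any(src in n for n in self.nats.get(src_ifc, []))
        # low -> high: the destination must be the mapped side of a static;
        # a dynamic nat/global pair never admits an inbound connection
        return any(r == dst_ifc and m == src_ifc and mapped == dst
                   for r, m, mapped, _ in self.statics)

def pix1_as_posted():
    """PIX 1 as in the question: 10.x side is inside (100), 192.168.1.x side is outside (0)."""
    p = Pix({"inside": 100, "outside": 0})
    p.nat("inside", "10.0.0.0/8")
    p.global_("outside")
    p.static("outside", "inside", "10.15.10.11", "192.168.1.11")
    return p

def pix1_as_advised():
    """PIX 1 after the swap the replies suggest: the 192.168.1.x side becomes inside."""
    p = Pix({"inside": 100, "outside": 0})
    p.static("inside", "outside", "10.15.10.11", "192.168.1.11")
    return p

def check(p, ifc_192, ifc_10):
    # C -> A targets A's NAT address; A -> B targets B's NAT address behind PIX 2
    return {"C->A": p.translation_found(ifc_10, "10.1.57.23", ifc_192, "10.15.10.11"),
            "A->B": p.translation_found(ifc_192, "192.168.1.11", ifc_10, "10.3.10.11")}
```

With the posted config only the inside-initiated C -> A flow finds a translation, because 10.3.10.11 is reached through the inside interface and is covered only by the dynamic nat/global pair; after the swap the single static (inside,outside) serves both directions.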