NAT Processing Query - PIX 6.3

charles.coutts
Level 1

Hi All,

I have a query regarding order of NAT processing with the following configuration (as an example):

nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50

nat (inside) 0 0.0.0.0 0.0.0.0

static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

route dmz1 10.10.10.0 255.255.255.0 172.16.1.1

route inside 192.168.0.0 255.255.0.0 192.168.20.20

When I initiate traffic from DMZ1 toward a host on the 192.168.0.0/16 (inside) network, I receive a "No translation group found" error message.

I would have expected the static statement to be matched first, and thus allow this translation to be created?

What are your thoughts?

Thanks,

Charlie

5 Replies

varrao
Level 10

You would need this NAT as well:

nat (dmz1) 1 0.0.0.0 0.0.0.0

global (inside) 1 interface

Thanks,

-Varun

Thanks,
Varun Rao

Varun

Can you just explain why you need that? I ask because if you present addresses to the internet then you do not need to NAT the internet source IPs as they go through the firewall, so why do you need to NAT the DMZ addresses as they go to the inside?

I may just have a bit of brainlock about this and be missing the obvious.

Jon

Varun

Is this because you assume there is no default route within the LAN, i.e. if the network being accessed on the LAN is not directly connected to the ASA and there is no default route, then traffic would not get back to the ASA from the LAN?

Jon

Hi Varun,

Are you able to answer the follow-up questions?

I agree with Jon's comments, and so am still unclear as to why the config I have is not sufficient.

Many thanks,

Charlie

Hi Charles,

Yes, I agree with Jon's statement: if the destination network is not in the same network as the ASA, it is good to PAT the traffic coming from the DMZ to the inside. It is not always necessary to create a translation for the source as well when going from a lower to a higher security level, but it has just been added as a test to check whether the inside host responds to the firewall's inside IP address.

-Varun

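To make the replies concrete, here is an added toy model of how a PIX 6.3-style firewall picks a translation for a new flow, written for this thread and not taken from it or from Cisco code. It assumes interface addresses (192.168.20.1 inside, 172.16.1.254 dmz1) and sample hosts (10.10.10.5 in DMZ1, 192.168.1.10 inside) that the thread never gives, and it shows why Charlie's config yields no translation for DMZ1-to-inside while Varun's two extra lines supply one.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed toy model of PIX 6.3 xlate selection, not firewall code. Each
# rule records its REAL-side interface (the first name in "static (real,mapped)",
# the name in "nat (real)"); a flow is matched only against rules for its source interface.
@dataclass
class Static:
    real_if: str
    mapped_if: str
    real: str      # real block, e.g. "192.168.0.0/16"
    mapped: str    # mapped block as seen on mapped_if
@dataclass
class Nat:
    real_if: str
    nat_id: int    # 0 = identity NAT, needs no global
    real: str
@dataclass
class Global:
    mapped_if: str
    nat_id: int
    mapped: str    # "interface" = PAT to the interface address

IF_ADDR = {"inside": "192.168.20.1", "dmz1": "172.16.1.254"}  # assumed interface IPs

def translate_source(rules, src_if, src_ip, dst_if):
    """Translated source for a new flow, in PIX precedence: static first, then
    nat/global pairs by id. None models 'No translation group found'."""
    ip = ip_address(src_ip)
    for r in rules:
        if isinstance(r, Static) and (r.real_if, r.mapped_if) == (src_if, dst_if) \
                and ip in ip_network(r.real):
            real, mapped = ip_network(r.real), ip_network(r.mapped)
            return str(mapped[int(ip) - int(real[0])])   # one-to-one by offset
    for r in rules:
        if isinstance(r, Nat) and r.real_if == src_if and ip in ip_network(r.real):
            if r.nat_id == 0:
                return src_ip                            # identity NAT
            for g in rules:
                if isinstance(g, Global) and (g.nat_id, g.mapped_if) == (r.nat_id, dst_if):
                    return IF_ADDR[dst_if] if g.mapped == "interface" else g.mapped
    return None

# Charlie's config as posted, then the same plus Varun's nat/global pair.
ORIGINAL = [Nat("inside", 0, "0.0.0.0/0"),
            Static("inside", "dmz1", "192.168.0.0/16", "192.168.0.0/16")]
FIXED = ORIGINAL + [Nat("dmz1", 1, "0.0.0.0/0"), Global("inside", 1, "interface")]
```

With ORIGINAL, a DMZ1 host reaching inside gets None (the static only covers inside hosts seen from dmz1); with FIXED it is PATed to the inside interface address, while inside-to-DMZ1 traffic keeps its real address under both.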