07-30-2007 08:56 PM - edited 03-11-2019 03:51 AM
Hello!
On PIX 515E I need access from a real IP x.x.x.x (outside interface) to inside IP 10.1.1.2 (inside interface) without NAT - for test purposes.
When I try to access inside IP 10.1.1.2 from the real IP x.x.x.x, the PIX sends error messages to syslog: (305005) "No translation group found for icmp src OUT:x.x.x.x dst IN:10.1.1.2 (type 8, code 0)".
I tried 2 configs:
1. access-list nonat_toInside extended permit ip host x.x.x.x 10.1.1.0 255.255.255.0
nat (OUT) 0 access-list nonat_toInside
2. static (OUT,IN) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
But nothing helped... Maybe there are mistakes? Or what should I do to solve the problem?
07-30-2007 11:06 PM
Hi
static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
+ allow icmp on your access-lists
HTH
Jon
07-31-2007 01:57 AM
The problem is still remaining.
If I write "static (outside,inside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255" I see on "show nat" this:
NAT policies on Interface Out:
match ip Out host 10.1.1.2 IN any
static translation to 10.1.1.2
translate_hits = 0, untranslate_hits = 0
If I write your command "static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255" this rule appears on interface IN and PIX doesn't want to translate again.
Why doesn't nat 0 work?..
07-31-2007 02:04 AM
nat(0) only works for inside to outside dynamic translations.
In your case you need a static like jon.marshall suggested:
static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
(outside,inside) is only used if you want to translate the outside source address.
07-31-2007 07:30 AM
Also, if you are testing with ping, make sure you are allowing ICMP echo replies into the outside interface.
Ex. access-list outside_in extended permit icmp any any echo-reply
access-group outside_in in interface outside
07-31-2007 08:01 PM
or add icmp inspection to the global policy.
08-01-2007 01:26 AM
Sorry, Jon, I wrote the wrong IP in my config :[
So, your answer helped me!
Thanks!!
P.S. I've forgotten to check a box that the post resolved my problem. But now I'm not allowed to do this...
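An added example, not written by any poster in this thread: Python that reads 305005 "No translation group found" syslog lines like the one quoted in the question, counts them per untranslated destination, and prints the identity static the replies recommend for each. The log lines, the 203.0.113.7 address and the function names are constructed for illustration; the interface names OUT and IN are the ones from the question.

```python
import re
from collections import Counter

# Message text as quoted in the thread; TCP/UDP variants carry /port after each address.
PATTERN = re.compile(
    r"305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
)

# Constructed sample lines (documentation addresses), not captured from a real device.
SAMPLE = """\
Jul 31 2007 01:50:11: %PIX-3-305005: No translation group found for icmp src OUT:203.0.113.7 dst IN:10.1.1.2 (type 8, code 0)
Jul 31 2007 01:50:12: %PIX-3-305005: No translation group found for icmp src OUT:203.0.113.7 dst IN:10.1.1.2 (type 8, code 0)
Jul 31 2007 01:50:30: %PIX-3-305005: No translation group found for tcp src OUT:203.0.113.7/40112 dst IN:10.1.1.3/22
Jul 31 2007 01:51:02: %PIX-6-302013: Built outbound TCP connection 88 for OUT:198.51.100.9/80 to IN:10.1.1.5/1025
"""

def missing_translations(log_text):
    """Count 305005 hits per (dst_if, dst, src_if) tuple; other messages are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            hits[(m["dst_if"], m["dst"], m["src_if"])] += 1
    return hits

def identity_statics(hits):
    """One identity static per untranslated destination, in the form the replies give:
    static (real_if,mapped_if) ip ip netmask 255.255.255.255."""
    return [
        f"static ({dst_if},{src_if}) {dst} {dst} netmask 255.255.255.255"
        for (dst_if, dst, src_if) in sorted(hits)
    ]

if __name__ == "__main__":
    hits = missing_translations(SAMPLE)
    for key, count in sorted(hits.items()):
        print(count, key)
    print("\n".join(identity_statics(hits)))
```

The printed statics are candidates to review, since each one makes the inside host reachable by its real address for whatever the outside interface ACL permits.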