Re: PIX 515E problem!

ha_lh · ‎07-15-2004

Hi all,

My PIX 515E in a customer net with the standard topo (Outside-DMZ-Inside)

192.168.28.xx----(e0 PIX e1) --(INSIDE)--10.30.31.xx

|

(DMZ-10.30.30.xx)

I use static map to translate 30.xx->28.xx for outside access.

I got the following problem:

+> Ping from inside (10.30.31.60) to dmz (10.30.30.5): receive the message "No translation group found for icmp src dmz:10.30.30.5 dst inside:10.30.

31.60 (type 0, code 0)" on logging console of PIX (has enabled debug icmp trace command)

+> Ping from outside to dmz and inside is oK

+> Ping from inside to dmz (10.30.30.3) is oK

dmz 30.5 is running Cluster Database Service (Node 1).

So which problem can I face?

Pls help me soon. Thank in advance

nkhawaja · ‎07-15-2004

You said that you can ping from 10.30.31.60 to 10.30.30.3, so it means you do have the static translation configured. Now the messages is not showing deny from any access-list, so access-list is not an issue either.

are you pining 10.30.30.5? may be you are pinging the cluster IP address and response is coming from 10.30.30.5

can you share the particular static ? and ACL

ha_lh · ‎07-15-2004

Thank for reply me, I don't pine 10.30.30.5

show route:

-------------------------------

outside 0.0.0.0 0.0.0.0 10.30.28.2 1

OTHER static

outside 10.30.28.0 255.255.255.0 10.30.28.1 1 CONNECT static

dmz 10.30.30.0 255.255.255.0 10.30.30.1 1 CONNECT static

inside 10.30.31.0 255.255.255.0 10.30.31.1 1 CONNECT static

show static:

-----------------------

static (dmz,outside) 10.30.28.3 10.30.30.3 netmask 255.255.255.255 0 0

static (dmz,outside) 10.30.28.4 10.30.30.4 netmask 255.255.255.255 0 0

static (dmz,outside) 10.30.28.5 10.30.30.5 netmask 255.255.255.255 0 0

static (dmz,outside) 10.30.28.6 10.30.30.6 netmask 255.255.255.255 0 0

static (dmz,outside) 10.30.28.7 10.30.30.7 netmask 255.255.255.255 0 0

------------------------

(PIX515)---(e1 Inside)---f0/12(Sw2950-vlan31)f0/11--(vlan 31 hosts)

(PIX515)---(e2 DMZ)---f0/10(Sw2950-vlan30)f0/8--(vlan 30 hosts)

HNM-FW51-TT#ping 10.30.31.1 (inside address)-> OK

HNM-FW51-TT# ping 10.30.31.60 (first try)

10.30.31.60 response received -- 0ms

10.30.31.60 NO response received -- 1000ms

from the second try, no response received!!!

host 10.30.31.60>ping 10.30.31.1 -> OK

host outside> ping 10.30.31.60 -> OK

So what happens? I'm sure that no icmp filter is being enable on PIX.

srdja · ‎07-16-2004

With show arp command check if your MAC and IP addresses are paired as they should be (for hosts 10.30.30.5 and 10.30.31.6). You said that 10.30.30.5 is one of cluster addresses. Maybe PIX in its arp table have entry for other node for 10.30.30.5 address. I had this problem with Broadcom team drivers on IBM X445 series (two nodes) cluster.

Good Luck,

Srdja

ha_lh · ‎07-16-2004

Yes,the problem occured due to the misconfiguring of VLAN routing in the Router that connect to PIX.I resolved it and many thank for your help.

During the upgrading phase, some customers want to get the access to Inside hosts (10.30.31.xx, sec=100) from any lower security domains (outside, sec=0)(dmz,10.30.30.xx,sec=30). How can I configure this sitution? Static translation is not scalable at all !!!

Many thanks!

srdja · ‎07-18-2004

Static translations can be scalable. For your example:

static (inside, dmz) 10.30.31.0 10.30.31.0 netmask 255.255.255.0 0 0

static (inside, outside) 10.30.31.0 10.30.31.0 netmask 255.255.255.0 0 0

And with ACLs you can filter users and limit access to the inside zone.

Good Luck,

Srdja

ha_lh · ‎07-18-2004

Done!

Got your directions with many thank!