02-26-2003 10:08 AM - edited 02-20-2020 10:35 PM
Hi
Using PIX 6.2(2)
I am able to translate from the outside to the inside using
static (outside,inside)
but should I be able to NAT using
global (inside) 1 192.168.0.129-192.168.0.253
global (inside) 1 192.168.0.254
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
I get the following errors
305005: No translation group found for icmp src outside:10.12.0.33 dst inside:172.25.16.1 (type 8, code 0)
thanks
02-26-2003 11:02 PM
The commands used for translation in the PIX are determined by comparison of security levels:
1. If traffic travels from a low to a high security level, use static and access-list commands.
2. If traffic travels from a high to a low security level, use nat and global commands.
In your case, you need to match the correct interface with the correct command.
You need - nat (inside) 1 0 0
and - global (outside) 1 (Internet IP address or range assigned to you)
Here is a link for further info:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml
RJ
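Added example, not part of the original posts: a short Python parser for the 305005 message quoted in the question, which applies the security-level rule of thumb from the reply above to name the command pair that rule points to. The interface security levels (outside 0, inside 100) are an assumption, and the second and third log lines are constructed for illustration.

```python
import re

# Assumption: default PIX security levels for these interface names; change
# them to match the nameif lines of the firewall that wrote the log.
SECURITY_LEVELS = {"outside": 0, "inside": 100}

# Format of the 305005 message quoted in the question; ports appear for
# TCP/UDP flows and are absent for ICMP.
MSG_305005 = re.compile(
    r"305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

def classify(line, levels=SECURITY_LEVELS):
    """Parse one 305005 line; return the flow plus direction, or None."""
    m = MSG_305005.search(line)
    if m is None:
        return None
    flow = m.groupdict()
    src, dst = levels.get(flow["src_if"]), levels.get(flow["dst_if"])
    if src is None or dst is None:
        flow["direction"], flow["commands"] = "unknown interface", None
    elif src < dst:
        flow["direction"], flow["commands"] = "low-to-high", "static + access-list"
    elif src > dst:
        flow["direction"], flow["commands"] = "high-to-low", "nat + global"
    else:
        flow["direction"], flow["commands"] = "same level", None
    return flow

SAMPLE_LOG = [
    # From the question:
    "305005: No translation group found for icmp src outside:10.12.0.33 "
    "dst inside:172.25.16.1 (type 8, code 0)",
    # Constructed for illustration:
    "305005: No translation group found for tcp src inside:172.25.16.1/1025 "
    "dst outside:10.12.0.33/80",
    "305005: No translation group found for udp src dmz:192.0.2.10/53 "
    "dst inside:172.25.16.1/1030",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        f = classify(entry)
        print(f["src_if"], "->", f["dst_if"], f["proto"], f["direction"], f["commands"])
```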
02-27-2003 06:47 AM
RJ, according to the link, it says:
"Outside NAT
Starting with PIX 6.2, NAT and PAT can be applied to traffic from an outside, or less secure, interface to an inside (more secure) interface. This is sometimes referred to as "bi-directional NAT." "
And also
"Outside NAT/PAT is similar to inside NAT/PAT, but the address translation is applied to addresses of hosts residing on the outer (less secure) interfaces of the PIX. To configure dynamic outside NAT, specify the addresses to be translated on the less secure interface and specify the global address or addresses on the inside (more secure) interface. To configure static outside NAT, use the static command to specify the one-to-one mapping."
I am able to get static outside NAT working as shown in the example,
but not dynamic outside NAT. My question is how to make that work.
The commands you mention refer to inside NAT, not outside NAT.
-Michel
02-28-2003 06:42 AM
You are still backwards though. Regular NAT, where you have legitimate IPs on the outside, and RFC 1918 IPs on the inside, requires global commands on the outside int, and nat on the inside int.
Outside nat is used far less frequently, often for poorly designed networks, or to deal with poorly written applications. That said, outside nat requires the *same* rules for global and nat commands - global on outside int, nat on inside int. Outside nat, as seen in the doc, is achieved through the addition of more static commands.