Re: PIX does not allow traffic from DMZ to Inside

nvamvakas · ‎10-07-2004

We have 3 zones: out (0), in (100) and dmz (80)

I want to permit specific traffic from a server in DMZ to enter inside but whatever I do I receive the following error

"305005: No translation group found for udp src dns_zone:192.168.20.10..."

I created a translation group and I added access list to permit everything from that zone to enter inside zone.

Config:

ip address inside 132.0.0.10 255.255.0.0

ip address dns_zone 192.168.20.1 255.255.255.0

global (inside) 1 132.0.0.101

nat (dns_zone) 1 192.168.20.0 255.255.255.0 outside

static (inside,dns_zone) 192.168.20.10 192.168.20.10 netmask 255.255.255.255

static (dns_zone,inside) 192.168.20.10 192.168.20.10 netmask 255.255.255.255

access-list from_dns_zone permit icmp host 192.168.20.10 any

access-list from_dns_zone permit tcp host 192.168.20.10 any

access-list from_dns_zone permit udp host 192.168.20.10 any

Any solution? We need to initiate traffic from dmz zone to inside. How this can be accompished???

j-barrett · ‎10-07-2004

you need to add "access-group from_dns_zone in interface dns_zone"

You do not need "static (inside,dns_zone) 192.168.20.10 192.168.20.10 netmask 255.255.255.255"

There should be a global statement on the outside not the inside interface ! and for users on the inside to get internet access you need to add a nat 1 statement to the inside.

j-barrett · ‎10-07-2004

whoops meant to say, you do not need "static (dns_zone,inside) 192.168.20.10 192.168.20.10 netmask 255.255.255.255"

nvamvakas · ‎10-07-2004

Exactly I didnt need that statement, so I removed it!

the problem solved by adding static statements, from inside to dmz, for all those servers we need to access from the dmz zone! simple as that!

Oh god! Sorry goes problem solved!

I have to read the PIX documentation once more to understand it better!!!

edugger · ‎10-12-2004

you can also exclude the int network to the dmz network in your NAT .