
PIX to Netscreen vLAN setup

jwright
Level 1

I have a Netscreen25 and a PIX 501 with an unusual setup. Here's how it looks.

-Internet
|
Cisco 2600 Outside routable address
| Inside address 10.0.0.1
|
Netscreen Outside address Port 1 10.0.0.2
| Port 3 Inside address 192.168.1.1
| to 192.168.1.x
|-Vlan
|Port 2 192.168.2.2/24
|
Pix Outside address 192.168.2.1
| Inside address 172.16.0.1
Computer 172.16.0.10

The 172.16.0 addresses can ping 192.168.1.x addresses, but that is it. The Pix monitor says:

305005:No translation group found for icmp src inside 172.16.0.10 dst outside:216.239.41.99 (type 8 code 0)

Trying to ping Google. Looks like a routing error of some kind. What is a translation group?

--Jerry

1 Reply

gfullage
Cisco Employee

The PIX has to create a translation for all traffic passing through it. It does this with the nat/global and static configuration commands. Basically for any traffic to pass from a higher security interface to a lower (inside to outside), the PIX needs to create a translation for it and to do that it needs to either have a static command or a nat/global pair for the two interfaces.

If you can ping 192.168.1.0 then it means that you probably have a nat/global something like:

> nat (inside) 1 0.0.0.0 0.0.0.0

> global (outside) 1 interface

or something similar. I'm a little confused as to why you're getting this message then because your other traffic is also going from the inside to the outside interface, so it should use the same nat/global.

If you could post your config it would be easy to see where the problem lies, xxxx out your passwords though.
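The rule described in the reply above (a static, or a nat/global pair sharing one ID across the two interfaces) can be checked offline against a saved config. This is an added example, not part of the original thread or any Cisco tool: it models only full-address nat, global and static lines, the sample configs are constructed, and find_translation is a hypothetical helper name.

```python
import ipaddress
import re

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
# static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) \S+ (\S+)(?: netmask (\S+))?")

# Constructed sample configs (not taken from the PIX in the thread).
PAIRED = "nat (inside) 1 0.0.0.0 0.0.0.0\nglobal (outside) 1 interface\n"
MISMATCHED_ID = "nat (inside) 1 0.0.0.0 0.0.0.0\nglobal (outside) 2 interface\n"


def find_translation(config, src_if, dst_if, src_ip):
    """Return the config line(s) that give src_ip a translation, else None."""
    src = ipaddress.ip_address(src_ip)
    globals_by_id = {}  # (interface, nat id) -> global line
    nats = []           # (nat id, source network, nat line) on src_if
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            real_if, mapped_if, real, mask = m.groups()
            # Assumption: a static without "netmask" covers a single host.
            net = ipaddress.ip_network(f"{real}/{mask or '255.255.255.255'}", strict=False)
            if (real_if, mapped_if) == (src_if, dst_if) and src in net:
                return line
        elif m := GLOBAL_RE.match(line):
            globals_by_id[(m.group(1), m.group(2))] = line
        elif (m := NAT_RE.match(line)) and m.group(1) == src_if:
            if m.group(3) == "access-list":
                continue  # ACL-based nat is outside this simplified model
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            nats.append((m.group(2), net, line))
    for nat_id, net, line in nats:
        if src not in net:
            continue
        if nat_id == "0":
            return line  # identity NAT needs no matching global
        if (dst_if, nat_id) in globals_by_id:
            return f"{line} + {globals_by_id[(dst_if, nat_id)]}"
    return None  # no static and no nat/global pair: the 305005 case


if __name__ == "__main__":
    for name, cfg in (("paired", PAIRED), ("mismatched id", MISMATCHED_ID)):
        print(name, "->", find_translation(cfg, "inside", "outside", "172.16.0.10"))
```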
