03-15-2005 01:55 AM - edited 02-21-2020 12:00 AM
Hi All,
Really need help with this.
I have a switch that has a public ip address (192.168.0.2), that I would like to manage from the private ip address (10.0.0.5).
I would like to be able to telnet to 10.0.1.5 which would be the NATed ip address of the switch.
Here is the config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 10.0.1.5 Switch_A_NAT
name 192.168.0.2 Switch_A
access-list outside_access_in deny ip any any log
access-list inside_access_in permit tcp 10.0.0.0 255.255.255.0 host 10.0.1.5 eq telnet
access-list inside_access_in permit tcp 10.0.0.0 255.255.255.0 host 192.168.0.2 eq telnet
ip address outside 192.168.0.1 255.255.255.224
ip address inside 10.0.1.15 255.255.255.192
static (outside,inside) 10.0.1.5 192.168.0.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
Error received:
305005: No translation group found for tcp src inside:10.0.0.5/3534 dst outside:10.0.1.5/23
03-15-2005 05:57 AM
Even with "outside nat" you still need a translation from inside to outside plus an ACL, and the outside nat will be unnecessary in this case.
Try removing the outside static, and translate inside to outside:
nat (inside) 1 10.0.0.5 255.255.255.255
global (outside) 1 192.168.0.30
or, identity nat translation
static (inside, outside) 10.0.0.5 10.0.0.5 netmask 255.255.255.255 0 0
or:
static (inside, outside) 192.168.0.30 10.0.0.5 netmask 255.255.255.255 0 0
ACL outside_access_in is redundant (except for logging behaviour)
Regards,
Mustafa
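A small Python model of the lookup behaviour the reply above describes, added here as an illustration (it is not from any poster and simplifies real PIX 6.x rule ordering; the class and function names are my own): with only the poster's outside static, an inside-to-outside telnet flow has no source translation and yields the 305005 message quoted in the question, while adding the nat/global pair or an identity static gives the flow a mapped source. The outside static is kept in the model so the destination rewrite from 10.0.1.5 to 192.168.0.2 is also visible.

```python
import ipaddress

class PixNat:
    """Simplified PIX 6.x translation lookup: statics win over nat/global pairs."""
    def __init__(self):
        self.statics = []      # (real_if, mapped_if, mapped, real)
        self.nat_rules = []    # (iface, nat_id, network)
        self.global_pool = {}  # (iface, nat_id) -> mapped address
    def static(self, real_if, mapped_if, mapped, real):
        self.statics.append((real_if, mapped_if, mapped, real))
    def nat(self, iface, nat_id, addr, mask):
        self.nat_rules.append((iface, nat_id, ipaddress.ip_network(f"{addr}/{mask}")))
    def global_(self, iface, nat_id, mapped):
        self.global_pool[(iface, nat_id)] = mapped

    def source_xlate(self, src_if, src, dst_if):
        """Mapped source for a src_if -> dst_if flow, or None if no rule covers it."""
        for real_if, mapped_if, mapped, real in self.statics:
            if real_if == src_if and mapped_if == dst_if and real == src:
                return mapped
        for iface, nat_id, net in self.nat_rules:
            if iface == src_if and ipaddress.ip_address(src) in net:
                return self.global_pool.get((dst_if, nat_id))  # None without a global
        return None

    def dest_untranslate(self, src_if, dst):
        """Outside NAT: a static whose mapped side faces the sender rewrites the destination."""
        for real_if, mapped_if, mapped, real in self.statics:
            if mapped_if == src_if and mapped == dst:
                return real
        return dst

    def forward(self, proto, src_if, src, sport, dst_if, dst, dport):
        """Return (mapped_src, real_dst), or the syslog line the PIX emits instead."""
        mapped_src = self.source_xlate(src_if, src, dst_if)
        if mapped_src is None:
            return (f"305005: No translation group found for {proto} "
                    f"src {src_if}:{src}/{sport} dst {dst_if}:{dst}/{dport}")
        return mapped_src, self.dest_untranslate(src_if, dst)

def poster_config():
    p = PixNat()  # translation rules from the original post: only the outside static
    p.static("outside", "inside", "10.0.1.5", "192.168.0.2")
    return p

def with_inside_nat():
    p = poster_config()  # same rules plus the nat/global pair suggested in the reply
    p.nat("inside", 1, "10.0.0.5", "255.255.255.255")
    p.global_("outside", 1, "192.168.0.30")
    return p
```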
03-15-2005 06:57 AM
use outside nat
03-17-2005 07:42 PM
First I assume the IP addresses you are giving are not the actual addresses, since they are all from the RFC 1918 group. Assuming that and looking at your config, a first glance shows one problem.
Your static NAT mapping is incorrectly stated.
Try these commands
no static (outside,inside) 10.0.1.5 192.168.0.2 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.1.5 192.168.0.2 netmask 255.255.255.255
You have the (inside,outside) statement reversed. Nothing will work until that is corrected.
Chris Weber CCDP
Chris
03-17-2005 07:55 PM
Also what is with the Inside Access List? Are you trying to deny certain systems on your network from accessing the Internet?
An access-list applied to the inside Interface of a PIX, Ethernet 1 which has the highest security level is in most cases a moot command, and causes problems in most cases. Traffic from the inside is already by default permitted to the outside, from the higher security interface to the lower is always permitted on the PIX. Applying an access list to this interface can restrict outbound traffic and cause all sorts of headaches. Unless you absolutely have to restrict certain users from accessing the Internet (and even then there are better ways to do this) I would remove the access-list inside from the PIX altogether.
You basically have the whole thing backwards, not to be critical of course. Your access-list inside is set to permit telnet to the Switch, but it is applied to the INSIDE interface. It needs to be applied to the OUTSIDE interface.
Also you applied an access list to the OUTSIDE interface blocking EVERYTHING!
Type these commands or copy them from here and apply them in Global Config mode.
1. No access-group outside_access_in in interface outside
2. No access-group inside_access_in in interface inside
3. access-group inside_access_in in interface outside
Do this AFTER doing what I told you to do in my first post. You need to correct the STATIC NAT statements first, then set the Access-lists. You can cut and paste my commands from this message directly into your PIX from Global Config Mode.
Regards
Chris Weber CCDP
03-17-2005 08:04 PM
Oh no, it's me again. You have another problem.
You have your access-lists written incorrectly. You are applying them as if you were permitting the NAT address to the Internal address. You don't need to do this.
If your outside address, the address you have set as the external NAT address of the switch is 10.0.1.5 then your access-list would read as follows.
access-list mysamplelist permit tcp any host 10.0.1.5 eq 23
Then you apply the access list to the outside interface
access-group mysamplelist in interface outside
There, we just rebuilt your PIX in 3 posts.
Regards
Chris Weber CCDP