03-11-2005 04:14 AM - edited 02-21-2020 12:00 AM
Hi, can anyone help me with this?
I'm trying to configure a PIX 515 to pass ICMP messages from the DMZ VLAN interface configured on the PIX (VLAN 3) to the inside interface.
It's set up like this:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet2 vlan2 physical
interface ethernet2 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 msx security4
nameif vlan3 dmz security7
sh nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
nat (msx) 1 0.0.0.0 0.0.0.0 0 0
sh global
global (inside) 1 interface
global (dmz) 1 interface
global (msx) 1 interface
At this point I'm not concerned with access-lists, as the error message I get is as follows:
155: ICMP echo-request from dmz:192.168.3.1 to 10.240.2.2 ID=512 seq=11520 length=40
305005: No translation group found for icmp src dmz:192.168.3.1 dst inside:10.240.2.2 (type 8, code 0)
I'm by no means an expert when it comes to PIXes; can anyone help? Two further things may help to shed some light on the problem. There is no routing set up between the VLAN interfaces; could this be an issue? I also tried a static command and still got the same error. The command was:
static (dmz, inside) 192.168.3.1 192.168.3.1
03-12-2005 11:55 PM
Hi David:
Since you are trying to permit a host from a low security interface to a high security interface, you need to have
static (high,low) high high
In this case, you would need:
static (inside, dmz) 10.240.2.2 10.240.2.2 netmask 255.255.255.255 0 0
I assume that you already have an access-list to permit icmp echo applied to the DMZ interface. If it's not already there, just add an ACE to permit icmp echo and you should be good to go.
Sincerely,
Binh
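The rule in the answer above, as an added example that is not part of either post: a small Python check that reads the `nameif` and `static` lines plus the 305005 message from the question and reports which `static` is missing. The function name `diagnose` and its simplified model of PIX translation (host netmask assumed when none is given) are assumptions of this example.

```python
import ipaddress
import re

# Constructed from the configuration and syslog line quoted in the question.
CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 msx security4
nameif vlan3 dmz security7
static (dmz, inside) 192.168.3.1 192.168.3.1
"""
SYSLOG = ("305005: No translation group found for icmp src dmz:192.168.3.1 "
          "dst inside:10.240.2.2 (type 8, code 0)")

NAMEIF = re.compile(r"^nameif \S+ (\S+) security(\d+)$", re.M)
STATIC = re.compile(r"^static \((\S+?),\s*(\S+?)\) (\S+) (\S+)(?: netmask (\S+))?", re.M)
FLOW = re.compile(r"305005: .* src (\S+?):([\d.]+) dst (\S+?):([\d.]+)")


def diagnose(config, syslog):
    """Return (status, suggested_command) for one 305005 message.

    Simplified model (assumption of this example): a flow from a lower to a
    higher security level needs static (high_if,low_if) covering the target.
    """
    level = {name: int(sec) for name, sec in NAMEIF.findall(config)}
    m = FLOW.search(syslog)
    if not m:
        raise ValueError("not a 305005 message")
    src_if, _src_ip, dst_if, dst_ip = m.groups()
    if level[src_if] >= level[dst_if]:
        # High-to-low flows use nat/global pairs; not analysed further here.
        return ("outbound", f"check nat ({src_if}) / global ({dst_if}) pairing")
    dst = ipaddress.ip_address(dst_ip)
    for real_if, mapped_if, mapped, _real, mask in STATIC.findall(config):
        # Assumption: a static without a netmask is treated as a host entry.
        net = ipaddress.ip_network(f"{mapped}/{mask or '255.255.255.255'}", strict=False)
        if (real_if, mapped_if) == (dst_if, src_if) and dst in net:
            return ("translated", None)
    return ("missing-static",
            f"static ({dst_if},{src_if}) {dst_ip} {dst_ip} netmask 255.255.255.255")
```

Run against the question's configuration, the `static (dmz, inside)` entry does not satisfy the check because its interface pair is reversed relative to the flow's destination; the access-list on the DMZ interface still has to permit the echo separately.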