Solved: Translation group problem on PIX 515

davidjkent · ‎03-11-2005

Hi Can anyone help me with this?

I'm trying to configure a PIX 515 to pass icmp messages from the dmz vlan interface configured on the PIX (Vlan 3) interface to the inside interface.

its set up like this

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet2 vlan2 physical

interface ethernet2 vlan3 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 msx security4

nameif vlan3 dmz security7

sh nat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

nat (msx) 1 0.0.0.0 0.0.0.0 0 0

sh global

global (inside) 1 interface

global (dmz) 1 interface

global (msx) 1 interface

At this point i'm not concerened with access-lists as the error message I get is as follows

155: ICMP echo-request from dmz:192.168.3.1 to 10.240.2.2 ID=512 seq=11520 length=40

305005: No translation group found for icmp src dmz:192.168.3.1 dst inside:10.240.2.2 (type 8, code 0)

I'm by no means an expert when it comes to PIX's can anyone help. Two further things may help to shed some light on the problem there is no Routing setup between the Vlan interfaces, could this be an issue? I tried a static command and still got the same error the command was... static (dmz, inside) 192.168.3.1 192.168.3.1

bphan · ‎03-12-2005

Hi David:

Since you are trying to permit host from a low security interface to a high security interface, you need to have

static (high,low) high high

In this case, you would need:

static (inside, dmz) 10.240.2.2 10.240.2.2 netmask 255.255.255.255 0 0

I assume that you already have an access-list to permit icmp echo applied to the DMZ interface. If it's not already there, just add an ACE to permit icmp echo that you should be good to go.

Sincerely,

Binh

View solution in original post

bphan · ‎03-12-2005