cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
459
Views
0
Helpful
4
Replies

NAT question

wkho
Level 1
Level 1

I have the following scenerio.

Outside interface address of pix 10.10.10.253 and Inside interface address of pix 192.168.120.253.

If I do the following:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

global (inside) 2 interface

nat (outside) 2 0.0.0.0 0.0.0.0 outside 0 0

I would like to make it such that the source IP(Lets say 10.10.10.5) of traffic from outside will translate to the inside address (192.168.120.253) of the pix such that the destination device in the inside will think the packet is coming from the PIX inside address instead of 10.10.10.5.

This configuration seems to work however, when I try to test outbound traffic, the PIX created a Dynamic translation between 192.168.120.253 with 10.10.10.253 for the outgoing traffic but the traffic dies with an error of

"No translation group found for icmp src inside:192.168.120.253 dst outside:10.10.10.5 (type 8, code 0)"

Any idea?

4 Replies 4

nkhawaja
Cisco Employee
Cisco Employee

this probably may not work with icmp, because reply is a separate sessions and IP addresses are changing etc. Have you tried http/telnet/ftp etc.

I just tried using telnet and I received the same error. No translation group found.

Can we see your entire configuration

Phil

The IPs are different. But here is a config of what I am trying to accomplish on my test PIX.

PIX Version 6.3(3)107

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

enable password

passwd

hostname pixfirewall

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list in-from-outside permit udp any gt 1023 host 192.168.7.253 eq tftp

access-list in-from-inside permit icmp any host 192.168.7.1

access-list in-from-inside permit icmp any host 192.168.7.2

access-list in-from-inside permit icmp any host 192.168.120.2

pager lines 24

logging on

logging timestamp

logging buffered debugging

logging trap informational

logging history warnings

logging facility 6

mtu outside

mtu inside 1500

mtu intf2 1500

ip address outside 192.168.7.253 255.255.255.0

ip address inside 192.168.120.2 255.255.255.0

no ip address intf2

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

global (inside) 2 interface

nat (outside) 2 0.0.0.0 0.0.0.0 outside 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) udp 192.168.7.253 tftp 192.168.120.253 tftp netmask 255.255.255.255 0 0

access-group in-from-outside in interface outside

access-group in-from-inside in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.7.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end