The problem with the static command and nat/global command

xiexfrocky
Level 1

The configuration for NAT, GLOBAL and STATIC:

global (outside) 1 interface

global (inside) 1 10.1.1.1

nat (outside) 1 access-list acl1 outside 0 0

nat (inside) 1 10.1.1.0 255.255.255.0 0 0

static (inside,outside) 192.168.1.3 10.1.1.3 netmask 255.255.255.255 0 0

It is known that we can configure "static" and "ACL" together to permit traffic from outside to inside. It worked well before I added the nat (outside) and global (inside) configurations.

2 Replies

xiexfrocky
Level 1

ACL1:

access-list acl1 permit any host 192.168.1.1

I found that if the traffic does NOT MATCH acl1, the outside host cannot connect to 192.168.1.3, although STATIC/ACL has been configured.

And the PIX displays this error message:

%PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

Hi,

I don't know exactly what you want to do but:

INSIDE --> OUTSIDE

------------------

use the nat and global command only:

nat (inside) 1 10.1.1.0 255.255.255.0 0 0

global (outside) 1 interface

--> Your network 10.1.0.0/24 will be translated into the IP address of your outside interface when it goes outside

access-list inside_access_in permit ip 10.1.0.0 255.255.0.0 any

access-group inside_access_in in interface inside

--> the ACL which permits traffic from inside to outside

OUTSIDE --> INSIDE

------------------

use the static command:

static (inside,outside) 192.168.1.3 10.1.1.3 netmask 255.255.255.255 0 0

--> The address 10.1.1.3 in your network has a "public" address (192.168.1.3), which makes it possible for the outside to reach it.

access-list outside_access_in permit ip any host 192.168.1.3

access-group outside_access_in in interface outside

--> An ACL which permits traffic from any host in the Outside to your local address 10.1.1.3

With this configuration:

1/ The inside hosts can go outside

2/ The outside hosts can connect to 10.1.1.3
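
A small audit of the configuration discussed in this thread, as an added example that is not part of any poster's message: it flags a static whose mapped interface also has outside NAT enabled (the combination the original poster reports as producing %PIX-3-305005 for sources that do not match the NAT ACL), plus ACLs that are applied but undefined or defined but never applied. The function name `audit`, the finding codes and the sample text are assumptions constructed for illustration.

```python
# Constructed sample: the original poster's lines plus the ACL binding from the reply.
SAMPLE = """\
global (outside) 1 interface
global (inside) 1 10.1.1.1
nat (outside) 1 access-list acl1 outside 0 0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside,outside) 192.168.1.3 10.1.1.3 netmask 255.255.255.255 0 0
access-list acl1 permit any host 192.168.1.1
access-list outside_access_in permit ip any host 192.168.1.3
access-group outside_access_in in interface outside
"""

def audit(config):
    """Hypothetical helper: return (code, detail) findings for PIX-style config text."""
    acls, bound, nat_acls, outside_nat, statics = set(), {}, set(), {}, []
    for tok in (line.split() for line in config.splitlines()):
        if len(tok) < 2:
            continue
        if tok[0] == "access-list":
            acls.add(tok[1])
        elif tok[0] == "access-group" and len(tok) >= 5:
            bound[tok[1]] = tok[4]            # access-group <acl> in interface <if>
        elif tok[0] == "nat" and len(tok) >= 4:
            acl = tok[4] if tok[3] == "access-list" and len(tok) > 4 else None
            if acl:
                nat_acls.add(acl)
            if "outside" in tok[3:]:          # trailing keyword enables outside NAT
                outside_nat[tok[1].strip("()")] = acl
        elif tok[0] == "static" and len(tok) >= 4 and "," in tok[1]:
            mapped_if = tok[1].strip("()").split(",")[1]
            statics.append((mapped_if, tok[2], tok[3]))
    findings = []
    for mapped_if, mapped, real in statics:
        if mapped_if in outside_nat:
            findings.append(("OUTSIDE_NAT_WITH_STATIC",
                f"static {mapped}->{real}: outside NAT on '{mapped_if}' only translates "
                f"sources matching {outside_nat[mapped_if]}; the poster reports "
                f"%PIX-3-305005 for the rest"))
    for acl, iface in bound.items():
        if acl not in acls:
            findings.append(("UNDEFINED_ACL", f"{acl} applied to {iface} but not defined"))
    for acl in sorted(acls - set(bound) - nat_acls):
        findings.append(("UNBOUND_ACL", f"{acl} defined but never applied"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(code, detail)
```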