03-25-2005 02:32 AM - edited 02-21-2020 01:41 PM
Hi all,
I've some problems with NAT/nonat on a PIX 515E.
The PIX is connected to a site-to-site tunnel on the outside interface.
The problem is pinging over the VPN tunnel to DMZ hosts.
I think it must work with a static entry like the following:
static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0
But in the log I always get the message:
305005: No translation group found for icmp src outside:10.43.27.250 dst dmz:10.43.100.3 (type 8, code 0)
I've also tried a nat 0 rule with no success.
Enclosed next is a cut-down config:
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 200.1.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
ip address outside 199.99.99.2 255.255.254.0
ip address inside 10.43.8.12 255.255.240.0
ip address dmz 10.43.100.2 255.255.255.0
global (outside) 1 199.99.99.11 netmask 255.255.255.255
global (outside) 1 199.99.99.14 netmask 255.255.255.255
global (dmz) 1 10.43.100.50-10.43.100.98 netmask 255.255.255.0
global (dmz) 1 10.43.100.99 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.43.0.44 255.255.255.255 0 0
nat (inside) 1 10.43.8.0 255.255.255.0 0 0
nat (inside) 1 10.43.9.0 255.255.255.0 0 0
static (inside,outside) tcp 199.99.99.2 telnet 10.43.8.52 telnet netmask 255.255.255.255 0 0
static (inside,dmz) 10.43.8.29 10.43.8.29 netmask 255.255.255.255 0 0
static (inside,dmz) 10.43.8.20 10.43.8.20 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.6 10.43.100.6 netmask 255.255.255.255 0 0
static (inside,outside) 199.99.99.7 10.43.9.56 netmask 255.255.255.255 0 0
static (inside,outside) 199.99.99.5 10.43.8.53 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.4 10.43.100.4 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.3 10.43.100.3 netmask 255.255.255.255 0 0
static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz
Any hints?
Thanks
Armin
03-28-2005 07:09 PM
Without seeing the rest of the config it's hard to tell you exactly what is happening (i.e. ACLs, sysopt connection permit-ipsec etc.).
You will however need to have a nonat for the DMZ traffic to go back across the VPN:
access-list nonat-dmz permit ip 10.43.100.0 255.255.255.0 10.43.27.0 255.255.255.0
nat (dmz) 0 access-list nonat-dmz
Also remove the static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0. I don't see any reason for you to be doing destination NAT.
HTH
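The lookup behind the answer, as an added example that is not from the thread or from Cisco: a small Python model of the PIX 6.x inbound translation check. It assumes the security levels shown, parses only address statics and nat 0 ACLs, and uses config excerpts constructed from the thread to show why the static (outside,dmz) line never matches while nat (dmz) 0 does.

```python
# Constructed model of a PIX 6.x inbound translation lookup (not PIX code).
from ipaddress import ip_address, ip_network

SECURITY = {"outside": 0, "dmz": 50, "inside": 100}  # assumed security levels

def parse(config):
    """Collect nat 0 identity rules and address statics from a PIX 6.x config."""
    acls, identity, statics = {}, [], []
    for line in config.splitlines():
        w = line.split()
        if len(w) > 7 and w[0] == "access-list" and w[2] == "permit":
            acls.setdefault(w[1], []).append(
                (ip_network(f"{w[4]}/{w[5]}", strict=False),    # local (real) side
                 ip_network(f"{w[6]}/{w[7]}", strict=False)))   # remote side
        elif len(w) > 4 and w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            identity.append((w[1].strip("()"), w[4]))           # (real_if, ACL name)
        elif len(w) > 5 and w[0] == "static" and w[2] not in ("tcp", "udp"):
            real_if, mapped_if = w[1].strip("()").split(",")
            mapped = ip_network(f"{w[2]}/{w[5]}", strict=False)  # w[4] is 'netmask'
            statics.append((real_if, mapped_if, mapped))
    return acls, identity, statics

def inbound_xlate(config, ingress, egress, src, dst):
    """Return the rule that gives higher-security host `dst` a translation on
    `ingress`, or None, which is the case PIX logs as 305005."""
    assert SECURITY[ingress] < SECURITY[egress], "model covers low->high flows only"
    acls, identity, statics = parse(config)
    src, dst = ip_address(src), ip_address(dst)
    # A static is defined on the real (higher-security) interface of the pair,
    # so 'static (outside,dmz) ...' is never a candidate for an outside->dmz flow.
    for real_if, mapped_if, mapped in statics:
        if real_if == egress and mapped_if == ingress and dst in mapped:
            return f"static ({real_if},{mapped_if}) {mapped}"
    for real_if, acl in identity:  # nat (egress) 0 access-list: bidirectional identity
        if real_if == egress:
            for local_net, remote_net in acls.get(acl, []):
                if dst in local_net and src in remote_net:
                    return f"nat ({real_if}) 0 access-list {acl}"
    return None

# Constructed excerpts of the thread's config: before and after the fix.
BEFORE = """
static (dmz,outside) 199.99.99.3 10.43.100.3 netmask 255.255.255.255 0 0
static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0
"""
AFTER = BEFORE + """
access-list nonat-dmz permit ip 10.43.100.0 255.255.255.0 10.43.27.0 255.255.255.0
nat (dmz) 0 access-list nonat-dmz
"""
```

Calling inbound_xlate(BEFORE, "outside", "dmz", "10.43.27.250", "10.43.100.3") returns None, the situation the 305005 log line reports; the same call against AFTER returns the nat (dmz) 0 rule.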
03-29-2005 05:03 AM
I've added a nat 0 on the dmz interface and now it works!
On the basis of the error message, I meant the problem covers nat on the outside interface.
The traffic is initiated on the other site behind the outside interface, so in my opinion the nat 0 rule must be configured on the outside interface and not on the DMZ side.
Many Thanks!
Regards
Armin