Nat VPN outside -> dmz

akundigraber (Level 1)

Hi all,

I've some problems with NAT/nonat on a PIX 515E.

The PIX is connected to a site-to-site tunnel on the outside interface.

The problem is pinging over the VPN tunnel to DMZ hosts.

I think it should work with a static entry like the following:

static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0

But in the log I always get the message:

305005: No translation group found for icmp src outside:10.43.27.250 dst dmz:10.43.100.3 (type 8, code 0)

I've also tried a nat 0 rule with no success.

Enclosed next is a cut-down config:

access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 200.1.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
ip address outside 199.99.99.2 255.255.254.0
ip address inside 10.43.8.12 255.255.240.0
ip address dmz 10.43.100.2 255.255.255.0
global (outside) 1 199.99.99.11 netmask 255.255.255.255
global (outside) 1 199.99.99.14 netmask 255.255.255.255
global (dmz) 1 10.43.100.50-10.43.100.98 netmask 255.255.255.0
global (dmz) 1 10.43.100.99 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.43.0.44 255.255.255.255 0 0
nat (inside) 1 10.43.8.0 255.255.255.0 0 0
nat (inside) 1 10.43.9.0 255.255.255.0 0 0
static (inside,outside) tcp 199.99.99.2 telnet 10.43.8.52 telnet netmask 255.255.255.255 0 0
static (inside,dmz) 10.43.8.29 10.43.8.29 netmask 255.255.255.255 0 0
static (inside,dmz) 10.43.8.20 10.43.8.20 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.6 10.43.100.6 netmask 255.255.255.255 0 0
static (inside,outside) 199.99.99.7 10.43.9.56 netmask 255.255.255.255 0 0
static (inside,outside) 199.99.99.5 10.43.8.53 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.4 10.43.100.4 netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.3 10.43.100.3 netmask 255.255.255.255 0 0
static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface dmz

Any hints?

Thanks

Armin

Accepted Solution

jasobrown (Level 1)

Without seeing the rest of the config it's hard to tell you exactly what is happening (i.e. ACLs, sysopt connection permit-ipsec, etc.)

You will however need to have a nonat for the DMZ traffic to go back across the VPN:

access-list nonat-dmz permit ip 10.43.100.0 255.255.255.0 10.43.27.0 255.255.255.0

nat (dmz) 0 access-list nonat-dmz

Also remove the static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0. I don't see any reason for you to be doing destination NAT.

HTH
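To make the accepted answer concrete, here is a small model of the translation lookup a PIX 6.x performs for a connection that arrives on the outside interface and is bound for a DMZ host. This is an added example written for this thread, not code from the thread or from Cisco: it handles only the rule types that appear above (access-list permit ip, nat 0 access-list, address statics), ignores dynamic nat/global pairs, and assumes a security level of 50 for the dmz interface, which the thread does not state. The function names (parse_config, destination_translation) are invented for the example. It runs the original configuration from the question and the same configuration with the nat (dmz) 0 exemption added, and shows why the error 305005 appears in the first case but not the second, and why the exemption belongs on the interface where the real DMZ hosts live rather than on outside.

```python
"""Simplified model of how a PIX 6.x looks up a translation for a flow that
arrives on a lower-security interface (outside) and is bound for a host on a
higher-security one (dmz). Constructed example for this thread, not Cisco
code: it handles only the rule types posted above (access-list permit ip,
nat <if> 0 access-list, static <real_if>,<mapped_if>) and ignores dynamic
nat/global pairs, which never serve an inbound-initiated connection."""
import ipaddress
import re

# Security levels: PIX defaults for outside (0) and inside (100); the thread
# does not give the dmz level, so 50 is assumed.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}


def net(addr, mask):
    """Build a network from the dotted-mask notation used in PIX configs."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect ACL entries, nat 0 exemptions and address statics."""
    acls, nat0, statics = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
            continue
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line)
        if m:
            nat0[m.group(1)] = m.group(2)  # interface -> exemption ACL name
            continue
        # Address statics only; port statics (static ... tcp ...) are skipped.
        m = re.match(r"static \((\S+),(\S+)\) (\d[\d.]*) (\d[\d.]*) netmask (\S+)", line)
        if m:
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if, net(mapped, mask), net(real, mask)))
    return acls, nat0, statics


def destination_translation(config, ingress, src, egress, dst):
    """Return how the destination host of an inbound flow gets its xlate, or
    None when nothing applies (the condition behind syslog 305005)."""
    if SECURITY_LEVEL[ingress] >= SECURITY_LEVEL[egress]:
        raise ValueError("model covers lower-to-higher security flows only")
    acls, nat0, statics = parse_config(config)
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # 1. nat 0 access-list on the interface where the real host lives (egress).
    #    The ACL is written from that host's point of view, so it is matched
    #    reversed against a packet arriving from the other side.
    if egress in nat0:
        for real_net, remote_net in acls.get(nat0[egress], []):
            if dst in real_net and src in remote_net:
                return f"identity: nat ({egress}) 0 exempts {dst} <-> {src}"
    # 2. static (egress,ingress): the packet must be addressed to the mapped
    #    address, which is rewritten to the real one. A static whose real side
    #    is the ingress interface (outside NAT, like the static (outside,dmz)
    #    in the question) only rewrites the source and never satisfies this.
    for real_if, mapped_if, mapped_net, real_net in statics:
        if real_if == egress and mapped_if == ingress and dst in mapped_net:
            offset = int(dst) - int(mapped_net.network_address)
            return f"static: {dst} -> {real_net.network_address + offset}"
    return None


# Relevant lines from the configuration posted in the question.
ORIGINAL_CONFIG = """
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat
static (inside,outside) tcp 199.99.99.2 telnet 10.43.8.52 telnet netmask 255.255.255.255 0 0
static (dmz,outside) 199.99.99.3 10.43.100.3 netmask 255.255.255.255 0 0
static (outside,dmz) 10.43.26.0 10.43.26.0 netmask 255.255.254.0 0 0
"""

# The same configuration plus the exemption from the accepted answer.
FIXED_CONFIG = ORIGINAL_CONFIG + """
access-list nonat-dmz permit ip 10.43.100.0 255.255.255.0 10.43.27.0 255.255.255.0
nat (dmz) 0 access-list nonat-dmz
"""

if __name__ == "__main__":
    flow = ("outside", "10.43.27.250", "dmz", "10.43.100.3")
    print("before:", destination_translation(ORIGINAL_CONFIG, *flow))
    print("after: ", destination_translation(FIXED_CONFIG, *flow))
    print("mapped:", destination_translation(ORIGINAL_CONFIG, "outside", "10.43.27.250", "dmz", "199.99.99.3"))
```

In the original configuration the only xlate for 10.43.100.3 towards outside is the static that maps it to 199.99.99.3, so a packet from the remote site addressed to the real address 10.43.100.3 finds nothing and the PIX logs 305005; the nat (inside) 0 exemption does not help because it is bound to the inside interface. The nat (dmz) 0 entry is bound to the interface where 10.43.100.3 actually lives and is evaluated in both directions, which is why it resolves the inbound flow even though the connection is initiated from behind outside.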


2 Replies

I've added a nat 0 on the dmz interface and now it works!

On the basis of the error message, I thought the problem concerned NAT on the outside interface.

The traffic is initiated on the other site behind the outside interface, so in my opinion the nat 0 rule must be configured on the outside interface and not on the DMZ side.

Many Thanks!

Regards

Armin