10-30-2006 09:36 AM - edited 02-21-2020 02:41 PM
Hello,
I have a client VPNing into the corporate network and in the pool 10.10.100.x. Client is using internal DNS servers since they have to access private servers. They are also set up with split tunneling so as to use their own internet connection for the internet, plus it precludes them from having to have proxy settings on their web browsers (all http traffic is through a proxy server for our company).
They also have to access the company web server, which, using the internal DNS servers, gives them the private ip address of the server.
The problem I am having is, they cannot access the web server in the DMZ. The log entry is:
Oct 28 2006 15:10:20: %PIX-3-305005: No translation group found for tcp src outside:10.10.110.2/1221 dst dmz1:10.10.1.3/80
(10.10.1.x is our DMZ range)
Obviously there is already a static translation between the web server and a public address. So, how do I do a translation group for this scenario without breaking the current translation set for the web server? Do I treat it like a normal private address range and the PIX is smart enough to send the packets over the correct translation?
10-30-2006 10:01 AM
nat 0 acl from dmz to outside should do the trick.
access-list dmz_nat0_outbound permit ip 10.10.1.3 255.255.255.255 10.10.100.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
10-30-2006 11:52 AM
And the fact I have a static mapping for 10.10.1.3 to the outside (public ip) won't make a difference?
10-30-2006 06:18 PM
Nope.
That static is still in effect as it does not match the nat 0 acl. If you want to do this for all servers on dmz, then it would be
access-list dmz_nat0_outbound permit ip 10.10.1.0 255.255.255.0 10.10.100.0 255.255.255.0
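To confirm that a proposed nat 0 ACL really covers the flows the PIX is complaining about, here is an added Python example (not from the thread and not Cisco's code) that parses %PIX-3-305005 messages and checks each client/server pair against the ACL entry from the reply above; the sample syslog lines are constructed.

```python
import ipaddress
import re

# Pattern for the %PIX-3-305005 message quoted in the thread.
LOG_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# nat (dmz) 0 ACL from the reply, as (local ip, mask, remote ip, mask) tuples.
# PIX ACLs take a regular subnet mask, not the inverse mask IOS ACLs use.
NAT0_ACL = [("10.10.1.3", "255.255.255.255", "10.10.100.0", "255.255.255.0")]

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOGS = [
    "Oct 28 2006 15:10:20: %PIX-3-305005: No translation group found for tcp "
    "src outside:10.10.100.7/1221 dst dmz1:10.10.1.3/80",
    "Oct 28 2006 15:11:02: %PIX-3-305005: No translation group found for tcp "
    "src outside:10.10.110.2/1222 dst dmz1:10.10.1.3/80",
    "Oct 28 2006 15:11:40: %PIX-6-302013: Built inbound TCP connection 42",
]

def parse_305005(line):
    """Return the flow fields of a 305005 message, or None for any other message."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def in_net(ip, net_ip, mask):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net_ip}/{mask}", strict=False)

def nat0_exempts(acl, local_ip, remote_ip):
    """True if any ACL line pairs the interface-local host with the remote host.

    nat 0 exemption is bidirectional: a flow logged as client -> DMZ server is
    matched with the DMZ server as the ACL source and the client as its destination.
    """
    return any(in_net(local_ip, s, sm) and in_net(remote_ip, d, dm) for s, sm, d, dm in acl)

def unexempted_flows(lines, acl):
    """Return (client, server) pairs from 305005 messages that the ACL would still not cover."""
    missing = []
    for line in lines:
        f = parse_305005(line)
        if f and not nat0_exempts(acl, f["dip"], f["sip"]):
            missing.append((f["sip"], f["dip"]))
    return missing

if __name__ == "__main__":
    for client, server in unexempted_flows(SAMPLE_LOGS, NAT0_ACL):
        print(f"{client} -> {server} still has no nat 0 match")
```

A client address reported outside the pool covered by the ACL (10.10.110.2 in the constructed data) shows up as still unexempted, which is the first thing to check before touching the static.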