Re: Translation sets from VPN pool to DMZ

aalang · ‎10-30-2006

Hello,

I have a client VPNing into the corporate network and in the pool 10.10.100.x. Client is using internal DNS servers since they have to access private servers. They are also setup with split tunneling so as to use their own internet conenction for the internet, plus it precludes them from having to have proxy settings on their web browsers (all http traffic is through a proxy server for our company).

They also have to access the company web server, which using the internal DNS servers, gives them the private ip address of the server.

The problem I am having is, they can not access the web server in the DMZ. The log entry is:

Oct 28 2006 15:10:20: %PIX-3-305005: No translation group found for tcp src outside:10.10.110.2/1221 dst dmz1:10.10.1.3/80

(10.10.1.x is our DMZ range)

Obviously there is already a static translation between the web server and a public address. So, how do I do a translation group for this scenario without breakign the current translation set for the web server? Do I treat it like a normal private address range and the PIX is smart enough to send the packets over the correct translation?

t-heeter · ‎10-30-2006

nat 0 acl from dmz to outside should do the trick.

access-list dmz_nat0_outbound permit ip 10.10.1.3 255.255.255.255 10.10.100.0 255.255.255.0

nat (dmz) 0 access-list dmz_nat0_outbound

aalang · ‎10-30-2006

And the fact I have a static mapping for 10.10.1.3 to the outside (public ip) won't make a difference?

t-heeter · ‎10-30-2006

Nope.

That static is still in effect as it does not match the nat 0 acl. If you want to do this for all servers on dmz, then it would be

access-list dmz_nat0_outbound permit ip 10.10.1.0 255.255.255.0 10.10.100.0 255.255.255.0