PIX 515E: from OUT to IN without NAT

Jul 30th, 2007

Hello!


On a PIX 515E I need access from a real IP x.x.x.x (outside interface) to the inside IP 10.1.1.2 (inside interface) without NAT, for test purposes.

When I try to access the inside IP 10.1.1.2 from the real IP x.x.x.x, the PIX sends error messages to syslog: (305005) "No translation group found for icmp src OUT:x.x.x.x dst IN:10.1.1.2 (type 8, code 0)".

I tried 2 configs:

1. access-list nonat_toInside extended permit ip host x.x.x.x 10.1.1.0 255.255.255.0

nat (OUT) 0 access-list nonat_toInside

2. static (OUT,IN) 10.1.1.2 10.1.1.2 netmask 255.255.255.255


But nothing helped... Maybe there are mistakes? Or what should I do to solve the problem?


Overall Rating: 4.3 (3 ratings)
Jon Marshall Mon, 07/30/2007 - 23:06

Hi


static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255


+ allow icmp on your access-lists


HTH


Jon

abatuyeva Tue, 07/31/2007 - 01:57

The problem still remains.


If I write "static (outside,inside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255" I see on "show nat" this:


NAT policies on Interface Out:

match ip Out host 10.1.1.2 IN any

static translation to 10.1.1.2

translate_hits = 0, untranslate_hits = 0



If I write your command "static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255" this rule appears on interface IN and PIX doesn't want to translate again.


Why doesn't nat 0 work?..

mattiaseriksson Tue, 07/31/2007 - 02:04

nat 0 only works for inside-to-outside dynamic translations.


In your case you need a static like jon.marshall suggested:


static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255


(outside,inside) is only used if you want to translate the outside source address.

srue Tue, 07/31/2007 - 20:01

or add icmp inspection to the global policy.
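
The three replies above (Jon's identity static, mattiaseriksson's note on the (inside,outside) direction, and srue's ICMP inspection) combined into one configuration. This is an added example, not configuration posted by anyone in the thread. It assumes PIX 7.x syntax with interfaces named "inside" (security level 100) and "outside" (security level 0), uses x.x.x.x and 10.1.1.2 as in the question, and the ACL name OUTSIDE_IN is made up here; global_policy and inspection_default are the PIX 7.x default policy-map and class names.

```cisco
! Added example, not from any poster. Assumptions: PIX 7.x, interfaces
! "inside" (100) and "outside" (0), x.x.x.x = outside test host,
! 10.1.1.2 = inside target, OUTSIDE_IN = hypothetical ACL name.

! 1. Identity static: 10.1.1.2 is presented on the outside as 10.1.1.2.
!    The interface pair is written (inside,outside) regardless of which
!    side initiates; outside-initiated packets take the untranslate path,
!    which is why the (outside,inside) attempt in the thread showed 0 hits.
static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

! 2. Outside-in policy. The static only creates the translation; traffic
!    from the low-security side still needs an access-group on "outside".
!    Permit only the test source, only ICMP echo, only to the test target.
access-list OUTSIDE_IN extended permit icmp host x.x.x.x host 10.1.1.2 echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 3. Optional but recommended: inspect ICMP so the echo-reply from 10.1.1.2
!    is matched to the inbound echo as one connection instead of passing
!    only because inside-to-outside traffic is permitted by default.
policy-map global_policy
 class inspection_default
  inspect icmp

! Checks (enable mode):
!   show nat                     untranslate_hits on the static should rise
!                                as x.x.x.x pings 10.1.1.2; translate_hits
!                                only rises when 10.1.1.2 sends outbound.
!   show xlate                   identity entry for 10.1.1.2 once traffic
!                                has passed.
!   show access-list OUTSIDE_IN  hit count on the permit line.
!   show logging                 305005 messages stop for this pair.
! Remove the static and the permit line when the test is over: an identity
! static exposes the host's real address to whatever the outside ACL allows.
```

The deny line with `log` is there so that any other outside source probing 10.1.1.2 during the test shows up in syslog as an ACL deny rather than disappearing silently once the 305005 "no translation group" messages stop.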

abatuyeva Wed, 08/01/2007 - 01:26

Sorry, Jon, I wrote the wrong IP in my config :[

So, your answer helped me!

Thanks!!


P.S. I've forgotten to check a box that the post resolved my problem. But now I'm not allowed to do this...
