PIX 515E: from OUT to IN without NAT

Unanswered Question
Jul 30th, 2007

Hello!

On PIX 515E I need access from a real IP x.x.x.x (outside interface) to inside IP 10.1.1.2 (inside interface) without NAT - for test purposes.

When I try to access from the real IP x.x.x.x inside IP 10.1.1.2 PIX sends error messages to syslog: (305005) "No translation group found for icmp src OUT:x.x.x.x dst IN:10.1.1.2 (type 8, code 0)".

I tried 2 configs:

1. access-list nonat_toInside extended permit ip host x.x.x.x 10.1.1.0 255.255.255.0

nat (OUT) 0 access-list nonat_toInside

2. static (OUT,IN) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

But nothing helped... Maybe there are mistakes? Or what should I do to solve the problem?

Jon Marshall Mon, 07/30/2007 - 23:06

Hi

static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

+ allow icmp on your access-lists

HTH

Jon

abatuyeva Tue, 07/31/2007 - 01:57

The problem is still remaining.

If I write "static (outside,inside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255" I see on "show nat" this:

NAT policies on Interface Out:

match ip Out host 10.1.1.2 IN any

static translation to 10.1.1.2

translate_hits = 0, untranslate_hits = 0

If I write your command "static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255" this rule appears on interface IN and PIX doesn't want to translate again.

Why nat 0 doesn't work?..

mattiaseriksson Tue, 07/31/2007 - 02:04

nat(0) only works for inside to outside dynamic translations.

In your case you need a static like jon.marshall suggested:

static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

(outside,inside) is only used if you want to translate the outside source address.

srue Tue, 07/31/2007 - 20:01

or add icmp inspection to the global policy.

abatuyeva Wed, 08/01/2007 - 01:26

Sorry, Jon, I wrote the wrong IP in my config :[

So, your answer helped me!

Thanks!!

P.S. I've forgotten to check a box that the post resolved my problem. But now I'm not allowed to do this...
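
Added example, not part of any post in this thread: the identity static the replies recommend, written with the original poster's interface names (IN, OUT) and paired with an inbound ACL limited to the one test host and ICMP echo. The ACL name OUT_TEST_IN is hypothetical, x.x.x.x is the thread's placeholder for the outside host, and the example assumes PIX 7.x syntax and that no other ACL is already bound inbound on OUT (a new access-group would replace it; in that case add the permit line to the existing ACL instead).

```text
! Constructed example; interface names IN/OUT as used in the thread.
! x.x.x.x = outside test host (placeholder from the thread).
! OUT_TEST_IN = hypothetical ACL name.

! Identity static: 10.1.1.2 is reachable from OUT under its own address.
! The first interface in the pair is the one where the real host lives,
! so the pair is (IN,OUT), not (OUT,IN).
static (IN,OUT) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

! The static alone does not permit traffic from OUT to IN.
! Permit only the test host, only ICMP echo, only to the one inside address.
access-list OUT_TEST_IN extended permit icmp host x.x.x.x host 10.1.1.2 echo
access-group OUT_TEST_IN in interface OUT

! Verify: the xlate should exist and the ACL hit counter should increase
! when the test host pings 10.1.1.2.
show xlate
show access-list OUT_TEST_IN

! Remove both once the test is finished, so the inside address is no
! longer exposed on OUT.
no access-group OUT_TEST_IN in interface OUT
no access-list OUT_TEST_IN extended permit icmp host x.x.x.x host 10.1.1.2 echo
no static (IN,OUT) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
```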
