07-30-2007 08:56 PM - edited 03-11-2019 03:51 AM
Hello!
On PIX 515E I need access from a real IP x.x.x.x (outside interface) to inside IP 10.1.1.2 (inside interface) without NAT - for test purposes.
When I try to access from the real IP x.x.x.x inside IP 10.1.1.2 PIX sends error messages to syslog: (305005) "No translation group found for icmp src OUT:x.x.x.x dst IN:10.1.1.2 (type 8, code 0)".
I tried 2 configs:
1. access-list nonat_toInside extended permit ip host x.x.x.x 10.1.1.0 255.255.255.0
nat (OUT) 0 access-list nonat_toInside
2. static (OUT,IN) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
But nothing helped... Maybe there are mistakes? Or what should I do to solve the problem?
07-30-2007 11:06 PM
Hi
static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
+ allow icmp on your access-lists
HTH
Jon
07-31-2007 01:57 AM
The problem still remains.
If I write "static (outside,inside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255" I see on "show nat" this:
NAT policies on Interface Out:
match ip Out host 10.1.1.2 IN any
static translation to 10.1.1.2
translate_hits = 0, untranslate_hits = 0
If I write your command "static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255" this rule appears on interface IN and PIX doesn't want to translate again.
Why doesn't nat 0 work?..
07-31-2007 02:04 AM
nat(0) only works for inside to outside dynamic translations.
In your case you need a static like jon.marshall suggested:
static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
(outside,inside) is only used if you want to translate the outside source address.
07-31-2007 07:30 AM
Also, if you are testing with ping, make sure you are allowing ICMP echo replies into the outside interface.
Ex. access-list outside_in extended permit icmp any any echo-reply
access-group outside_in in interface outside
07-31-2007 08:01 PM
or add icmp inspection to the global policy.
08-01-2007 01:26 AM
Sorry, Jon, I wrote the wrong IP in my config :[
So, your answer helped me!
Thanks!!
P.S. I've forgotten to check a box that the post resolved my problem. But now I'm not allowed to do this...
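The answers in this thread combined into one PIX 7.x configuration, as an added example that is not from any poster. It assumes the interfaces are named OUT and IN (as in the syslog message in the question), reuses the ACL name outside_in from the reply above, and keeps x.x.x.x as the placeholder for the test host's real address.

```cisco
! Assumptions: nameif values are OUT and IN; x.x.x.x is the test host.

! Remove the two earlier attempts from the question.
no static (OUT,IN) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
no nat (OUT) 0 access-list nonat_toInside

! Identity static: 10.1.1.2 is presented on OUT under its own address.
! The order is (real_interface,mapped_interface), so IN comes first.
static (IN,OUT) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

! Inbound ACL on OUT, limited to the one test host and to ICMP echo
! requests toward 10.1.1.2 instead of "icmp any any".
access-list outside_in extended permit icmp host x.x.x.x host 10.1.1.2 echo

! Only one ACL can be bound per interface and direction. If OUT already
! has an inbound ACL, add the entry to that ACL and skip this line.
access-group outside_in in interface OUT

! Flush stale translation entries. This drops every existing translation,
! so run it in a maintenance window on a production firewall.
clear xlate

! Verify: the static should be listed under the IN interface, and the
! ACL entry's hitcnt should increase while the test host pings 10.1.1.2.
show nat
show xlate
show access-list outside_in
```

Because the rule exists only for a test, remove the static and the ACL entry once testing is done so the inside host is no longer reachable from the outside interface.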