Having trouble nat'ing outside addresses to inside network

Unanswered Question
Dec 13th, 2007
User Badges:

Using a pix501, have servers on the outside interface that need to be able to access servers on the inside interface. I can ping from the inside out, but when attempting to ping from the outside in, getting a 305005: No translation group found for icmp src server2 dst inside:server1 (type 8, code0) message in the log. The inside network is 10.100.3.x and the outside is 10.25.143.x. I would really just like the pix to function more like a router with an acl in this situation since I need each side to see the real IP address of the other server. The translation rule nat (inside) 0 0 0 is working to allow traffic inside out, but any other rules I try adding result in a configuration error.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Collin Clark Thu, 12/13/2007 - 10:55
User Badges:
  • Purple, 4500 points or more

Since you need to go from an unsecure interface to a more secure interface, you need a NAT translation. Since you would like to 'route' between these two, you'll really be NATing all addresses.

static (inside,outside) netmask

When the PIX sees a packet destined for 10.100.3.x on the outside interface, it will forward it to the inside interface with the same IP.

HTH and please rate.

srue Thu, 12/13/2007 - 12:44
User Badges:
  • Blue, 1500 points or more

dont forget to allow inbound traffic using an ACL.

access-list outside_acl permit icmp any any

access-group outside_acl in interface outside

JJost Fri, 12/14/2007 - 04:59
User Badges:

I believe I already have both the necessary translation rule and acl's applied. What I just found out was once I ping from the inside server to the outside server, the outside server can then ping and communicate fine with the inside server. However, this only seems to last for so long before the outside to inside ping stops working, and then I have to ping from the inside out to jumpstart the connection. Is there a time out somewhere that can be adjusted so this doesn't happen?


This Discussion