Having trouble nat'ing outside addresses to inside network

JJost · ‎12-13-2007

Using a pix501, have servers on the outside interface that need to be able to access servers on the inside interface. I can ping from the inside out, but when attempting to ping from the outside in, getting a 305005: No translation group found for icmp src server2 dst inside:server1 (type 8, code0) message in the log. The inside network is 10.100.3.x and the outside is 10.25.143.x. I would really just like the pix to function more like a router with an acl in this situation since I need each side to see the real IP address of the other server. The translation rule nat (inside) 0 10.0.0.0 255.0.0.0 0 0 is working to allow traffic inside out, but any other rules I try adding result in a configuration error.

Collin Clark · ‎12-13-2007

Since you need to go from an unsecure interface to a more secure interface, you need a NAT translation. Since you would like to 'route' between these two, you'll really be NATing all addresses.

static (inside,outside) 10.100.3.0 10.100.3.0 netmask 255.255.255.0

When the PIX sees a packet destined for 10.100.3.x on the outside interface, it will forward it to the inside interface with the same IP.

HTH and please rate.

srue · ‎12-13-2007

dont forget to allow inbound traffic using an ACL.

access-list outside_acl permit icmp any any

access-group outside_acl in interface outside

JJost · ‎12-14-2007

I believe I already have both the necessary translation rule and acl's applied. What I just found out was once I ping from the inside server to the outside server, the outside server can then ping and communicate fine with the inside server. However, this only seems to last for so long before the outside to inside ping stops working, and then I have to ping from the inside out to jumpstart the connection. Is there a time out somewhere that can be adjusted so this doesn't happen?