PIX, Vlans and two outside interfaces

davehartburn · ‎02-19-2008

Hi,

My ISP currently suppies me two VLANs over ethernet, one tagged and one untagged. Until now, I've not used the tagged one.

On a PIX 515E, IOS 6.3, I have created a vlan interface mapped to ethernet0 and called it outsidetwo with security 1. ethernet0 has the role of outside with security 0.

I'm having problems with the NAT translations. I have set up a static translation between the new outsidetwo interface and my DMZ:

global (outside) 1 interface

global (DMZ) 1 interface

global (outsidetwo) 1 interface

static (DMZ,outsidetwo) W.X.Y.Z 192.168.50.100 netmask 255.255.255.255 0 0

However, I get the following error when sending traffic from 192.168.50.100:

No translation group found for udp src DMZ:192.168.50.100/32768 dst outside:SOTA_Secondary_DNS/53

The default route is specified as:

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

I suspect the error is caused because the PIX wants to route the outgoing traffic via the outside interface and as such can not find a valid translation rule.

Is there any way I can specify two outside interfaces, so traffic listed as being NATted to outsidetwo will go out this VLAN interface and other traffic will go out outside (the untagged vlan interface)?

Any other way I can get this to work, with essentially two outside interfaces?

acomiskey · ‎02-19-2008

What if you add...

nat (DMZ) 1 192.168.50.100 255.255.255.255

abinjola · ‎02-19-2008

You must be receiving the error %PIX-3-305005:No translation group found for udp..

This is because you are missing the translation rule when you are trying to go outside

So add

nat (dmz) 1 0 0

The above statement would provide the nat rules for source that originates from inside and tries to access anything on outside Interface