PIX Firewall - Accessing multiple internal networks

cpartsenidis
Level 1

Hi everyone,

I have a PIX Firewall which I'd like to configure to allow IP addresses from the external interface (private IP range) to access multiple networks that exist on the internal network.

For example:

The internal network has a layer 3 switch with multiple vlans and I'd like to allow some IP addresses on the external lan access these internal networks. I've added the necessary 'route' commands on the pix and it can properly ping these internal networks/hosts. However, when trying to access them from the external network, I receive the 'no translation group found' error.

Assume the following setup:

192.168.10.x---pix---192.168.11.x

Where 192.168.10.x is the internal network and 192.168.11.x the external.

I've also added:

route inside 192.168.14.0 255.255.255.0 192.168.10.5 so that the pix can reach the 192.168.14.0 network.

I need to access the 192.168.14.0 network from the external network.

Many thanks for any input or suggestions.

3 Replies

vantipov
Level 1

If you already permitted 192.168.10.x with an ACL attached to the outside interface, then the only thing left to add is either a static no-NAT statement or a policy-based no-NAT (assume mask /24):

static (inside,outside) 192.168.11.0 192.168.11.0 netmask 255.255.255.0

Or you can do:

access-list nonat extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list nonat

Either one of those will tell Pix to not translate the return traffic.

vantipov,

I have already tried your suggestion and the debugging shows the original error I mentioned: "no translation group found" for 192.168.14.0.

Again, this error occurs when 192.168.11.x (outside) tries to access 192.168.14.x which is an internal network that's not directly attached to the pix inside interface (the pix has an internal IP as a gateway in order to get to the 192.168.14.x network).

Perhaps a static (inside,outside) 192.168.14.0 192.168.14.0 netmask 255.255.255.0 would do the job?

Yes, if you are trying to reach 192.168.14.0/24 on the inside then I would rewrite the static and give that a shot.
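As an added illustration (not part of the thread or Cisco's code), the script below models, in simplified form, how a PIX decides whether an outside-to-inside packet has a translation group: either a `static (inside,outside)` whose real address covers the inside destination, or a `nat (inside) 0 access-list` whose ACL has the inside address as source and the outside address as destination. It assumes PIX 7.x syntax with `address mask` pairs only (no `host` keyword), and the host addresses and configs are constructed to mirror the thread: the first config exempts only 192.168.10.0/24, so 192.168.14.x still has no translation, while adding the identity static for 192.168.14.0/24 fixes it.

```python
import ipaddress
import re

def _net(addr, mask):
    """Build a network from a PIX 'address mask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(config):
    """Collect identity/static entries, nat-0 ACL names and ACL entries."""
    statics, nat0_acls, acls = [], set(), {}
    for line in config.splitlines():
        line = line.strip()
        # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
        if m := re.match(r"static \(inside,outside\) (\S+) (\S+) netmask (\S+)", line):
            _mapped, real, mask = m.groups()
            statics.append(_net(real, mask))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0_acls.add(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((_net(src, smask), _net(dst, dmask)))
    return statics, nat0_acls, acls

def has_translation(config, outside_src, inside_dst):
    """True if an outside->inside flow to inside_dst would find a translation group."""
    statics, nat0_acls, acls = parse_pix(config)
    src, dst = ipaddress.ip_address(outside_src), ipaddress.ip_address(inside_dst)
    if any(dst in net for net in statics):
        return True
    # nat 0 ACL: source = inside real address, destination = outside address
    for name in nat0_acls:
        for inside_net, outside_net in acls.get(name, []):
            if dst in inside_net and src in outside_net:
                return True
    return False

# Constructed sample configs mirroring the thread (hypothetical ACL name "nonat").
FIRST_SUGGESTION = """
route inside 192.168.14.0 255.255.255.0 192.168.10.5 1
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
FIXED = FIRST_SUGGESTION + (
    "static (inside,outside) 192.168.14.0 192.168.14.0 netmask 255.255.255.0\n"
)

if __name__ == "__main__":
    for label, cfg in (("first suggestion", FIRST_SUGGESTION), ("with static", FIXED)):
        print(label, "->", has_translation(cfg, "192.168.11.50", "192.168.14.20"))
```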
