06-24-2008 06:01 AM - edited 03-11-2019 06:03 AM
Dear All,
I am working on a 515e with the following interfaces:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
nameif ethernet3 webside security6
nameif ethernet4 backweb security8
nameif ethernet5 bakweb_domino security7
I have a Windows box with 139.128.152.130/27 on the inside, and another Windows box with 81.184.174.86/29 on the dmz, both with a TFTP client.
I have configured the following static port redirection:
static (dmz,inside) udp 139.128.152.133 tftp 81.184.174.86 tftp netmask 255.255.255.255
In this way the TFTP requests from the inside network .130 to .133 are redirected to 81.184.174.86. Then I have also configured a:
nat (inside) 0 139.128.152.130 255.255.255.255
to exclude the .130 from translation.
It works from the inside to dmz, but from dmz 81.184.174.86 to 139.128.152.130 it does not work; I have just added an ACL to permit the traffic.
On the PIX log I got the following message:
%PIX-3-305005: No translation group found for udp src dmz:81.184.174.86/1038 dst inside:139.128.152.130/69
Why?
Best regards,
Igor.
06-24-2008 08:40 AM
You need a translation anytime you go from a lower security interface to a higher one.
static (inside,dmz) 139.128.152.130 139.128.152.130 netmask 255.255.255.255
Hope that helps
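The rule in the reply above can be checked mechanically against the 305005 message. The following is an added example, not part of either post and not Cisco tooling: it reads the `nameif` and `static` lines from the thread and reports whether the logged lower-to-higher flow has a static publishing the destination on the source interface. The function name `explain` and its return strings are hypothetical, and the model is simplified: it ignores ports, netmasks, ACLs and `nat 0 access-list` exemptions.

```python
import re
from ipaddress import ip_address

# Lines copied from the thread (only the ones this check reads; the nat 0
# line is kept to show that it does not satisfy the lower-to-higher case).
CONFIG = """\
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
static (dmz,inside) udp 139.128.152.133 tftp 81.184.174.86 tftp netmask 255.255.255.255
nat (inside) 0 139.128.152.130 255.255.255.255
"""
LOG = ("%PIX-3-305005: No translation group found for udp "
       "src dmz:81.184.174.86/1038 dst inside:139.128.152.130/69")
SUGGESTED = "static (inside,dmz) 139.128.152.130 139.128.152.130 netmask 255.255.255.255\n"

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)", re.M)
# static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip ...
STATIC = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(?:(?:tcp|udp)\s+)?([\d.]+)", re.M)
NO_XLATE = re.compile(r"305005: No translation group found for \w+ "
                      r"src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/\d+")

def explain(config, log_line):
    """Classify a 305005 message against the nameif/static lines in config."""
    levels = {name: int(sec) for name, sec in NAMEIF.findall(config)}
    m = NO_XLATE.search(log_line)
    if m is None:
        raise ValueError("not a 305005 message")
    src_if, _src_ip, dst_if, dst_ip = m.groups()
    if levels[src_if] >= levels[dst_if]:
        # Higher-to-lower flow: governed by nat/global, outside this check.
        return "outbound"
    # Lower-to-higher flow: the destination must be published on the source
    # interface by a static whose real interface is the destination interface.
    for real_if, mapped_if, mapped_ip in STATIC.findall(config):
        if (real_if, mapped_if) == (dst_if, src_if) and \
                ip_address(mapped_ip) == ip_address(dst_ip):
            return "static-found"
    return "static-missing"

if __name__ == "__main__":
    print("as posted:      ", explain(CONFIG, LOG))
    print("with the static:", explain(CONFIG + SUGGESTED, LOG))
```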
06-26-2008 11:35 PM
Many thanks for your reply.
I think you are right, but my purpose is that when 81.184.174.86 replies to 139.128.152.130, its src address should be translated to 139.128.152.133.
I have just tried to configure an outside NAT on the dmz interface:
nat (dmz) 2 81.184.174.86 255.255.255.255 outside
global (inside) 2 139.128.152.133
It works, but I lost all the other translations on the webside interface.
What do you think?
BR,
Igor.