Static Port Redirection on Pix 515E 6.3(5)

ifabrizio · ‎06-24-2008

Dear All,

I am working on a 515e with the following interfaces:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security4

nameif ethernet3 webside security6

nameif ethernet4 backweb security8

nameif ethernet5 bakweb_domino security7

I have a windows box with 139.128.152.130/27 on the inside, and another windows box with 81.184.174.86/29 on the dmz, both with a tftp client.

I have configured the following static port redirection:

static (dmz,inside) udp 139.128.152.133 tftp 81.184.174.86 tftp netmask 255.255.255.255

In this way the tftp request from the inside network .130 to .133 are redirected to 81.184.174.86.Than I have also configured a:

nat (inside) 0 139.128.152.130 255.255.255.255

to exclude the .130 from traslation.

It works from the inside to dmz, but from dmz 81.184.174.86 to 139.128.152.130 it do not work, I have just added an acl to permit the traffic.

On the pix log i got the following message:

%PIX-3-305005: No translation group found for udp src dmz:81.184.174.86/1038 dst inside:139.128.152.130/69

why?

Best regards,

Igor.

Collin Clark · ‎06-24-2008

You need a translation anytime you go from a lower security interface to a higher one.

static (inside,dmz) 139.128.152.130 139.128.152.130 netmask 255.255.255.255

Hope that helps

ifabrizio · ‎06-26-2008

Many thanks for your reply.

I think you are right, but my porpouse is that when the 81.184.174.86 reply to 139.128.152.130, its src address should be traslated to 139.128.152.133.

I have just tryed to configure an outside nat on dmz interface:

nat(dmz) 2 81.184.174.86 255.255.255.255 outside

global (inside) 2 139.128.152.133

It works, but I lost all the other traslation on the webside interface.

What di you think ?

BR,

Igor.