Static NAT PIX Command

Answered Question

Running PIX 6.3(5)


Goal is to translate an outside external src IP 12.12.12.10 to an internal IP 172.16.1.200 on the inside of the PIX.


Tried to use static (outside,inside) 172.16.1.200 12.12.12.10 without any luck. I get:


305005: No translation group found for icmp src outside:12.12.12.10 dst inside:172.16.1.200 (type 8, code 0)


This should work, what am I missing?

JORGE RODRIGUEZ Mon, 12/22/2008 - 10:24

Try it in the other direction. To map 12.12.12.10 towards 172.16.1.200, your identity NAT must be in this format:



static (inside,outside) 12.12.12.10 172.16.1.200 netmask 255.255.255.255

JORGE RODRIGUEZ Mon, 12/22/2008 - 10:45

Clear xlate or local-host and try again.


Either do pix#clear xlate


or


pix#clear local-host 172.16.1.200



BTW, you will need an ICMP ACL to allow pings from outside to inside. Create an ACL to allow a different service such as RDP and test through that port instead of ICMP, by RDPing from outside to 12.12.12.10.


icmp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml





Correct Answer
ajagadee Mon, 12/22/2008 - 11:23
User Badges:
  • Cisco Employee

Andrew,


After you configure the above statement, where are you sourcing the ICMP packets from and what is the destination?


I believe the statement below will translate the outside IP 12.12.12.10 to 172.16.1.200, and then you need a translation for whatever the destination IP address is.


For example:


Router 1.1.1.1 - Inside ASA - Outside - 12.12.12.10


static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255


ciscoasa(config)# sh xlate

2 in use, 2 most used

Global 1.1.1.1 Local 1.1.1.1

Global 172.16.1.200 Local 12.12.12.10


So, if I telnet to 1.1.1.1 from the outside with 12.12.12.10, the packets get translated to 172.16.1.200 on the ASA and then the ASA looks for the regular inside/outside translation for the destination. That is why I have a static (inside,outside) for 1.1.1.1.


Router that is configured with IP 1.1.1.1


interface Loopback101

ip address 1.1.1.1 255.255.255.0


7140#sh users

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:02:27 172.16.1.200


I hope it helps.


Regards,

Arul


*Pls rate all helpful posts*
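
Added example (not part of the thread and not Cisco code): a simplified Python model of the two lookups Arul describes, showing why the question's single static produces 305005 while the answer's pair delivers the packet with a translated source. The function names are hypothetical, ACLs and nat/global rules are ignored, only host statics are modelled, and the returned message is a shortened form of the syslog line in the question.

```python
import re

# Constructed sample configs, built from the static statements quoted in the thread.
QUESTION_CONFIG = ["static (outside,inside) 172.16.1.200 12.12.12.10"]
ANSWER_CONFIG = [
    "static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255",
    "static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255",
]

# static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask ...]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")


def parse_statics(lines):
    """Return (real_ifc, mapped_ifc, mapped_ip, real_ip) for each static line."""
    statics = []
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append(m.groups())
    return statics


def outside_to_inside(statics, src, dst):
    """Model one packet arriving on the outside interface.

    Returns (new_src, new_dst) when the destination has a translation,
    otherwise a 305005-style message (assumed simplification of the PIX logic).
    """
    # Source side: static (outside,inside) rewrites the outside host's address.
    new_src = src
    for real_ifc, mapped_ifc, mapped_ip, real_ip in statics:
        if (real_ifc, mapped_ifc) == ("outside", "inside") and real_ip == src:
            new_src = mapped_ip
    # Destination side: an (inside,outside) static must publish dst as its global.
    for real_ifc, mapped_ifc, mapped_ip, real_ip in statics:
        if (real_ifc, mapped_ifc) == ("inside", "outside") and mapped_ip == dst:
            return (new_src, real_ip)
    return f"305005: No translation group found for src outside:{src} dst inside:{dst}"


if __name__ == "__main__":
    # The question's ping: the destination 172.16.1.200 is not published by any static.
    print(outside_to_inside(parse_statics(QUESTION_CONFIG), "12.12.12.10", "172.16.1.200"))
    # The answer's telnet: the router sees the session coming from 172.16.1.200.
    print(outside_to_inside(parse_statics(ANSWER_CONFIG), "12.12.12.10", "1.1.1.1"))
```
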

