Static NAT PIX Command

Answered Question

Running PIX 6.3(5)

Goal is to translate an outside external src IP 12.12.12.10 to an internal IP 172.16.1.200 on the inside of the PIX.

Tried to use static (outside,inside) 172.16.1.200 12.12.12.10 without any luck; I get:

305005: No translation group found for icmp src outside:12.12.12.10 dst inside:172.16.1.200 (type 8, code 0)

This should work, what am I missing?

Correct Answer by ajagadee about 8 years 2 months ago

Andrew,

After you configure the above statement, where are you sourcing the ICMP packets from and what is the destination?

I believe the statement below will translate the outside IP 12.12.12.10 to 172.16.1.200, and then you need a translation for whatever the destination IP address is.

For example:

Router 1.1.1.1 - Inside ASA - Outside - 12.12.12.10

static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

ciscoasa(config)# sh xlate

2 in use, 2 most used

Global 1.1.1.1 Local 1.1.1.1

Global 172.16.1.200 Local 12.12.12.10

So, if I telnet to 1.1.1.1 from the outside with 12.12.12.10, the packets get translated to 172.16.1.200 on the ASA and then the ASA looks for the regular inside/outside translation for the destination. That is why I have a static (inside,outside) for 1.1.1.1.

Router that is configured with IP 1.1.1.1

interface Loopback101

ip address 1.1.1.1 255.255.255.0

7140#sh users

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:02:27 172.16.1.200

I hope it helps.

Regards,

Arul

*Pls rate all helpful posts*

Overall Rating: 5 (1 ratings)
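
An added example, not part of the original thread and not Cisco tooling: a simplified Python model that reads the 305005 message and the two static statements quoted in the answer above, then reports whether the source is translated and whether the destination has an (inside,outside) static. It assumes only static statements are consulted (no nat/global, nat 0 or ACLs), and the function names are hypothetical.

```python
import ipaddress
import re

# Inputs copied from the thread: the 305005 message and the answer's two statics.
SYSLOG = ("305005: No translation group found for icmp src outside:12.12.12.10 "
          "dst inside:172.16.1.200 (type 8, code 0)")
CONFIG = """\
static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255
"""

LOG_RE = re.compile(r"305005: No translation group found for (\S+) "
                    r"src (\w+):([\d.]+)\S* dst (\w+):([\d.]+)")
# PIX 6.3 form: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(r"static \((\w+),\s*(\w+)\) ([\d.]+) ([\d.]+)"
                       r"(?: netmask ([\d.]+))?")

def parse_statics(config):
    """Return (real_ifc, mapped_ifc, mapped_net, real_net) for each static line."""
    rules = []
    for m in STATIC_RE.finditer(config):
        real_if, mapped_if, mapped, real, mask = m.groups()
        mask = mask or "255.255.255.255"
        rules.append((real_if, mapped_if,
                      ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
                      ipaddress.ip_network(f"{real}/{mask}", strict=False)))
    return rules

def explain_305005(line, config):
    """Simplified model (an assumption): only static statements are consulted."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 305005 message")
    proto, src_if, src, dst_if, dst = m.groups()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    result = {"proto": proto, "src_maps_to": None, "dst_static": False}
    for real_if, mapped_if, mapped_net, real_net in parse_statics(config):
        # Source NAT: real side is the ingress interface and covers the source.
        if (real_if, mapped_if) == (src_if, dst_if) and src in real_net:
            offset = int(src) - int(real_net.network_address)
            result["src_maps_to"] = str(mapped_net.network_address + offset)
        # Destination: real side is the egress interface, mapped side covers dst.
        if (real_if, mapped_if) == (dst_if, src_if) and dst in mapped_net:
            result["dst_static"] = True
    # True when the packet's destination is the source's own mapped address.
    result["dst_is_src_mapping"] = result["src_maps_to"] == str(dst)
    return result

if __name__ == "__main__":
    print(explain_305005(SYSLOG, CONFIG))
```

For the message in the question, the source static matches but no (inside,outside) static covers 172.16.1.200, which is the condition the answer addresses by adding a static for the real destination.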
JORGE RODRIGUEZ Mon, 12/22/2008 - 10:24

Try it in the other direction. To map 12.12.12.10 towards 172.16.1.200, your identity NAT must be in this format:

static (inside, outside) 12.12.12.10 172.16.1.200 netmask 255.255.255.255

JORGE RODRIGUEZ Mon, 12/22/2008 - 10:45

Clear xlate or local host and try again.

Either do pix#clear xlate

or

pix#clear local-host 172.16.1.200

BTW, you will need an ICMP ACL to allow pings from outside to inside. Create an ACL to allow a different service such as RDP and test through that port instead of ICMP, by RDPing from outside to 12.12.12.10.

icmp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Correct Answer
ajagadee Mon, 12/22/2008 - 11:23
