Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1124
Views
0
Helpful
7
Replies

Static NAT PIX Command

Go to solution
ajohnson
Level 1
Level 1

‎12-22-2008 09:17 AM - edited ‎03-11-2019 07:28 AM

Running PIX 6.3(5)

Goal is to translate a outside external src IP 12.12.12.10 to a internal ip 172.16.1.200 on the inside of the PIX.

Tried to use static (outside,inside) 172.16.1.200 12.12.12.10 without any luck get

305005: No translation group found for icmp src outside:12.12.12.10 dst inside:1

72.16.1.200 (type 8, code 0)

This should work, what am I missing?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ajagadee
Cisco Employee
Cisco Employee

‎12-22-2008 11:23 AM

Andrew,

After you configure the above statement, where are you sourcing the ICMP packets from and what is the destination.

I believe below statement will translate the outside IP 12.12.12.10 to 172.16.1.200 and then you need a translation for whatever destination the IP Address is.

For example:

Router 1.1.1.1 - Inside ASA - Outside - 12.12.12.10

static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

ciscoasa(config)# sh xlate

2 in use, 2 most used

Global 1.1.1.1 Local 1.1.1.1

Global 172.16.1.200 Local 12.12.12.10

So, if I telnet to 1.1.1.1 from the outside with 12.12.12.10, the packets get translated to 172.16.1.200 on the ASA and then the ASA looks for the regular inside/outside translation for the destination. That is why I have a static (inside,outside) for 1.1.1.1.

Router that is configured with IP 1.1.1.1

interface Loopback101

ip address 1.1.1.1 255.255.255.0

7140#sh users

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:02:27 172.16.1.200

I hope it helps.

Regards,

Arul

*Pls rate all helpful posts*

View solution in original post

0 Helpful
7 Replies 7

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎12-22-2008 10:24 AM

try it in other direction, to map 12.12.12.10 towards 172.16.1.200 your identity nat must be in this format.

static (inside, outside) 12.12.12.10 172.16.1.200 netmask 255.255.255.255

Jorge Rodriguez
0 Helpful

Go to solution
ajohnson
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎12-22-2008 10:35 AM

I get this error:

305006: regular translation creation failed for icmp src outside:12.12.12.10 dst

inside:172.16.1.200 (type 8, code 0)

0 Helpful

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10
In response to ajohnson

‎12-22-2008 10:45 AM

clear xlate or local host and try again

either do pix#clear xlate

or

pix#clear local-host 172.16.1.200

btw you will need icmp acl to allow pings from outside ot inside , create an acl to allow different service such as rdp and test through that port instead of icmp by rdping from outside to 12.12.12.10

icmp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

Jorge Rodriguez
0 Helpful

Go to solution
ajohnson
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎12-22-2008 11:15 AM

Yes already have a permit any any on outside interface and have done clear xlate.

0 Helpful

Go to solution
ajagadee
Cisco Employee
Cisco Employee

‎12-22-2008 11:23 AM

Andrew,

After you configure the above statement, where are you sourcing the ICMP packets from and what is the destination.

I believe below statement will translate the outside IP 12.12.12.10 to 172.16.1.200 and then you need a translation for whatever destination the IP Address is.

For example:

Router 1.1.1.1 - Inside ASA - Outside - 12.12.12.10

static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

ciscoasa(config)# sh xlate

2 in use, 2 most used

Global 1.1.1.1 Local 1.1.1.1

Global 172.16.1.200 Local 12.12.12.10

So, if I telnet to 1.1.1.1 from the outside with 12.12.12.10, the packets get translated to 172.16.1.200 on the ASA and then the ASA looks for the regular inside/outside translation for the destination. That is why I have a static (inside,outside) for 1.1.1.1.

Router that is configured with IP 1.1.1.1

interface Loopback101

ip address 1.1.1.1 255.255.255.0

7140#sh users

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:02:27 172.16.1.200

I hope it helps.

Regards,

Arul

*Pls rate all helpful posts*

0 Helpful

Go to solution
ajohnson
Level 1
Level 1
In response to ajagadee

‎12-22-2008 12:23 PM

That did it. I was missing the 2nd static.

Thanks.

0 Helpful

Go to solution
mohsin.khan
Level 3
Level 3
In response to ajohnson

‎12-22-2008 11:57 PM

Why not a single command

static (inside,outside) 12.12.12.10 172.16.1.200 0 0

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card