12-22-2008 09:17 AM - edited 03-11-2019 07:28 AM
Running PIX 6.3(5)
Goal is to translate a outside external src IP 12.12.12.10 to a internal ip 172.16.1.200 on the inside of the PIX.
Tried to use static (outside,inside) 172.16.1.200 12.12.12.10 without any luck get
305005: No translation group found for icmp src outside:12.12.12.10 dst inside:1
72.16.1.200 (type 8, code 0)
This should work, what am I missing?
Solved! Go to Solution.
12-22-2008 11:23 AM
Andrew,
After you configure the above statement, where are you sourcing the ICMP packets from and what is the destination.
I believe below statement will translate the outside IP 12.12.12.10 to 172.16.1.200 and then you need a translation for whatever destination the IP Address is.
For example:
Router 1.1.1.1 - Inside ASA - Outside - 12.12.12.10
static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255
ciscoasa(config)# sh xlate
2 in use, 2 most used
Global 1.1.1.1 Local 1.1.1.1
Global 172.16.1.200 Local 12.12.12.10
So, if I telnet to 1.1.1.1 from the outside with 12.12.12.10, the packets get translated to 172.16.1.200 on the ASA and then the ASA looks for the regular inside/outside translation for the destination. That is why I have a static (inside,outside) for 1.1.1.1.
Router that is configured with IP 1.1.1.1
interface Loopback101
ip address 1.1.1.1 255.255.255.0
7140#sh users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
2 vty 0 idle 00:02:27 172.16.1.200
I hope it helps.
Regards,
Arul
*Pls rate all helpful posts*
12-22-2008 10:24 AM
try it in other direction, to map 12.12.12.10 towards 172.16.1.200 your identity nat must be in this format.
static (inside, outside) 12.12.12.10 172.16.1.200 netmask 255.255.255.255
12-22-2008 10:35 AM
I get this error:
305006: regular translation creation failed for icmp src outside:12.12.12.10 dst
inside:172.16.1.200 (type 8, code 0)
12-22-2008 10:45 AM
clear xlate or local host and try again
either do pix#clear xlate
or
pix#clear local-host 172.16.1.200
btw you will need icmp acl to allow pings from outside ot inside , create an acl to allow different service such as rdp and test through that port instead of icmp by rdping from outside to 12.12.12.10
icmp
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
12-22-2008 11:15 AM
Yes already have a permit any any on outside interface and have done clear xlate.
12-22-2008 11:23 AM
Andrew,
After you configure the above statement, where are you sourcing the ICMP packets from and what is the destination.
I believe below statement will translate the outside IP 12.12.12.10 to 172.16.1.200 and then you need a translation for whatever destination the IP Address is.
For example:
Router 1.1.1.1 - Inside ASA - Outside - 12.12.12.10
static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255
static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255
ciscoasa(config)# sh xlate
2 in use, 2 most used
Global 1.1.1.1 Local 1.1.1.1
Global 172.16.1.200 Local 12.12.12.10
So, if I telnet to 1.1.1.1 from the outside with 12.12.12.10, the packets get translated to 172.16.1.200 on the ASA and then the ASA looks for the regular inside/outside translation for the destination. That is why I have a static (inside,outside) for 1.1.1.1.
Router that is configured with IP 1.1.1.1
interface Loopback101
ip address 1.1.1.1 255.255.255.0
7140#sh users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
2 vty 0 idle 00:02:27 172.16.1.200
I hope it helps.
Regards,
Arul
*Pls rate all helpful posts*
12-22-2008 12:23 PM
That did it. I was missing the 2nd static.
Thanks.
12-22-2008 11:57 PM
Why not a single command
static (inside,outside) 12.12.12.10 172.16.1.200 0 0
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide