I'm confident that I'm missing a major concept here, with which I'd need a bit of assistance.
The setup I'm playing with is as simple as the below:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 AP security50
nameif ethernet1 inside security100
[AP] - [PIX] - [INSIDE and router toward the internet]
I'm trying to use a NAT between those two legs but I'm failing miserably and the Cisco scenario samples don't help me much (assuming I have read them correctly).
Each interface has been attributed its IP.
ip address AP 10.0.0.251 255.255.255.0
ip address inside 192.168.1.251 255.255.255.0
And for the sake of simplicity, I have allowed traffic in both ways (test done from lower sec level to higher) to focus on my NAT issue for now.
access-list inside_access_in permit ip any any
access-list AP_access_in permit ip any any
access-group AP_access_in in interface AP
access-group inside_access_in in interface inside
I have defined a default route and the following two NATs:
global (AP) 2 interface
global (inside) 1 192.168.1.20-192.168.1.50 netmask 255.255.255.0
nat (AP) 1 10.0.0.0 255.255.255.0 outside 0 0
nat (inside) 2 192.168.1.0 255.255.255.0 0 0
route inside 0.0.0.0 0.0.0.0 192.168.1.1 1
Now, as I understand this,
- traffic coming from 10.0.0.0/24 will get translated to 192.168.1.20-50/24
- traffic coming from 192.168.1.0/24 will get translated to 10.0.0.251 (PAT).
This, looking good (I thought :/), was ready to be tested.
name 192.168.1.70 HOSTB
name 10.0.0.1 HOSTA
A ping from HOSTA to HOSTB doesn't go through.
[email protected]:~# ping 192.168.1.70
PING 192.168.1.70 (192.168.1.70): 56 data bytes
--- 192.168.1.70 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
Tcpdump on the inside side of the firewall sees nothing leaving. So, enabling some logging, I get the following on the PIX:
%PIX-6-609001: Built local-host AP:10.0.0.1
%PIX-6-305009: Built dynamic translation from AP:10.0.0.1 to inside:192.168.1.20
%PIX-3-305005: No translation group found for icmp src AP:HOSTA dst inside:HOSTB (type 8, code 0)
Huh. On that, Cisco says:
Error Message %PIX-3-305005: No translation group found for protocol src
Explanation A packet does not match any of the outbound nat rules.
Recommended Action This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL.
My NAT command does match the source IP address.
As in, 10.0.0.1 is included in 10.0.0.0/24 - which is also why I get the built dynamic translation message I suppose.
Anyway, that's where I understand that I am surely missing a concept here. Could you please shed some light on those basics for me?
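Added illustration, not part of the original post and not Cisco's code: a small Python model of the lookup order I assume PIX 6.3 follows (a nat/global pair for the source first, then, for lower-to-higher traffic, a static for the destination), fed the posted config so it reproduces the two log lines above. The class PixNat, the helper config_from_post and the identity static used in the check are my own assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SECURITY = {"AP": 50, "inside": 100}  # nameif ... securityNN from the post

@dataclass
class PixNat:
    # Assumed simplified model of the PIX 6.3 translation lookup, not Cisco's code.
    nats: list = field(default_factory=list)      # (ifname, id, network, outside_keyword)
    globals_: list = field(default_factory=list)  # (ifname, id, pool text)
    statics: list = field(default_factory=list)   # (high_if, low_if, global_ip, local_ip)

    def nat(self, ifname, nid, net, outside=False):
        self.nats.append((ifname, nid, ip_network(net), outside))

    def global_(self, ifname, nid, pool):
        self.globals_.append((ifname, nid, pool))

    def static(self, high_if, low_if, gaddr, laddr):
        self.statics.append((high_if, low_if, ip_address(gaddr), ip_address(laddr)))

    def check(self, src_if, src, dst_if, dst):
        # Returns the syslog-style messages this model emits for one packet.
        src, dst = ip_address(src), ip_address(dst)
        inbound = SECURITY[src_if] < SECURITY[dst_if]  # lower -> higher security
        msgs = []
        # Source side: a 'nat' on the ingress interface (outside-NAT for inbound,
        # plain NAT for outbound) paired with a 'global' of the same id on egress.
        hit = next((nid for ifn, nid, net, outside in self.nats
                    if ifn == src_if and src in net and outside == inbound), None)
        if hit is not None and any(g[0] == dst_if and g[1] == hit for g in self.globals_):
            msgs.append(f"305009 Built dynamic translation from {src_if}:{src} to {dst_if} (global {hit})")
        elif not inbound:  # outbound sources always need a translation on PIX 6.3
            return [f"305005 No translation group found for src {src_if}:{src}"]
        # Destination side: from lower security, the target must be a static (or
        # identity) mapping; a dynamic nat/global pool cannot be connected to.
        if inbound and not any(s[0] == dst_if and s[1] == src_if and s[2] == dst
                               for s in self.statics):
            msgs.append(f"305005 No translation group found for icmp src {src_if}:{src} dst {dst_if}:{dst}")
        return msgs

def config_from_post():
    pix = PixNat()  # the global/nat lines exactly as posted
    pix.global_("AP", 2, "interface")
    pix.global_("inside", 1, "192.168.1.20-192.168.1.50")
    pix.nat("AP", 1, "10.0.0.0/24", outside=True)
    pix.nat("inside", 2, "192.168.1.0/24")
    return pix

def ping_hosta_to_hostb(pix):
    return pix.check("AP", "10.0.0.1", "inside", "192.168.1.70")
```

Adding an identity static for HOSTB (pix.static("inside", "AP", "192.168.1.70", "192.168.1.70")) makes the model return only the 305009 line for the same ping.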