PIX NAT Translation Problem

Unanswered Question
Dec 19th, 2002
Hello all, I have the following situation on a PIX 520 running 6.2.2:

I have three interfaces: inside, outside, dmz.

On the outside interface I have an access-list which permits ICMP from any to the IPs behind the DMZ interface. I have the following:


access-list external_access_in permit icmp any 1.1.1.0 255.255.255.0

nat (dmz) 0 1.1.1.0 255.255.255.0 0 0

access-group external_access_in in interface outside


1.1.1.0 are routed IP addresses on the Internet; the above permits outside hosts to ping my hosts behind the dmz interface.


I am trying to do the same, to permit the hosts behind the dmz to ICMP ping the hosts behind the inside interface:


access-list dmz_in permit ip any any

nat (inside) 0 1.1.5.0 255.255.255.0 0 0

access-group dmz_in in interface dmz


The inside permits inbound by default.


But I have in the log:

305005: No translation group found for icmp src dmz:1.1.1.1 dst inside:1.1.5.1 (type 8, code 0)


As I see it, the situation is the same as pinging from outside to dmz.

I have:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50


Could anyone tell me where I am wrong, and how to permit the dmz hosts to ICMP ping the hosts on the inside interface?

Thanks for your answers.


c-cn Fri, 12/20/2002 - 04:44

Hi,


You need static entries for NATing, like this:


static (inside,dmz) 1.1.1.0 1.1.1.0 netmask 255.255.255.0 0 0

static (inside,outside) 1.1.5.0 1.1.5.0 netmask 255.255.255.0 0 0
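
As an added example (not part of the thread, and not Cisco code), this Python script reads the 305005 message and the nameif lines from the question and reports whether a static covers the destination when a flow runs from a lower-security to a higher-security interface. The `STATIC` line is a constructed identity mapping for the inside network, and only `static` entries with a `netmask` keyword are modelled.

```python
import ipaddress
import re

# nameif, nat and log lines are copied from the question above.
CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nat (inside) 0 1.1.5.0 255.255.255.0 0 0
"""
# Constructed for this example: identity static for the inside network on dmz.
STATIC = "static (inside,dmz) 1.1.5.0 1.1.5.0 netmask 255.255.255.0 0 0\n"
LOG = ("305005: No translation group found for icmp src dmz:1.1.1.1 "
       "dst inside:1.1.5.1 (type 8, code 0)")

def parse_config(text):
    """Return ({ifname: security level}, [(real_if, mapped_if, mapped_net)])."""
    levels, statics = {}, []
    for line in text.splitlines():
        m = re.match(r"nameif \S+ (\S+) security(\d+)", line)
        if m:
            levels[m.group(1)] = int(m.group(2))
        m = re.match(r"static \((\w+),(\w+)\) (\S+) \S+ netmask (\S+)", line)
        if m:
            # The first address after the interface pair is the mapped one,
            # i.e. what hosts on the lower-security side use as destination.
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
            statics.append((m.group(1), m.group(2), net))
    return levels, statics

def explain_305005(log, config):
    """Classify the flow named in a 305005 message against the config."""
    m = re.search(r"src (\w+):([\d.]+) dst (\w+):([\d.]+)", log)
    if not m:
        return "no src/dst flow found in log line"
    src_if, _, dst_if, dst_ip = m.groups()
    levels, statics = parse_config(config)
    if levels[src_if] > levels[dst_if]:
        return "outbound: needs nat/global (or nat 0) on the source interface"
    dst = ipaddress.ip_address(dst_ip)
    for real_if, mapped_if, mapped_net in statics:
        if (real_if, mapped_if) == (dst_if, src_if) and dst in mapped_net:
            return "inbound: covered by static"
    return f"inbound: no static ({dst_if},{src_if}) covers {dst_ip}"

if __name__ == "__main__":
    print(explain_305005(LOG, CONFIG))           # config as posted
    print(explain_305005(LOG, CONFIG + STATIC))  # with the sample static
```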
