OK, I need some ideas on how to solve this problem. This will be quite a brainstorming for you ;).
IP addresses are not real, but as in my real situation they are public IANA addresses :).
I will describe network situation:
PIX running PIX OS 6.3 with three interfaces:
1. inside - 188.8.131.52/24 (sec-level 100)
2. outside - x.x.x.x (sec-level 0) - Internet
3. projectVLAN - 192.168.50.0/24 (sec-level 60)
On the inside network there is another subnet 184.108.40.206/24 behind a router. The PIX has a route to this subnet:
"route inside 220.127.116.11 255.255.255.0 18.104.22.168" (this is ROUTER2 IP)
Users from projectVLAN can access inside servers using configured static(s) with ACL permits on the projectVLAN interface.
The problem is when users want to access servers on subnet 22.214.171.124/24 through a static. Communication is not successful, because traffic is not returning correctly. ROUTER2 on 126.96.36.199/24 is at another WAN location and does not have a route to hosts on 192.168.50.0/24 through PIX IP 188.8.131.52/24.
Therefore I have used a static in conjunction with "nat outside". It translates the destination IP and also the source IP, which ROUTER2 is aware of (it knows a route to it). Connecting to the server (tested through ping) is now successful, but all other communication from inside to projectVLAN does not pass (is blocked), with this syslog message on the PIX:
"%PIX-3-305005: no translation group found for ICMP ..."
Here is a short cut-out from the config (I hope you will be able to see all the needed stuff - sorry for mistakes, this is not pasted but manually written - hope the syntax is good :)
name 184.108.40.206 ROUTER2
name 192.168.50.200 NATaddforSERVER
nameif outside ethernet0 security-level 0
nameif inside ethernet1 security-level 100
nameif projectVLAN ethernet2 security-level 60
ip address outside 220.127.116.11 255.255.255.248
ip address inside 18.104.22.168 255.255.255.0
ip address projectVLAN 192.168.50.1 255.255.255.0
route outside 0 0 22.214.171.124
route inside 126.96.36.199 255.255.255.0 188.8.131.52
nat (inside) 5 0 0
nat (pVLAN) 10 192.168.50.0 255.255.255.128
nat (pVLAN) 20 access-list TEST outside
global (outside) 10 184.108.40.206 - 220.127.116.11
global (outside) 10 18.104.22.168
global (outside) 5 interface
global (pVLAN) 5 192.168.50.254
global (inside) 20 interface
static (inside,projectVLAN) NATaddforSERVER 22.214.171.124 netmask 255.255.255.255 0 0
access-list TEST permit ip 192.168.50.0 255.255.255.0 host NATaddforSERVER
access-group TEST in interface projectVLAN
Any good ideas are greeeaaatly appreciated =P.
If you solve this I will say that you are quite a network professional :))).