Multiple Internal IP in PIX 525 v7.2 unable to access from HQ

idzmacs (Level 1)

Hi Guys,

I have a problem where my HQ (private IP) is unable to ping and access a server with IP 10.45.x.42 residing at my branch. Both HQ and my branch use private IPs. My LAN uses 2 IP ranges.

LAN                            FW            Exinda        Router
10.45.x.0/19 (old range) --->  10.36.x.12 --> 10.39.x.3 --> 10.39.x.1 ---> Internet
         &
10.36.x.0/16 (new range)

Previously I was using both IP ranges in my network-object and I asked our provider to ping my LAN, but there was no reply.

Now the problem is that the HQ/provider can't ping 10.45.x.0/19; it gets stuck at the PIX.

When I use packet-tracer I get this result. It seems to be stuck at NAT.

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list net36
nat-control
  match ip inside 10.45.x.0 255.255.224.0 Net any
    dynamic translation to pool 1 (10.39.x.2 [Interface PAT])
    translate_hits = 3185, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4dc4d38, priority=2, domain=nat-reverse, deny=false
    hits=1782778, user_data=0x4d2e470, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.45.x.0, mask=255.255.224.0, port=0

Here is my network-object config:

object-group network NET_CLIENT
 network-object 10.36.x.0 255.255.0.0
 network-object 10.45.x.0 255.255.224.0
access-list permit-all extended permit icmp any any
access-list permit-all extended permit ip any any
access-list permit-all extended permit udp any any
access-list permit-all extended permit tcp any any
access-list net36 extended permit ip object-group NET_CLIENT any
access-list net36 extended permit tcp object-group NET_CLIENT any
access-list net36 extended permit udp object-group NET_CLIENT any
access-list net36 extended permit icmp object-group NET_CLIENT any

I really appreciate your help and advice.

Accepted solution: Jouni Forss's reply below proposing NAT0 (NAT exemption) between 10.22.x.x/yy and 10.45.x.0/19.

13 Replies

Jouni Forss (VIP Alumni)

Hi,

It would be better to see the actual "packet-tracer" command and the complete output it gives.

Basically what the above states is that the traffic tested hits a different NAT rule in the other direction, and because of this the traffic will fail.

Can you provide us with the "packet-tracer" command and output?

If you can, the NAT configuration would naturally help a lot also.

- Jouni

Hi Jouni,

I can't do the packet-tracer as the PIX has already been bypassed by my superior.

Based on my config, how should I allow IP 10.45.x.0 to be pingable from the outside interface, e.g. my HQ? With this config as written, the log shows there is no translation group towards the dst 10.45.x.0/19:

Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.24/50204 dst inside:10.45.x.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:202.75.x.43/65025 dst inside:10.45.x.51/443
Jul 02 2013 20:13:30: %PIX-3-305005: No translation group found for tcp src Net:113.210.x.139/34736 dst inside:10.45.x.51/443

Based on my config, even allowing all traffic in and out I am still stuck with "No translation group". Can you guide me on how to use the network-object with the ACL so that outside can access the server inside and it will not get stuck on the NAT portion?

===============

PIX Version 7.2(1)
!
hostname SD
names
dns-guard
!
interface Ethernet0
 nameif Net
 security-level 0
 ip address 10.39.x.x 255.255.255.128
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.36.x.x 255.255.255.248
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone MYT 8
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
access-list permit-all extended permit icmp any any
access-list permit-all extended permit ip any any
access-list permit-all extended permit udp any any
access-list permit-all extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging buffered notifications
logging trap debugging
logging history informational
logging asdm informational
logging host inside 10.36.x.17
logging ftp-bufferwrap
mtu Net 1500
mtu inside 1500
ip verify reverse-path interface Net
ip verify reverse-path interface inside
no failover
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat-control
global (Net) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
access-group permit-all in interface Net
access-group permit-all in interface inside
route Net 0.0.0.0 0.0.0.0 10.39.x.x 1
route inside 10.36.0.0 255.255.0.0 10.36.x.x 1
route inside 10.45.x.0 255.255.224.0 10.36.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.36.x.142 255.255.255.255 inside
snmp-server location level 2
snmp-server contact Network
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet 10.36.x.x 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end

Can anybody teach me how I can accomplish multiple internal IPs that are pingable from the outside (HQ office)?

Hi,

The ICMP is coming from a public source IP address?

How is the HQ connected to this site that has the PIX firewall?

- Jouni

Hi Jouni,

My HQ with IP 10.22.x.x is trying to ping a server in the IP range 10.45.x.0. Routing is done at the ISP level via IPVPN.

When they traceroute from HQ it gets stuck at the router's public IP, but if the PIX is bypassed the traffic can pass through.

The old segment 10.36.x.x should remain in the PIX. How do I allow the new segment 10.45.x.0 to be pingable from 10.22.x.x? Any advice appreciated.

Hi,

I am still not quite sure about your setup.

You say that the HQ is connected to the PIX site through the ISPs network. The HQ network should be 10.22.x.x/yy. On the basis of your above PIX configuration this should be located behind the "outside" interface of the PIX.

Yet the logs you have posted above show traffic coming from public IP addresses and NOT the 10.22.x.x/yy, so it's hard to determine what the situation actually is and what NAT configuration to suggest.

If I were to purely go on the information given THEN for your HQ coming from subnet 10.22.x.x/yy to subnet 10.45.x.0/19 you would have to configure NAT0 between these networks.

Essentially the configuration would look something like this:

access-list INSIDE-NAT0 remark NAT0/NONAT for Branch to HQ traffic
access-list INSIDE-NAT0 permit ip 10.45.x.0 255.255.224.0 10.22.x.x y.y.y.y
nat (inside) 0 access-list INSIDE-NAT0

This should essentially enable hosts from 10.22.x.x/yy subnet to connect directly to subnet 10.45.x.0/19 on their original IP addresses as far as your PIX configurations are concerned.

- Jouni
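An added example, not part of the thread, showing how the NAT0 advice above sits next to the dynamic PAT already in the posted config, why the original packet-tracer dropped at the NAT phase, and what to check afterwards. It keeps the thread's placeholders (10.45.x.0, 10.22.x.x, y.y.y.y) and the interface names Net and inside from the posted config; the object-group name BRANCH_NETS and the packet-tracer test hosts are assumptions for illustration.

```cisco
! Existing state (from the posted config). With nat-control on, a packet
! crossing interfaces must match a translation rule or it is dropped with
! "%PIX-3-305005: No translation group found". The only rule is a one-way
! dynamic PAT for inside-initiated flows; a Net-initiated flow to an inside
! host has nothing to match, which is what the "rpf-check" NAT drop reports.
nat-control
global (Net) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0

! Added: NAT exemption ("nat 0 access-list") for Branch <-> HQ traffic.
! Caveat: plain identity NAT ("nat (inside) 0 10.45.x.0 255.255.224.0",
! no access-list) behaves like dynamic NAT and only allows inside-initiated
! connections. The access-list form (NAT exemption) is bidirectional, so
! HQ hosts can open connections to the branch, which is what is needed.
object-group network BRANCH_NETS          ; assumed name
 network-object 10.45.x.0 255.255.224.0
 network-object 10.36.0.0 255.255.0.0
access-list INSIDE-NAT0 remark NAT0/NONAT for Branch <-> HQ traffic
access-list INSIDE-NAT0 extended permit ip object-group BRANCH_NETS 10.22.x.x y.y.y.y
nat (inside) 0 access-list INSIDE-NAT0

! NAT exemption is matched before the numbered dynamic rules, so branch
! traffic to HQ keeps its real address while Internet-bound traffic from the
! same hosts still takes the interface PAT. Keep the exemption destination
! narrow: "any" here would also exempt Internet-bound traffic from the PAT.

! Verification from the PIX (test hosts are placeholders):
! 1. HQ-initiated ICMP should now pass the NAT phase with ALLOW instead of
!    the rpf-check DROP shown earlier in the thread.
packet-tracer input Net icmp 10.22.x.x 8 0 10.45.x.42
! 2. The branch-initiated direction should also be exempt (no PAT entry).
packet-tracer input inside tcp 10.45.x.42 12345 10.22.x.x 443
! 3. Counters: the exemption ACL should accrue hits, "show nat" should list
!    the nat 0 rule first, and no xlate to 10.39.x.2 should appear for
!    HQ-bound flows.
show access-list INSIDE-NAT0
show nat
show xlate
```

Because ip verify reverse-path is enabled on Net, HQ sources must be reachable via a route out of Net; the posted default route covers that, but a more specific route to 10.22.x.x/yy pointing at inside would make unicast RPF drop them before NAT is even consulted.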

Hi Jouni,

Thanks for the configuration.

I have limited knowledge about firewalling. Sorry about that.

Can the PIX pass traffic through without it being filtered/dropped at the NAT portion? Just like, e.g.:

10.22.x.x --> 10.45.x.x
10.23.x.x --> 10.36.x.x

--idz

Hi,

It seems to me you have in your above configuration allowed ALL traffic through the PIX.

The configuration I provided should enable connections through the PIX with regards to NAT between 10.22.x.x/yy and 10.45.x.0/19 subnets in either direction.

If the other Branch network needs the same type of rule then you would simply add another line to the ACL/access-list we created BUT you would use the other Branch network as the source:

access-list INSIDE-NAT0 permit ip 10.36.0.0 255.255.0.0 10.22.x.x y.y.y.y

- Jouni

Hi,

Thanks Jouni. Really appreciate your help. Will try it tomorrow.

Hi Jouni,

Here is the latest packet-tracer. It seems stuck on the newly created NAT 0. Any idea?

packet-tracer input Net tcp 103.245.x.x 443 10.45.x.51 443

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.45.160.0     255.255.224.0   inside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Net

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group permit-all in interface Net
access-list permit-all extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 0 access-list INSIDE-NAT0
nat-control
  match ip inside any Net any
    no translation group, implicit deny
    policy_hits = 220178
Additional Information:

Result:
input-interface: Net
input-status: up
input-line-status: up
output-interface: Net
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

You are testing with an IP address that you haven't mentioned so far. Last you mentioned some 10.22.x.x/yy networks.

So I have no idea what you are trying to accomplish since the IP addresses you are using are changing in every post.

It's really hard to help with this since I don't know what you are actually trying to accomplish.

- Jouni

Hi Jouni,

Thank you for your patience. I am really sorry to trouble you.

I have an email server with a public IP of 103.245.xx.xx. This IP is NATed to our private IP 10.45.160.51.

If the PIX is connected the email can't be viewed. If I bypass the PIX it's OK.

I'm trying to accomplish that our staff outside can reach my OWA email.

Hope this clears up what I want to accomplish.

Hi Jouni,

I managed to resolve this problem as you advised. Just a little tweak on the command you gave and it works. Thank you for your great help.
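Reading the last packet-tracer in the thread, as an added note with example config that is not the poster's own fix (the thread does not say what the "little tweak" was): the test source 103.245.x.x is a public address, so it does not fall inside the 10.22.x.x destination of INSIDE-NAT0, and with nat-control on there is no other rule a Net-initiated flow to 10.45.160.51 can match, hence "no translation group, implicit deny". One way to make the OWA host reachable from arbitrary outside sources is a static identity NAT for that single host, shown here with the thread's interface names and the hosts from the packet-tracer; the ACL name OUTSIDE-IN is an assumption.

```cisco
! The failing test from the thread: a Net-initiated flow from a public
! source to the OWA host. INSIDE-NAT0 only exempts traffic between the
! branch and the HQ subnet, so a 103.245.x.x source matches no translation
! and nat-control drops it.
packet-tracer input Net tcp 103.245.x.x 443 10.45.160.51 443

! Option A (host-specific): static identity NAT for the one server that
! must accept connections from any outside source. Static rules permit
! outside-initiated connections regardless of source address. Note the
! side effect: the server's own outbound traffic now leaves with its real
! address instead of the interface PAT, so the upstream router/ISP must
! route 10.45.160.51, as it already does for the public-to-private mapping
! the poster describes.
static (inside,Net) 10.45.160.51 10.45.160.51 netmask 255.255.255.255

! Option B (pitfall, shown for contrast, not recommended): widening the
! exemption to "any". NAT exemption is matched before the numbered dynamic
! rules, so this would also exempt every 10.45.x.0/19 host's Internet-bound
! traffic from the interface PAT and send private addresses upstream.
! access-list INSIDE-NAT0 extended permit ip 10.45.x.0 255.255.224.0 any

! Re-run the same test after Option A: the NAT phase should now cite
! "static (inside,Net) 10.45.160.51 10.45.160.51 netmask 255.255.255.255"
! with Result: ALLOW, and the trace should end with Action: allow.
packet-tracer input Net tcp 103.245.x.x 443 10.45.160.51 443
show xlate | include 10.45.160.51

! Once NAT works, replace the "permit ip any any" access-group on Net with
! the published services only. Example (assumed name), keeping HQ ICMP:
access-list OUTSIDE-IN extended permit tcp any host 10.45.160.51 eq 443
access-list OUTSIDE-IN extended permit icmp 10.22.x.x y.y.y.y 10.45.x.0 255.255.224.0 echo
access-group OUTSIDE-IN in interface Net
```

The distinction to remember on PIX/ASA 7.x: NAT exemption (nat 0 access-list) is bidirectional but only for the source/destination pairs in its ACL, while a static identity translation makes one real address reachable from any source the interface ACL permits. Either way the translation rule only decides whether a flow can be built; the access-group on Net decides whether it is allowed, so leaving "permit ip any any" there once NAT works exposes every host behind the static or exemption.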
