Cisco Support Community

New Member

PIX 515E: from OUT to IN without NAT

Hello!

On PIX 515E I need access from a real IP x.x.x.x (outside interface) to inside IP 10.1.1.2 (inside interface) without NAT - for test purposes.

When I try to access the inside IP 10.1.1.2 from the real IP x.x.x.x, the PIX sends error messages to syslog: (305005) "No translation group found for icmp src OUT:x.x.x.x dst IN:10.1.1.2 (type 8, code 0)".

I tried 2 configs:

1. access-list nonat_toInside extended permit ip host x.x.x.x 10.1.1.0 255.255.255.0

nat (OUT) 0 access-list nonat_toInside

2. static (OUT,IN) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

But nothing helped... Maybe there are mistakes? Or what should I do to solve the problem?

6 REPLIES
Hall of Fame Super Blue

Re: PIX 515E: from OUT to IN without NAT

Hi

static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

+ allow icmp on your access-lists

HTH

Jon

New Member

Re: PIX 515E: from OUT to IN without NAT

The problem still remains.

If I write "static (outside,inside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255" I see on "show nat" this:

NAT policies on Interface Out:

match ip Out host 10.1.1.2 IN any

static translation to 10.1.1.2

translate_hits = 0, untranslate_hits = 0

If I write your command "static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255", this rule appears on interface IN and the PIX still doesn't translate.

Why doesn't nat 0 work?

Re: PIX 515E: from OUT to IN without NAT

nat 0 only works for inside to outside dynamic translations.

In your case you need a static like jon.marshall suggested:

static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

(outside,inside) is only used if you want to translate the outside source address.

Silver

Re: PIX 515E: from OUT to IN without NAT

Also, if you are testing with ping, make sure you are allowing ICMP echo replies into the outside interface.

Ex. access-list outside_in extended permit icmp any any echo-reply

access-group outside_in in interface outside

Gold

Re: PIX 515E: from OUT to IN without NAT

or add icmp inspection to the global policy.
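
Putting the three replies together (the identity static in the (inside,outside) direction, an ACL applied inbound on the outside interface, and ICMP inspection in the global policy), here is a complete configuration fragment. It is an added example, not the original poster's config or text from any of the replies. It assumes a PIX 515E running 7.x software, interfaces named outside and inside instead of the thread's OUT and IN, the documentation address 203.0.113.10 standing in for the real outside host x.x.x.x, and 10.1.1.1 as the PIX's inside address; all of these are assumptions.

```cisco
! Added example, not the thread's own configuration. Assumed: PIX 7.x,
! interfaces named outside/inside, 203.0.113.10 in place of x.x.x.x,
! 10.1.1.1 as the PIX inside address.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

! Identity static: present 10.1.1.2 on the outside as itself. The pair is
! (real_ifc,mapped_ifc); the real host lives on inside, so the order is
! (inside,outside). The reversed form, static (outside,inside), describes
! translation of an outside SOURCE address and never matches traffic whose
! destination is 10.1.1.2, which is why "show nat" showed it on the wrong
! interface with zero hits.
static (inside,outside) 10.1.1.2 10.1.1.2 netmask 255.255.255.255

! A translation alone is not enough: a connection entering the lower-security
! interface also needs an explicit permit. Scope it to the single test host
! and the single target rather than "any any" so the test window does not
! expose the whole 10.1.1.0/24 subnet.
access-list outside_in extended permit icmp host 203.0.113.10 host 10.1.1.2 echo
access-list outside_in extended permit ip host 203.0.113.10 host 10.1.1.2
access-group outside_in in interface outside

! Track ICMP as a stateful session so echo-replies are matched to the
! request and return without a separate echo-reply ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
```

After applying it, a ping from 203.0.113.10 to 10.1.1.2 should increment the untranslate_hits counter of the static in "show nat" and no longer log 305005. Remove the access-list entries once the test is done; an identity static left in place with a permissive ACL is a permanent inbound exposure of that host.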

New Member

Re: PIX 515E: from OUT to IN without NAT

Sorry, Jon, I wrote the wrong IP in my config :[

So, your answer helped me!

Thanks!!

P.S. I've forgotten to check a box that the post resolved my problem. But now I'm not allowed to do this...
