Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Static NAT PIX Command

Running PIX 6.3(5)

Goal is to translate a outside external src IP 12.12.12.10 to a internal ip 172.16.1.200 on the inside of the PIX.

Tried to use static (outside,inside) 172.16.1.200 12.12.12.10 without any luck get

305005: No translation group found for icmp src outside:12.12.12.10 dst inside:1

72.16.1.200 (type 8, code 0)

This should work, what am I missing?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Static NAT PIX Command

Andrew,

After you configure the above statement, where are you sourcing the ICMP packets from and what is the destination.

I believe below statement will translate the outside IP 12.12.12.10 to 172.16.1.200 and then you need a translation for whatever destination the IP Address is.

For example:

Router 1.1.1.1 - Inside ASA - Outside - 12.12.12.10

static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

ciscoasa(config)# sh xlate

2 in use, 2 most used

Global 1.1.1.1 Local 1.1.1.1

Global 172.16.1.200 Local 12.12.12.10

So, if I telnet to 1.1.1.1 from the outside with 12.12.12.10, the packets get translated to 172.16.1.200 on the ASA and then the ASA looks for the regular inside/outside translation for the destination. That is why I have a static (inside,outside) for 1.1.1.1.

Router that is configured with IP 1.1.1.1

interface Loopback101

ip address 1.1.1.1 255.255.255.0

7140#sh users

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:02:27 172.16.1.200

I hope it helps.

Regards,

Arul

*Pls rate all helpful posts*

7 REPLIES

Re: Static NAT PIX Command

try it in other direction, to map 12.12.12.10 towards 172.16.1.200 your identity nat must be in this format.

static (inside, outside) 12.12.12.10 172.16.1.200 netmask 255.255.255.255

New Member

Re: Static NAT PIX Command

I get this error:

305006: regular translation creation failed for icmp src outside:12.12.12.10 dst

inside:172.16.1.200 (type 8, code 0)

Re: Static NAT PIX Command

clear xlate or local host and try again

either do pix#clear xlate

or

pix#clear local-host 172.16.1.200

btw you will need icmp acl to allow pings from outside ot inside , create an acl to allow different service such as rdp and test through that port instead of icmp by rdping from outside to 12.12.12.10

icmp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

New Member

Re: Static NAT PIX Command

Yes already have a permit any any on outside interface and have done clear xlate.

Cisco Employee

Re: Static NAT PIX Command

Andrew,

After you configure the above statement, where are you sourcing the ICMP packets from and what is the destination.

I believe below statement will translate the outside IP 12.12.12.10 to 172.16.1.200 and then you need a translation for whatever destination the IP Address is.

For example:

Router 1.1.1.1 - Inside ASA - Outside - 12.12.12.10

static (outside,inside) 172.16.1.200 12.12.12.10 netmask 255.255.255.255

static (inside,outside) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

ciscoasa(config)# sh xlate

2 in use, 2 most used

Global 1.1.1.1 Local 1.1.1.1

Global 172.16.1.200 Local 12.12.12.10

So, if I telnet to 1.1.1.1 from the outside with 12.12.12.10, the packets get translated to 172.16.1.200 on the ASA and then the ASA looks for the regular inside/outside translation for the destination. That is why I have a static (inside,outside) for 1.1.1.1.

Router that is configured with IP 1.1.1.1

interface Loopback101

ip address 1.1.1.1 255.255.255.0

7140#sh users

Line User Host(s) Idle Location

* 0 con 0 idle 00:00:00

2 vty 0 idle 00:02:27 172.16.1.200

I hope it helps.

Regards,

Arul

*Pls rate all helpful posts*

New Member

Re: Static NAT PIX Command

That did it. I was missing the 2nd static.

Thanks.

New Member

Re: Static NAT PIX Command

Why not a single command

static (inside,outside) 12.12.12.10 172.16.1.200 0 0

198
Views
0
Helpful
7
Replies
CreatePlease to create content