
Static Port Redirection on Pix 515E 6.3(5)

Dear All,

I am working on a 515e with the following interfaces:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security4

nameif ethernet3 webside security6

nameif ethernet4 backweb security8

nameif ethernet5 bakweb_domino security7

I have a Windows box with 139.128.152.130/27 on the inside, and another Windows box with 81.184.174.86/29 on the dmz, both with a TFTP client.

I have configured the following static port redirection:

static (dmz,inside) udp 139.128.152.133 tftp 81.184.174.86 tftp netmask 255.255.255.255

In this way the TFTP requests from the inside network .130 to .133 are redirected to 81.184.174.86. Then I have also configured:

nat (inside) 0 139.128.152.130 255.255.255.255

to exclude the .130 from translation.

It works from the inside to the dmz, but from dmz 81.184.174.86 to 139.128.152.130 it does not work. I have just added an ACL to permit the traffic.

In the PIX log I got the following message:

%PIX-3-305005: No translation group found for udp src dmz:81.184.174.86/1038 dst inside:139.128.152.130/69

Why?

Best regards,

Igor.

2 REPLIES

Re: Static Port Redirection on Pix 515E 6.3(5)

You need a translation anytime you go from a lower security interface to a higher one.

static (inside,dmz) 139.128.152.130 139.128.152.130 netmask 255.255.255.255

Hope that helps
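
The rule stated in the reply above, applied to the poster's configuration and log line, as an added example that is not part of the original thread. It is a simplified model that looks only at `nameif` and `static` lines (not `nat`/`global` or ACLs); the function names are hypothetical.

```python
import ipaddress
import re

# Config and syslog lines copied from the thread above.
CONFIG = """\
nameif ethernet1 inside security100
nameif ethernet2 dmz security4
static (dmz,inside) udp 139.128.152.133 tftp 81.184.174.86 tftp netmask 255.255.255.255
"""
LOG = ("%PIX-3-305005: No translation group found for udp "
       "src dmz:81.184.174.86/1038 dst inside:139.128.152.130/69")
PORTS = {"tftp": 69}  # only the service name used in the thread

def parse_config(text):
    """Return ({nameif: security level}, [static rules]) from PIX 6.3 lines."""
    levels, statics = {}, []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "nameif":
            levels[tok[2]] = int(tok[3][len("security"):])
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            i = tok.index("netmask")
            args = tok[2:i]
            proto = args.pop(0) if args[0] in ("tcp", "udp") else None
            # Port form: mapped_ip mapped_port real_ip real_port; else mapped_ip real_ip
            port = PORTS.get(args[1], args[1]) if proto else None
            net = ipaddress.ip_network(f"{args[0]}/{tok[i + 1]}", strict=False)
            statics.append((real_if, mapped_if, proto, net, port))
    return levels, statics

def parse_305005(line):
    """Extract (proto, src_if, dst_if, dst_ip, dst_port) from a 305005 message."""
    m = re.search(r"for (\w+) src (\w+):[\d.]+/\d+ dst (\w+):([\d.]+)/(\d+)", line)
    proto, src_if, dst_if, dst_ip, dst_port = m.groups()
    return proto, src_if, dst_if, ipaddress.ip_address(dst_ip), int(dst_port)

def missing_inbound_static(levels, statics, flow):
    """True if the flow goes lower -> higher security and no static covers it."""
    proto, src_if, dst_if, dst_ip, dst_port = flow
    if levels[src_if] >= levels[dst_if]:
        return False  # the reply's rule does not apply to this direction
    for real_if, mapped_if, s_proto, net, s_port in statics:
        if (real_if, mapped_if) == (dst_if, src_if) and dst_ip in net:
            if s_proto is None or (s_proto == proto and str(s_port) == str(dst_port)):
                return False
    return True

if __name__ == "__main__":
    levels, statics = parse_config(CONFIG)
    print("missing static:", missing_inbound_static(levels, statics, parse_305005(LOG)))
```
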

Re: Static Port Redirection on Pix 515E 6.3(5)

Many thanks for your reply.

I think you are right, but my purpose is that when 81.184.174.86 replies to 139.128.152.130, its src address should be translated to 139.128.152.133.

I have just tried to configure an outside nat on the dmz interface:

nat (dmz) 2 81.184.174.86 255.255.255.255 outside

global (inside) 2 139.128.152.133

It works, but I lost all the other translations on the webside interface.

What do you think?

BR,

Igor.
