
Cisco Employee

access list problem

I'm trying to solve a strange issue with a PIX 506.

The PIX is configured to separate two internal networks: 192.168.20.0 (outside interface) and 192.168.5.0 (inside interface).

Hosts on the outside should only be permitted ICMP, UDP and TCP traffic to a remote host (REPLICA, 192.168.1.x) which is reachable through a router on the inside interface.

The configuration is the following:

...
name 192.168.1.4 REPLICA
name 172.16.1.0 NET-RADIO
access-list outside_access_in permit tcp 192.168.20.0 255.255.255.0 host REPLICA log 4
access-list outside_access_in permit icmp 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in permit icmp 192.168.20.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_access_in permit udp 192.168.20.0 255.255.255.0 host REPLICA log 4
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any log
access-list inside_access_in permit ip 192.168.5.0 255.255.255.0 any
access-list inside_access_in permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in permit icmp 192.168.5.0 255.255.255.0 any log 4
ip address outside 192.168.20.253 255.255.255.0
ip address inside 192.168.5.253 255.255.255.0
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
nat (inside) 0 192.168.5.0 255.255.255.0 0 0
static (outside,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.168.5.254 192.168.5.254 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.253 192.168.1.253 netmask 255.255.255.255 0 0
static (inside,outside) NET-RADIO NET-RADIO netmask 255.255.255.248 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route inside NET-RADIO 255.255.255.248 192.168.5.253 1
route inside 192.168.1.0 255.255.255.0 192.168.5.253 1
icmp permit any outside
icmp permit any inside

The problem is that the traffic gets blocked, and in the log we found the following:

305005: No translation group found for icmp src outside:192.168.20.98 dst inside:REPLICA (type 8, code 0)

1 REPLY
Silver

Re: access list problem

static (outside,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0

This makes no sense - statics should reference high security ints, then low security ints.

static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

would statically map the inside subnet for outside access - commonly seen in environments where NAT is not used.

You do not have a static command for REPLICA - all of the other static commands are for 3 other hosts:

static (inside,outside) 192.168.5.254 192.168.5.254 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.1.253 192.168.1.253 netmask 255.255.255.255 0 0

static (inside,outside) NET-RADIO NET-RADIO netmask 255.255.255.248 0 0

Create a static for replica.

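To make the reply's diagnosis checkable, here is an added Python script (not from the thread, the replier, or Cisco) that models the translation lookup behind syslog 305005 against a constructed excerpt of the posted config: it parses the `name` and `static` lines, asks whether a packet entering `outside` for `REPLICA` on `inside` is covered by a static whose real side is `inside` and mapped side is `outside`, and then repeats the check with the static the reply asks for. It assumes that a plain `nat (inside) 0` line without an access-list does not satisfy this inbound lookup, and it ignores access-lists, which the PIX evaluates separately.

```python
import ipaddress

# Constructed excerpt of the translation-related lines from the thread's PIX config.
PIX_CONFIG = """
name 192.168.1.4 REPLICA
name 172.16.1.0 NET-RADIO
nat (inside) 0 192.168.1.0 255.255.255.0 0 0
nat (inside) 0 192.168.5.0 255.255.255.0 0 0
static (outside,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.168.5.254 192.168.5.254 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.253 192.168.1.253 netmask 255.255.255.255 0 0
static (inside,outside) NET-RADIO NET-RADIO netmask 255.255.255.248 0 0
"""

# The static the reply asks for, written in the thread's own identity-NAT style.
FIX_LINE = "static (inside,outside) REPLICA REPLICA netmask 255.255.255.255 0 0\n"


def parse_statics(config_text):
    """Return ({name: ip}, [(real_if, mapped_if, real_network)]) from a PIX config.
    Syntax modelled: static (real_if,mapped_if) mapped_ip real_ip netmask MASK ...
    Plain 'nat (if) 0 net mask' lines are skipped on purpose (assumption): without an
    access-list they only exempt inside-initiated connections, so they cannot satisfy
    a lookup for traffic arriving on the lower-security interface."""
    names, statics = {}, []
    for line in config_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name":
            names[parts[2]] = parts[1]
        elif parts[0] == "static":
            real_if, mapped_if = parts[1].strip("()").split(",")
            real_ip = names.get(parts[3], parts[3])
            mask = parts[5] if len(parts) > 5 and parts[4] == "netmask" else "255.255.255.255"
            statics.append((real_if, mapped_if, ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)))
    return names, statics


def flow_has_translation(config_text, ingress_if, dst_if, dst):
    """Mimic the check behind syslog 305005 for a packet entering on ingress_if (lower
    security) bound for dst on dst_if: some static must have its real side on dst_if,
    its mapped side on ingress_if, and cover the destination address."""
    names, statics = parse_statics(config_text)
    dst_ip = ipaddress.ip_address(names.get(dst, dst))
    return any(real_if == dst_if and mapped_if == ingress_if and dst_ip in real_net
               for real_if, mapped_if, real_net in statics)


if __name__ == "__main__":
    for cfg, label in ((PIX_CONFIG, "as posted"), (PIX_CONFIG + FIX_LINE, "with REPLICA static")):
        found = flow_has_translation(cfg, "outside", "inside", "REPLICA")
        print(label, "->", "translation found" if found else
              "305005: No translation group found for icmp src outside:192.168.20.98 dst inside:REPLICA")
```

The reversed `static (outside,inside)` line is parsed but never matches this flow, which is the replier's point about interface order.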