Destination NAT on inside interface of Pix to DMZ host.

kskinner · ‎05-11-2006

Hello experts.

I wonder if there is a solution to this problem. I have a single host in a dmz 192.168.9.6/29 with a 515 pix at 192.168.9.1/29, and 172.30.7.250/24 on internal interface. There is also an external I/F but it is irrelevant to the problem.

I want all users on my internal network to see this host at 172.30.7.249. I want the Pix to Proxy arp for this address and NAT the destination to 192.168.9.6. The Pix then delivers the traffic to the DMZ host. The host responds, and again the PIX NATs the response packet putting 172.30.7.249 as the source ip of the response. I tried doing this with Static (dmz,inside) 172.30.7.249 192.168.9.6 netmask 255.255.255.255 0 0

but it doesn't work because the PIX didn't appear to even proxy arp for the internal address. Nothing appears in log. So I added an ALIAS (inside) 192.168.9.6 172.30.7.249 255.255.255.255

Now it still doesn't work, but I get log entries when I try to ping the DMZ server from an Inside switch...

11-05-2006 12:24:08 Local4.Error 172.30.7.254 May 11 2006 12:21:37: %PIX-3-305006: regular translation creation failed for icmp src inside:172.30.7.251 dst dmz:172.30.7.249 (type 8, code 0)

What can I do to make this type of NAT work for all protocols?

Fernando_Meza · ‎05-11-2006

I think the alias can do the job but in your case it seems you configured the other way around.. it should say

ALIAS (inside) 172.30.7.249 192.168.9.6 255.255.255.255

I hope it helps ... please rate it if it does !!!