Low Security-Level Accessing High Security-Level

haithamnofal
Level 3

Dear All,

I have something that I need your help clarifying. For the sake of testing outside NAT on a PIX, I placed a host on the outside interface of my PIX firewall and another one on the inside interface. Let's call the inside host Host A (172.16.1.178) and the outside host Host B (192.168.1.96).

I then applied:

nat (inside) 0 0 0 and

nat (outside) 0 0 0 outside

commands to have both subnets appear to each other with their original IP addresses. When pinging from Host B to Host A, no response is received and syslog message 305005 appears (No translation group found for ICMP src outside:192.168.1.96 dst inside:172.16.1.178). However, when pinging from Host A to Host B with the original Host B IP, a response is received successfully. After doing that, confusingly, if I try again to ping from Host B to Host A, things work this time with no errors. (Note: ICMP is permitted both ways.)

When applying clear xlate, we start over! It looks like the PIX doesn't forward the request from Host B to Host A unless there is a previous session established from Host A through the PIX.

Does anybody have an explanation for what's happening? Is there anybody who has gone through something like this before?

Appreciate your feedback.

Thanks,

Haitham


3 Replies

fzamora
Cisco Employee (Accepted Solution)

You are using nat 0 (identity nat) which does not allow bi-directional communication UNLESS the host located in the high security interface initiates the connection.

You may want to try the following:

static (inside,outside) 172.16.1.178 172.16.1.178 netmask 255.255.255.255

That allows the inside host to be "self translated" on the outside and will allow the host located on the untrusted side to start communications to it (it will be seen with the same IP).

more info:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694

Franco Zamora

Hi Franco,

I'm also facing the same problem with FWSM Module in Cisco 6509 Switch.

The command you have given applies to a single-host static translation: "static (inside,outside) 172.16.1.178 172.16.1.178 netmask 255.255.255.255". I have a full network of 172.21.X.X using nat 0. How do I configure the static NAT for the full network?

Kindly revert back ASAP.

Regards,

R. Rajaraman.

Hi Rajaraman,

For the full network you use the netmask to specify the network:

Ex: static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

But it depends on your architecture and needs; it's not safe to use such a static for the whole network, so you should use an access-list to permit just the trusted IPs and the needed ports.

Best Regards
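The pieces from the thread, put together as one worked configuration. This is an added example, not a configuration posted by anyone in the thread, and it is written in PIX 6.3 syntax (the same commands apply to the FWSM) using the addresses from the original post. Lines starting with "!" are comments for the reader. The access-list name "outside_in" and the TCP port (22, SSH) are assumptions for illustration; the thread itself names no ports. Use either the single-host static or the subnet static for a given range, not both.

```cisco
! Identity NAT as in the original post. An xlate is created only when the
! inside host sends first, which is why Host B's ping fails until Host A
! has talked to it and fails again after "clear xlate".
nat (inside) 0 0 0
nat (outside) 0 0 0 outside
!
! Franco's fix: a static identity translation for the single host. The
! translation is configured rather than learned from traffic, so Host B can
! initiate to Host A immediately, including right after "clear xlate".
static (inside,outside) 172.16.1.178 172.16.1.178 netmask 255.255.255.255
!
! Alternative from the last reply: the same for a whole subnet. Same address
! on both sides; the netmask selects the range. Replace the host static above
! with this line if the whole subnet must be reachable.
! static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
!
! A static by itself does not let outside-initiated traffic in. The outside
! interface still needs an access-list; permit only trusted sources and the
! ports actually required (ACL name and port 22 are assumptions).
access-list outside_in permit icmp host 192.168.1.96 host 172.16.1.178 echo
access-list outside_in permit tcp host 192.168.1.96 host 172.16.1.178 eq 22
access-group outside_in in interface outside
```

After applying this, ping from Host B to Host A without first sending anything from Host A, then run clear xlate and repeat: with the static in place the result no longer depends on prior inside-initiated traffic. show xlate and show conn show the translation and any connections built through it. Replacing "host 192.168.1.96" with a broader source or "eq 22" with a wider port range is exactly the exposure the last reply warns about.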
