10-27-2005 01:11 PM - edited 03-09-2019 12:51 PM
Dear All,
I have something I need your help clarifying; for the sake of testing outside NAT in PIX, I placed a host on the outside interface of my PIX FW and another one on the inside interface. Let's call the inside host Host A (172.16.1.178) and the outside host Host B (192.168.1.96).
I then applied:
NAT (inside) 0 0 0 and
NAT (outside) 0 0 0 outside
commands to have both subnets appear to each other with their original IP addresses. When pinging from Host B to Host A, no response is received and a syslog message 305005 appears (No translation group found for ICMP src outside: 192.168.1.96 dst inside: 172.16.1.178) ... However, when pinging from Host A to Host B with the original Host B IP, a response is received successfully. After doing that, confusingly, if I try again to ping from Host B to Host A, things work this time with no errors. (Note: ICMP is permitted both ways.)
When applying clear xlate, we start over! It looks like the PIX doesn't forward the request from Host B to Host A unless there's a previous session established from Host A through the PIX.
Does anybody have any explanation for what's happening? Is there anybody who went through something like this before?
Appreciate your feedback.
Thanks,
Haitham
10-27-2005 01:33 PM
You are using nat 0 (identity nat) which does not allow bi-directional communication UNLESS the host located in the high security interface initiates the connection.
You may want to try the following:
static (inside,outside) 172.16.1.178 172.16.1.178 netmask 255.255.255.255
That allows the inside host to be "self translated" on the outside and will allow the host located on the untrusted side to start communications to it (it will be seen with the same IP).
more info:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694
Franco Zamora
11-18-2005 06:24 AM
Hi Franco,
I'm also facing the same problem with FWSM Module in Cisco 6509 Switch.
The command you have given applies for a single host static translation "static (inside,outside) 172.16.1.178 172.16.1.178 netmask 255.255.255.255". I have a full network of 172.21.X.X using Nat 0. How to give the static natting for the full network ?
Kindly revert back ASAP.
Regards,
R. Rajaraman.
11-18-2005 10:45 PM
Hi Rajaraman,
For the full network you will use the mask to specify this network:
Ex : static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
But it depends on your architecture and needs; it's not safe to use such a static for the whole network, so you should use an access-list to permit just the trusted IPs and the needed ports.
Best Regards
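As an added example (not configuration posted by anyone in this thread), here is PIX 6.3 style configuration that puts the two replies together: the identity NAT from the original post, the network-wide self-translating static, and an access-list that limits what the outside may initiate. The subnet 172.16.1.0/24, the ACL name outside_in and the permitted services (ICMP echo and TCP 443) are assumptions for illustration.

```cisco
! Identity NAT as in the original post: an xlate is only built when an
! inside host initiates, so outside-initiated traffic fails until then
! (and again after "clear xlate").
nat (inside) 0 0 0
nat (outside) 0 0 0 outside

! Self-translating static for the whole inside subnet: the xlate is
! permanent, so outside hosts can initiate to inside addresses unchanged.
! 172.16.1.0/24 is assumed as the inside network.
static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

! The static alone exposes every inside host, so restrict inbound
! initiation to the trusted outside host and the needed services only.
! ACL name and ports are assumptions; everything not listed is dropped
! by the implicit deny at the end of the access-list.
access-list outside_in permit icmp host 192.168.1.96 host 172.16.1.178 echo
access-list outside_in permit tcp host 192.168.1.96 host 172.16.1.178 eq 443
access-group outside_in in interface outside
```

With the static in place, "clear xlate" no longer breaks outside-to-inside traffic, because the static translation is re-created immediately rather than waiting for an inside-initiated connection.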