New Member

Low Security-Level Accessing High Security-Level

Dear All,

I have something that I need your help clarifying; for the sake of testing outside NAT in PIX I placed a host on the outside interface of my PIX FW and another one on the inside interface. Let's call the inside host (Host A: 172.16.1.178) and the outside host (Host B: 192.168.1.96).

I then applied:

nat (inside) 0 0 0 and

nat (outside) 0 0 0 outside

commands to have both subnets appear to each other with their original IP addresses. When pinging from Host B to Host A, no response is received and a syslog message 305005 appears (No translation group found for ICMP src outside: 192.168.1.96 dst inside: 172.16.1.178) ... However, when pinging from Host A to Host B with the original Host B IP, a response is received successfully. After doing that, confusingly, if I try again to ping from Host B to Host A, things work this time with no errors. (Note: ICMP is permitted both ways.)

When applying clear xlate, we start over! It looks like the PIX doesn't forward the request from Host B to Host A unless there's a previous session established from Host A through the PIX.

Does anybody have any explanation for what's happening? Is there anybody who went through something like this before?

Appreciate your feedback.

Thanks,

Haitham

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Low Security-Level Accessing High Security-Level

You are using nat 0 (identity nat) which does not allow bi-directional communication UNLESS the host located in the high security interface initiates the connection.

You may want to try the following:

static (inside,outside) 172.16.1.178 172.16.1.178 netmask 255.255.255.255

That allows the inside host to be "self translated" on the outside and will allow the host located on the untrusted side to start communications to it (it will be seen with the same IP).

more info:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694

Franco Zamora

3 REPLIES
New Member

Re: Low Security-Level Accessing High Security-Level

Hi Franco,

I'm also facing the same problem with FWSM Module in Cisco 6509 Switch.

The command you have given applies for a single-host static translation: "static (inside,outside) 172.16.1.178 172.16.1.178 netmask 255.255.255.255". I have a full network of 172.21.X.X using nat 0. How do I configure static NAT for the full network?

Kindly revert back ASAP.

Regards,

R. Rajaraman.

New Member

Re: Low Security-Level Accessing High Security-Level

Hi Rajaraman,

For the full network you will use the mask to specify this network:

Example: static (inside,outside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

But it depends on your architecture and needs; it's not safe to use such a static for the whole network, so you should use an access-list to permit just the trusted IPs and the needed ports.

Best Regards
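The behaviour the original poster saw, the fix in the accepted answer, and the network-wide static plus access-list from the last reply, replayed in a small Python model. This is an added illustration written for this page, not Cisco's code and not a faithful PIX implementation: the `Pix` class, its rule that identity-NAT xlates are only built when the higher-security host initiates, the paraphrased message strings and the sample hosts are all constructed for the example (the host addresses come from the thread). The model ignores the translation of the outside initiator itself and only tracks what the thread is about: whether the inside destination has a translation, and whether the inbound access-list permits the flow.

```python
"""Toy model of PIX identity NAT (nat 0), static translations, clear xlate
and the inbound access-list. Written for this page; not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Syslog id the original poster saw; the wording here is paraphrased.
NO_XLATE = "305005 no translation group found"
ACL_DENY = "denied by access-list"
OK = "ok"

# Sample hosts from the thread
HOST_A = "172.16.1.178"   # inside
HOST_B = "192.168.1.96"   # outside


@dataclass
class Pix:
    security: dict                                # interface -> security level (constructed)
    nat0: set = field(default_factory=set)        # interfaces with 'nat (ifc) 0 0 0'
    statics: list = field(default_factory=list)   # (ifc, network) from 'static (ifc,other) x x netmask m'
    acl: list = field(default_factory=list)       # inbound entries: (proto, src|'any', dst|'any', port|None)
    xlate: set = field(default_factory=set)       # dynamic identity xlates: (ifc, ip)

    def static(self, ifc, net, mask):
        # static (ifc,other) net net netmask mask -> permanent, bidirectional translation
        self.statics.append((ifc, ip_network(f"{net}/{mask}")))

    def clear_xlate(self):
        # 'clear xlate' drops the dynamic entries; statics survive
        self.xlate.clear()

    def _translated(self, ifc, ip):
        addr = ip_address(ip)
        return (ifc, ip) in self.xlate or any(
            s_ifc == ifc and addr in net for s_ifc, net in self.statics)

    def _acl_permits(self, proto, src, dst, port):
        return any(
            p == proto and s in ("any", src) and d in ("any", dst) and dp in (None, port)
            for p, s, d, dp in self.acl)

    def send(self, src_ifc, src, dst_ifc, dst, proto="icmp", port=None):
        """Return OK, NO_XLATE or ACL_DENY for one packet crossing the PIX."""
        if self.security[src_ifc] > self.security[dst_ifc]:
            # High -> low: identity nat builds xlates for both ends on demand,
            # so later traffic from the low side finds a translation.
            for ifc, ip in ((src_ifc, src), (dst_ifc, dst)):
                if not self._translated(ifc, ip):
                    if ifc not in self.nat0:
                        return NO_XLATE
                    self.xlate.add((ifc, ip))
            return OK
        # Low -> high: the high-security destination must already be translated
        # (static, or an xlate left by an earlier inside-initiated flow) ...
        if not self._translated(dst_ifc, dst):
            return NO_XLATE
        # ... and the flow must be permitted by the inbound access-list.
        if not self._acl_permits(proto, src, dst, port):
            return ACL_DENY
        return OK


def run_scenario():
    """Replays the thread: nat 0 on both sides, ICMP permitted inbound."""
    pix = Pix({"inside": 100, "outside": 0}, nat0={"inside", "outside"},
              acl=[("icmp", "any", "any", None)])
    r = {}
    r["b_to_a_first"] = pix.send("outside", HOST_B, "inside", HOST_A)        # 305005
    r["a_to_b"] = pix.send("inside", HOST_A, "outside", HOST_B)              # ok, builds xlates
    r["b_to_a_second"] = pix.send("outside", HOST_B, "inside", HOST_A)       # now ok
    pix.clear_xlate()
    r["b_to_a_after_clear"] = pix.send("outside", HOST_B, "inside", HOST_A)  # 305005 again
    pix.static("inside", HOST_A, "255.255.255.255")                          # accepted answer
    r["b_to_a_with_static"] = pix.send("outside", HOST_B, "inside", HOST_A)  # ok without prior flow
    return r


def run_network_static():
    """Whole-network static plus a tight access-list, as the last reply recommends."""
    pix = Pix({"inside": 100, "outside": 0}, nat0={"inside", "outside"})
    pix.static("inside", "172.16.1.0", "255.255.255.0")
    pix.acl = [("tcp", HOST_B, HOST_A, 443)]     # only the trusted host, only the needed port
    return {
        "trusted_443": pix.send("outside", HOST_B, "inside", HOST_A, "tcp", 443),
        "trusted_22": pix.send("outside", HOST_B, "inside", HOST_A, "tcp", 22),
        "other_host_443": pix.send("outside", "192.168.1.97", "inside", HOST_A, "tcp", 443),
        "other_inside_host": pix.send("outside", HOST_B, "inside", "172.16.1.50", "tcp", 443),
    }


if __name__ == "__main__":
    for name, result in {**run_scenario(), **run_network_static()}.items():
        print(f"{name:20} {result}")
```

`run_scenario` reproduces the sequence in the first post: the inbound ping fails, an inside-initiated ping builds the identity xlate, the next inbound ping succeeds, `clear xlate` resets it, and the static makes the inside host reachable with no prior flow. `run_network_static` shows why the last reply pairs a network-wide static with an access-list: every host in 172.16.1.0/24 is now permanently translated, so only the access-list decides which outside source may reach which inside host and port.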
