
ping problem

Hi

I have a pix firewall. The problem I have is when I ping a server in the DMZ, I get the following response in the logs:

305005: No translation group found for icmp src outside:y.y.y.50 dst dmz2:webserver_1 (type 8, code 0)

Just to add, I am not NATting and my access rule allows pings.

Does anyone have any ideas?

Thanks in advance for any help.

Dan


Re: ping problem

Hi,

The log indicates no address translation (address mapping) for your DMZ server from the outside interface/segment.

2 ways to allow connectivity to DMZ from inside:

a. Address mapping - configure static NAT for your DMZ server's IP address to an address that belongs to the outside/Public segment:

ip address outside 209.165.201.3 255.255.255.224

ip address dmz 172.16.0.1 255.255.255.0

static (dmz,outside) 209.165.201.10 172.16.0.10 netmask 255.255.255.255

access-list outside permit icmp any *any

access-group outside in interface outside

where 10.1.1.10 is your DMZ IP, 192.168.1.10 = outside/Public IP

*or change to specific host "host 10.1.1.10"

b. No NAT - do not configure any NAT between the DMZ and the outside/public segment IF both segments run on the same IP subnet, e.g. public

ip address outside 209.165.201.3 255.255.255.224

ip address dmz 209.165.200.225 255.255.255.0

nat (dmz) 0 209.165.200.225 255.255.255.0

route outside 0.0.0.0 0.0.0.0 1

access-list outside permit icmp any any

access-group outside in interface outside

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113021

Rgds,

AK
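To see which destinations are affected by the 305005 message discussed in this thread, the log can be parsed and grouped by interface pair and destination. This is an added example, not code from the thread; the first sample line is the one quoted in the question, the other two are constructed.

```python
import re
from collections import Counter

# PIX syslog 305005. ICMP lines end in "(type T, code C)";
# TCP/UDP lines carry "/port" after each address instead.
PATTERN = re.compile(
    r"305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
)

def parse_305005(line):
    """Return the fields of one 305005 event, or None for any other line."""
    m = PATTERN.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("sport", "dport", "itype", "icode"):
        if ev[key] is not None:
            ev[key] = int(ev[key])
    return ev

def missing_translations(lines):
    """Count events per (src_if, dst_if, dst): each key names a traffic
    direction and a destination for which the firewall found no translation."""
    counts = Counter()
    for line in lines:
        ev = parse_305005(line)
        if ev:
            counts[(ev["src_if"], ev["dst_if"], ev["dst"])] += 1
    return counts

SAMPLE = [
    # Line quoted in the question (addresses redacted by the poster).
    "305005: No translation group found for icmp src outside:y.y.y.50 "
    "dst dmz2:webserver_1 (type 8, code 0)",
    # Constructed: TCP form of the same message.
    "305005: No translation group found for tcp src outside:198.51.100.7/40112 "
    "dst dmz2:webserver_1/80",
    # Constructed: unrelated message that must be ignored.
    "302013: Built inbound TCP connection 12 for outside:198.51.100.7/40113",
]

if __name__ == "__main__":
    for key, n in missing_translations(SAMPLE).items():
        print("%s -> %s:%s  events=%d" % (key[0], key[1], key[2], n))
```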


Re: ping problem

Hi

Thanks for your help with this. Currently I am allowing pings to all servers, and it is working. The difference with this particular IP with which I am having problems is that it is teamed (win 2003). If I ping it from within the DMZ I get (DUP) replies. Does this create an issue? If so, how can I resolve it? Are there special rules needed with teaming?

Thanks in advance

Dan
