Cisco Support Community
Community Member

PIX NAT Translation Problem

Hello all, I have the following situation on a PIX 520 running 6.2.2.

I have three interfaces: inside, outside, dmz.

On the outside interface I have an access-list which permits ICMP from any to the IPs behind the DMZ interface. I have the following:

access-list external_access_in permit icmp any 1.1.1.0 255.255.255.0

nat (dmz) 0 1.1.1.0 255.255.255.0 0 0

access-group external_access_in in interface outside

1.1.1.0 are routed IP addresses on the Internet; the above permits outside hosts to ping my hosts behind the dmz interface.

I am trying to do the same, to permit the hosts behind the dmz to ICMP ping the hosts behind the inside interface:

access-list dmz_in permit ip any any

nat (inside) 0 1.1.5.0 255.255.255.0 0 0

access-group dmz_in in interface dmz

The inside permits inbound by default.

But I have in the log:

305005: No translation group found for icmp src dmz:1.1.1.1 dst inside:1.1.5.1 (type 8, code 0)

As I see it, the situation is the same as pinging from outside to dmz.

I have:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

Could anyone tell me where I am wrong, and how to permit the dmz hosts to ICMP ping the hosts on the inside interface?

Thanks for your answers.

1 REPLY
Community Member

Re: PIX NAT Translation Problem

Hi,

You need static entries for NATing, like this:

static (inside,dmz) 1.1.1.0 1.1.1.0 netmask 255.255.255.0 0 0

static (inside,outside) 1.1.5.0 1.1.5.0 netmask 255.255.255.0 0 0

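A triage helper for the 305005 message in the question, added here as an example and not code from either poster or from Cisco: it parses the log line and the posted nameif lines, compares security levels, and reports which kind of translation rule the flow lacks. The function names, the optional /port handling, and the host-level identity static in the hint (modelled on the identity-style statics in the reply) are assumptions.

```python
import re

# nameif lines as posted in the question
NAMEIF = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
"""

# 305005 line as posted in the question
LOG = ("305005: No translation group found for icmp src dmz:1.1.1.1 "
       "dst inside:1.1.5.1 (type 8, code 0)")

# Assumption: TCP/UDP variants of the message append /port to each address.
MSG = re.compile(
    r"305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<sif>[^:\s]+):(?P<sip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>[^:\s]+):(?P<dip>[\d.]+)(?:/\d+)?")


def security_levels(config):
    """Map interface name -> security level from 'nameif' lines."""
    pairs = re.findall(r"^nameif \S+ (\S+) security(\d+)$", config, re.M)
    return {name: int(level) for name, level in pairs}


def diagnose(line, levels):
    """Return the parsed flow plus the kind of translation rule it is missing."""
    m = MSG.search(line)
    if not m:
        return None
    f = m.groupdict()
    src, dst = levels[f["sif"]], levels[f["dif"]]
    if src < dst:
        # Lower -> higher security: the destination has to be published on
        # the source interface with a static; nat on the higher side is not enough.
        f["direction"] = "inbound"
        f["hint"] = ("static ({dif},{sif}) {dip} {dip} "
                     "netmask 255.255.255.255").format(**f)
    elif src > dst:
        # Higher -> lower security: the source needs a matching nat rule.
        f["direction"] = "outbound"
        f["hint"] = "nat ({sif}) rule covering {sip}".format(**f)
    else:
        # PIX 6.x does not pass traffic between equal security levels.
        f["direction"] = "same-level"
        f["hint"] = "assign different security levels"
    return f
```

The access-list on the lower-security interface (dmz_in in the question) still decides which of the published addresses are actually reachable.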