Cisco Support Community
Community Member

PIX NAT Translation Problem

Hello all, I have the following situation on a PIX 520 running 6.2.2.

I have three interfaces inside, outside, dmz

On the outside interface I have an access-list which permits ICMP from any to the IPs behind the DMZ interface. I have the following:

access-list external_access_in permit icmp any

nat (dmz) 0 0 0

access-group external_access_in in interface outside

are routed IP addresses on the Internet; the above permits outside hosts to ping my hosts behind the dmz interface.

I am trying to do the same, to permit the hosts behind the dmz to ICMP ping the hosts behind the inside interface:

access-list dmz_in permit ip any any

nat (inside) 0 0 0

access-group dmz_in in interface dmz

The inside permits inbound by default.

But I have in the log:

305005: No translation group found for icmp src dmz: dst inside: (type 8, code 0)

According to me, the situation is the same as pinging from outside to dmz.

I have:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

Could anyone tell me where I am wrong, and how to permit the dmz hosts to ICMP ping the hosts on the inside interface?

Thanks for your answers.

Community Member

Re: PIX NAT Translation Problem


You need static entries for NATing, like this:

static (inside,dmz) netmask 0 0

static (inside,outside) netmask 0 0
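The static approach from the reply, written out for the dmz-to-inside case only, as an added example that is not part of the original posts. The thread's addresses are not shown, so the inside network 10.1.1.0/24 and the dmz network 192.168.50.0/24 are constructed placeholders. The example also narrows `dmz_in` so that the static does not open the whole inside network to every protocol from the dmz.

```cisco
: Constructed addressing (assumptions, not from the thread):
:   inside network 10.1.1.0 255.255.255.0
:   dmz network    192.168.50.0 255.255.255.0

: Identity static: inside hosts are reachable from the dmz under their
: own addresses. This supplies the translation that message 305005
: reports as missing for dmz -> inside traffic.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

: As posted, the dmz ACL was "permit ip any any". Once the static exists,
: that would let any dmz host reach any inside host on any protocol.
: Narrowed version: ICMP echo (ping from the dmz) and echo-reply
: (answers to pings that started on the inside; ICMP is not tracked
: statefully on PIX 6.x), then block everything else toward the inside,
: then keep the dmz's access to other destinations as before.
no access-list dmz_in
access-list dmz_in permit icmp 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0 echo
access-list dmz_in permit icmp 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

: Drop stale translations so the new static takes effect, then check
: the translation table and the ACL hit counters while pinging.
clear xlate
show xlate
show access-list dmz_in
```

The order of the `dmz_in` entries matters: the two ICMP permits must come before the deny, and the deny before the final permit.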
