
New Member

Translation sets from VPN pool to DMZ

Hello,

I have a client VPNing into the corporate network and in the pool 10.10.100.x. Client is using internal DNS servers since they have to access private servers. They are also set up with split tunneling so as to use their own internet connection for the internet, plus it precludes them from having to have proxy settings on their web browsers (all http traffic is through a proxy server for our company).

They also have to access the company web server, which using the internal DNS servers, gives them the private ip address of the server.

The problem I am having is, they cannot access the web server in the DMZ. The log entry is:

Oct 28 2006 15:10:20: %PIX-3-305005: No translation group found for tcp src outside:10.10.110.2/1221 dst dmz1:10.10.1.3/80

(10.10.1.x is our DMZ range)

Obviously there is already a static translation between the web server and a public address. So, how do I do a translation group for this scenario without breaking the current translation set for the web server? Do I treat it like a normal private address range and the PIX is smart enough to send the packets over the correct translation?

3 REPLIES
New Member

Re: Translation sets from VPN pool to DMZ

A nat 0 ACL from dmz to outside should do the trick.

access-list dmz_nat0_outbound permit ip 10.10.1.3 255.255.255.255 10.10.100.0 255.255.255.0

nat (dmz) 0 access-list dmz_nat0_outbound

New Member

Re: Translation sets from VPN pool to DMZ

And the fact I have a static mapping for 10.10.1.3 to the outside (public ip) won't make a difference?

New Member

Re: Translation sets from VPN pool to DMZ

Nope.

That static is still in effect as it does not match the nat 0 ACL. If you want to do this for all servers on the dmz, then it would be

access-list dmz_nat0_outbound permit ip 10.10.1.0 255.255.255.0 10.10.100.0 255.255.255.0
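As an added illustration (not part of the thread), a small Python model of the lookup order the last reply relies on: the nat 0 exemption is matched before the static, so the DMZ host keeps its private address toward the VPN pool and still uses its static public address for everything else. The public address is a placeholder, the 10.10.100.7 client is constructed, and the second log line is constructed; the first log line is the one from the question.

```python
import ipaddress
import re

# Constructed model of the PIX translation choice for traffic leaving the dmz
# interface: "nat (dmz) 0 access-list" (NAT exemption / identity NAT) is
# checked first; a miss falls through to the static translation.

# access-list dmz_nat0_outbound permit ip 10.10.1.3 255.255.255.255 10.10.100.0 255.255.255.0
NAT0_ACL = [
    ("10.10.1.3 255.255.255.255", "10.10.100.0 255.255.255.0"),
]

# static (dmz,outside) <public> 10.10.1.3 -- the public address is a placeholder
STATICS = {"10.10.1.3": "PUBLIC_IP_PLACEHOLDER"}

# Log line quoted in the question, plus a constructed one with a pool address.
PAGE_LOG_LINE = ("Oct 28 2006 15:10:20: %PIX-3-305005: No translation group found "
                 "for tcp src outside:10.10.110.2/1221 dst dmz1:10.10.1.3/80")
POOL_LOG_LINE = ("Oct 28 2006 15:12:01: %PIX-3-305005: No translation group found "
                 "for tcp src outside:10.10.100.7/1222 dst dmz1:10.10.1.3/80")

def _net(addr_mask):
    """Turn a PIX 'address netmask' pair into an ipaddress network."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def translate(src, dst):
    """Return (rule, translated_source) for a dmz host src talking to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_src, acl_dst in NAT0_ACL:
        if s in _net(acl_src) and d in _net(acl_dst):
            return "nat0-exempt", src          # identity: private address kept
    if src in STATICS:
        return "static", STATICS[src]          # public address toward outside
    return "no-translation", None              # neither rule applies

LOG_RE = re.compile(r"src \w+:(\d+\.\d+\.\d+\.\d+)/\d+ dst \w+:(\d+\.\d+\.\d+\.\d+)/\d+")

def client_reaches_private_address(line):
    """True if the src/dst pair in a 305005 line is covered by the exemption,
    i.e. the VPN client can reach the dmz server on its private address."""
    client, server = LOG_RE.search(line).groups()
    return translate(server, client)[0] == "nat0-exempt"

if __name__ == "__main__":
    print(translate("10.10.1.3", "10.10.100.7"))      # exempt toward the pool
    print(translate("10.10.1.3", "198.51.100.10"))    # static toward the internet
    print(client_reaches_private_address(PAGE_LOG_LINE), client_reaches_private_address(POOL_LOG_LINE))
```

Feeding the real syslog line through the check is a quick way to confirm that the exemption ACL actually covers the pool addresses the PIX is seeing.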
