Cisco Support Community

Simple pix ques

Hi

New at PIX, so bear with me.

R2(.2)--1.1.1.0/24--(E0-.1)pix(v6.3.5)(E1-.1)---2.2.2.0/24----(.5)R5

Both R2 and R5 have a default route pointing to the PIX as next hop, and the PIX can ping both R2 and R5. R2 is outside and R5 is inside.

On the PIX, I set up:

static (i,o) 1.1.1.2 2.2.2.5 net 255.255.255.255

global (outside) 1 1.1.1.10-1.1.1.20 netmask 255.255.255.0

nat (inside) 1 0 0 0 0

The PIX default route points to R2 as next hop.

acl 1 per icmp any any

a-g 1 in interface outbound

I cannot ping from R2 to R5, and debug shows "no translation group..."

Please advise. TIA

1 REPLY

Re: Simple pix ques

Your static is wrong.

Your static (i,o) will translate the local inside address 2.2.2.5 to 1.1.1.2 on the outside.

Remove it and add:

static (i,o) 2.2.2.3 1.1.1.2 net 255.255.255.255

(This will translate the address 1.1.1.2 to 2.2.2.3 on the outside.)

If you ping 2.2.2.5 from R2, the PIX will translate it to 2.2.2.3 on the outside, R5 will respond to 2.2.2.3, and the PIX will translate back to 1.1.1.2.

Assuming this is a lab/test (non-production environment), you can also turn on debug icmp trace on the PIX or debug ip icmp on the routers.

The nat(inside) 1 and global(outside) 1 would not be used by the firewall, since the static NAT would take priority.
