[c-nsp] PIX translation issue
Serguei Bezverkhi
sbezverkhi at hotmail.com
Wed Feb 23 09:58:45 EST 2005
Hi,
Instead of using nat 0, you have to use nat 0 with an access-list.
Nat 0 allows only sessions initiated from a higher-security interface.
Nat 0 with an access-list allows two-way communication.
HTH
Serguei
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Helm
Sent: Wednesday, February 23, 2005 9:01 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PIX translation issue
On this PIX setup, there are 3 interfaces: outside, inside, dmz.
None of the networks are using NAT.
I'm having an issue where a host on the dmz cannot access a host on the inside
interface unless the host on the inside network initiates the
communication first. Once this initial communication is established,
the two hosts have no issues until the dmz host is rebooted.
I notice a particular entry in the PIX syslog when the dmz host attempts
to communicate with the inside host:
Error Message %PIX-3-305005: No translation group found for protocol src
interface_name:dest_address/dest_port dst
interface_name:source_address/source_port
Below is a partial config:
nat (inside) 0 1.1.1.0 255.255.255.128 0 0
nat (dmz) 0 2.2.2.0 255.255.255.224 0 0
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.128 0 0
static (dmz,outside) 2.2.2.0 2.2.2.0 netmask 255.255.255.224 0 0
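Added example (not from either poster): the two nat 0 lines from the partial config above, followed by the NAT-exemption form Serguei describes. With plain "nat 0 <net> <mask>" the PIX builds an identity translation only when the higher-security side opens the connection, which is why the dmz host gets %PIX-3-305005 until the inside host has talked to it first. "nat 0 access-list" exempts the matched flows from translation in both directions. The access-list names (nonat_inside, nonat_dmz, dmz_in) and the dmz interface access-list are assumptions; the posted config shows no access-lists, but on a PIX any session from a lower-security interface to a higher-security one also has to be permitted by an access-list applied to the lower-security interface, so one is included here. The static (x,outside) lines from the original are left as they were.

```cisco
! --- Before: identity NAT (as posted). Translation slots are only
! --- created for sessions initiated from the higher-security side.
nat (inside) 0 1.1.1.0 255.255.255.128 0 0
nat (dmz) 0 2.2.2.0 255.255.255.224 0 0

! --- After: NAT exemption. Flows matching the access-list are exempt
! --- from translation regardless of which side initiates.
! Inside -> dmz, no translation (access-list name assumed)
access-list nonat_inside permit ip 1.1.1.0 255.255.255.128 2.2.2.0 255.255.255.224
nat (inside) 0 access-list nonat_inside

! dmz -> inside, no translation (access-list name assumed)
access-list nonat_dmz permit ip 2.2.2.0 255.255.255.224 1.1.1.0 255.255.255.128
nat (dmz) 0 access-list nonat_dmz

! dmz is lower security than inside, so dmz-initiated sessions must also be
! permitted explicitly. Scope this to the ports actually needed rather than
! "ip"; "ip" is used here only because the post does not name the service.
! (access-list name and contents assumed)
access-list dmz_in permit ip 2.2.2.0 255.255.255.224 1.1.1.0 255.255.255.128
access-group dmz_in in interface dmz

! Unchanged from the posted config
static (inside,outside) 1.1.1.0 1.1.1.0 netmask 255.255.255.128 0 0
static (dmz,outside) 2.2.2.0 2.2.2.0 netmask 255.255.255.224 0 0
```

After applying this, "clear xlate" and retrying from the dmz host should no longer log %PIX-3-305005 for that pair; if it still does, "show nat" and "show access-list nonat_dmz" confirm whether the dmz-side exemption is matching.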
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/