[c-nsp] PIX: Source [NP]AT traffic from the other side of a tunnel. Possible?
Matt Stockdale
mstockda at logicworks.net
Tue May 30 15:20:33 EDT 2006
Whoops - I forgot to specify, PIX A is running 6.3(3), in which I
believe that the nat (outside) ... outside feature is enabled.
On Tue, 2006-05-30 at 15:14 -0400, Matt Stockdale wrote:
> Folks -
>
> With the following setup
>
> 10.4.71.0/24------(inside)PIX A(outside)---------Internet----------(outside)PIX B(inside)--172.20.0.0/26
>
> Is it possible to source NAT/PAT traffic from 172.20.0.0/16 to
> 10.4.71.0/24, such that it appears to be coming either from the inside
> interface of PIX A itself, or an internal global NAT IP for this purpose?
>
> My attempts so far have resulted in
>
> %PIX-3-305005: No translation group found for icmp src outside:172.20.66.126 dst inside:10.4.71.254 (type 8, code 0)
>
> I've set up the "outside" nat config thusly
>
> nat (outside) 1 access-list fromClient outside
>
> where acl fromClient is multiple entries like
>
> access-list fromClient permit ip host 172.20.66.116 10.4.71.0 255.255.255.0
>
> for each host allowed over the tunnel.
>
> sh xlate detail looks "good" (10.4.71.252 is PIX A, configured via global (inside) 1 interface)
>
> # sh xlate detail
> 1 in use, 3 most used
> Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
> o - outside, r - portmap, s - static
> ICMP PAT from outside:172.20.66.126/512 to inside(fromClient):10.4.71.252/1 flags ro
>
> I'm running a tcpdump on the target host, and it's not receiving any packets.
>
> Thoughts?
>
>
> Thanks in advance
>
> Matt
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
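The post gives the three artefacts a practitioner actually has in hand when chasing a 305005: the syslog message, the `sh xlate detail` line, and the policy-NAT ACE. The script below is an added example for this thread (not code from the post, nor anything from Cisco): it parses all three and, for each "No translation group found" event, reports whether the policy-NAT access-list would have selected that exact source/destination pair and whether the source host already holds an xlate on the interface named in the message. The sample lines are constructed for the example: the ICMP log line, the xlate line and the single ACE are copied from the post; the TCP log line assumes the documented `src ifc:ip/port dst ifc:ip/port` shape of the same message ID and is not a captured log; the 106010 line is there only to show that other messages are ignored. Since the ACL here contains only the one ACE the post shows (the poster's real list has one entry per host), the 172.20.66.126 flow is reported as not selected; that is what the check looks like, not a diagnosis of the poster's box.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input. Log line 1 and the xlate line are copied from the
# post; log line 2 assumes the documented "src ifc:ip/port dst ifc:ip/port"
# shape of the same message for TCP and is not a captured log; log line 3 is a
# different message ID and must be ignored. The ACE is the one shown in the
# post (the poster's real ACL has one such entry per host).
SAMPLE_LOGS = [
    "%PIX-3-305005: No translation group found for icmp src outside:172.20.66.126 "
    "dst inside:10.4.71.254 (type 8, code 0)",
    "%PIX-3-305005: No translation group found for tcp src outside:172.20.66.116/41122 "
    "dst inside:10.4.71.10/22",
    "%PIX-3-106010: Deny inbound icmp src outside:192.0.2.9 dst inside:10.4.71.1 (type 8, code 0)",
]
SAMPLE_XLATES = [
    "ICMP PAT from outside:172.20.66.126/512 to inside(fromClient):10.4.71.252/1 flags ro",
]
SAMPLE_ACL = [
    "access-list fromClient permit ip host 172.20.66.116 10.4.71.0 255.255.255.0",
]

# search() rather than match(): collectors usually prepend a timestamp/host.
NO_XLATE_RE = re.compile(
    r"%PIX-\d-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sifc>\w+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<difc>\w+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
)
# 'sh xlate detail' entry; the parenthesised name is the policy-NAT ACL.
XLATE_RE = re.compile(
    r"(?P<proto>\w+) (?P<kind>NAT|PAT) from (?P<sifc>\w+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
    r"to (?P<difc>\w+)(?:\((?P<acl>[^)]+)\))?:(?P<dip>[\d.]+)(?:/(?P<dport>\d+))? "
    r"flags (?P<flags>\w+)"
)

def _ints(d: Dict, keys: Tuple[str, ...]) -> Dict:
    """Convert the numeric groups to int (None stays None); normalise proto."""
    for k in keys:
        d[k] = int(d[k]) if d.get(k) is not None else None
    d["proto"] = d["proto"].lower()
    return d

def parse_no_xlate(line: str) -> Optional[Dict]:
    """Parse one 305005 message; None for any other line."""
    m = NO_XLATE_RE.search(line)
    return _ints(m.groupdict(), ("sport", "dport", "type", "code")) if m else None

def parse_xlate(line: str) -> Optional[Dict]:
    """Parse one NAT/PAT entry from 'sh xlate detail'; None for header lines."""
    m = XLATE_RE.search(line)
    return _ints(m.groupdict(), ("sport", "dport")) if m else None

def _addr_spec(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any' | 'host A' | 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line: str) -> Dict:
    """Parse 'access-list NAME permit|deny PROTO SRC DST' (no port operators)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _addr_spec(t, 4)
    dst, _ = _addr_spec(t, i)
    return {"name": t[1], "action": t[2], "proto": t[3].lower(), "src": src, "dst": dst}

def acl_action(aces: List[Dict], proto: str, sip: str, dip: str) -> Optional[str]:
    """First-match evaluation; None is the implicit deny (no ACE selected the flow)."""
    s, d = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    for ace in aces:
        if ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]:
            return ace["action"]
    return None

def triage(logs: List[str], xlates: List[str], acl: List[str]) -> List[Dict]:
    """For each 305005 event: did the policy-NAT ACL select the flow, and does
    the source host already hold an xlate on the interface the message names?"""
    aces = [parse_ace(l) for l in acl]
    xl = [x for x in map(parse_xlate, xlates) if x]
    out = []
    for ev in filter(None, map(parse_no_xlate, logs)):
        out.append({
            "proto": ev["proto"], "src": ev["sip"], "dst": ev["dip"],
            "acl_action": acl_action(aces, ev["proto"], ev["sip"], ev["dip"]),
            "xlate_for_src": any(x["sifc"] == ev["sifc"] and x["sip"] == ev["sip"] for x in xl),
        })
    return out

if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS, SAMPLE_XLATES, SAMPLE_ACL):
        print(r)
```

Feed it the real `show logging` output and the full `show access-list fromClient` / `show xlate detail` captures; a flow whose `acl_action` is None was never a candidate for the `nat (outside) 1 access-list fromClient outside` statement at all, while one that is permitted but still logs 305005 points at the translation side (the `global (inside)` pool, the `outside` keyword, or the tunnel itself) rather than at the ACL.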