[c-nsp] PIX: Source [NP]AT traffic from the other side of a tunnel. Possible?

David West david.h.west at gmail.com
Wed May 31 09:59:22 EDT 2006


What you're attempting should work. Is there an ACL somewhere that's
dropping the traffic? Could you post a more complete (sanitized) config?

On 5/30/06, Matt Stockdale <mstockda at logicworks.net> wrote:
>
> Whoops - I forgot to specify, PIX A is running 6.3(3), in which I
> believe that the nat (outside) ... outside feature is enabled.
>
> On Tue, 2006-05-30 at 15:14 -0400, Matt Stockdale wrote:
> > Folks -
> >
> >   With the following setup
> >
> > 10.4.71.0/24------(inside)PIXA(outside)---------Internet----------(outside)PIX B(inside)--172.20.0.0/26
> >
> >   Is it possible to source NAT/PAT traffic from 172.20.0.0/16 to
> > 10.4.71.0/24, such that it appears to be coming either from the inside
> > interface of PIX A itself, or an internal global NAT IP for this purpose?
> >
> >   My attempts so far have resulted in
> >
> >   %PIX-3-305005: No translation group found for icmp src outside:172.20.66.126 dst inside:10.4.71.254 (type 8, code 0)
> >
> > I've set up the "outside" nat config thusly
> >
> > nat (outside) 1 access-list fromClient outside
> >
> > where acl fromClient is multiple entries like
> >
> >   access-list fromClient permit ip host 172.20.66.116 10.4.71.0 255.255.255.0
> >
> > for each host allowed over the tunnel.
> >
> > sh xlate detail looks "good".. (10.4.71.252 is PIX A, configured via global (inside) 1 interface)
> >
> > # sh xlate detail
> > 1 in use, 3 most used
> > Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
> >        o - outside, r - portmap, s - static
> > ICMP PAT from outside:172.20.66.126/512 to inside(fromClient):10.4.71.252/1 flags ro
> >
> > I'm running a tcpdump on the target host, and it's not receiving any packets.
> >
> > Thoughts?
> >
> >
> > Thanks in advance
> >
> > Matt
> >
> >
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>



-- 
Progress isn't made by early risers. It's made by lazy men trying to find
easier ways to do something.
  - Robert Heinlein


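A troubleshooting aid for the question above, added here as an example and not code from either poster: it parses the policy-NAT ACL and the `nat (outside) ... outside` statement from a PIX 6.3 style config, then checks each `%PIX-3-305005` "No translation group found" syslog line against it, reporting which flows have no matching ACE and therefore can never get an outside-to-inside xlate. The config and syslog text are constructed samples modelled on the thread; the second host address and the TCP syslog line are invented for illustration, and the script assumes the common `permit ip host A B MASK` / `any` ACE forms only.

```python
"""Check PIX 305005 'No translation group found' events against the policy-NAT ACL."""
import ipaddress
import re

# Constructed sample config, modelled on the thread (second host is invented).
CONFIG = """
access-list fromClient permit ip host 172.20.66.116 10.4.71.0 255.255.255.0
access-list fromClient permit ip host 172.20.66.126 10.4.71.0 255.255.255.0
nat (outside) 1 access-list fromClient outside
global (inside) 1 interface
"""

# Constructed sample syslog lines; the TCP line is invented to show an uncovered flow.
SYSLOG = """
%PIX-3-305005: No translation group found for icmp src outside:172.20.66.126 dst inside:10.4.71.254 (type 8, code 0)
%PIX-3-305005: No translation group found for tcp src outside:172.20.66.200/1234 dst inside:10.4.71.10/22
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(\S+)\s+(.+)$")
NAT_RE = re.compile(r"^nat \((\w+)\) \d+ access-list (\S+)")
LOG_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (\S+) "
    r"src (\w+):([\d.]+)(?:/\d+)? dst (\w+):([\d.]+)(?:/\d+)?"
)


def _parse_addr(tokens):
    """Consume one ACE address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(config_text):
    """Return {acl_name: [(proto, src_net, dst_net), ...]} for every permit ACE."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _parse_addr(tokens)
        dst, tokens = _parse_addr(tokens)
        acls.setdefault(name, []).append((proto, src, dst))
    return acls


def parse_nat_acls(config_text):
    """Return {acl_name: interface} for each 'nat (iface) id access-list NAME' statement."""
    nat_acls = {}
    for line in config_text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            nat_acls[m.group(2)] = m.group(1)
    return nat_acls


def check_flows(config_text, syslog_text):
    """For each 305005 event, list the policy-NAT ACLs on the source interface that permit it."""
    acls = parse_acl(config_text)
    nat_acls = parse_nat_acls(config_text)
    results = []
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        proto, src_if, src, dst_if, dst = m.groups()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        matched = [
            name for name, iface in nat_acls.items()
            if iface == src_if and any(
                p in ("ip", proto) and src_ip in s and dst_ip in d
                for p, s, d in acls.get(name, [])
            )
        ]
        results.append((proto, src, dst, matched))
    return results


if __name__ == "__main__":
    for proto, src, dst, matched in check_flows(CONFIG, SYSLOG):
        status = f"covered by {matched}" if matched else "NOT covered by any nat ACL"
        print(f"{proto} {src} -> {dst}: {status}")
```

A flow reported as covered but still logged as 305005 points away from the NAT ACL and toward something else (interface ACLs, the order in which the config was applied, or the return path), which is the direction the reply above suggests looking.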