[c-nsp] VPN PIX 6.x Translation issue

Laurent Geyer lgeyer at gmail.com
Mon Feb 2 14:49:52 EST 2009


This has to do with NAT behavior on Pix 6.x and supposedly changed on
the ASA, but I have personally observed the behavior there as well.

Pixes will inherently attempt to translate any traffic they receive on
an interface unless told not to.

In your case the following should address the problem.

static (inside,inside2) 10.10.200.0 10.10.200.0 netmask 255.255.255.0

You could also build a nat exempt access-list and define the subnets
in question.

- Laurent

On Mon, Feb 2, 2009 at 10:57 AM, William <willay at gmail.com> wrote:
> Hi folks!
>
> I currently have a PIX firewall running 6 code, the firewall has 3
> interfaces, inside, outside and inside2.
>
> At the moment I can VPN and communicate to all the hosts on the
> inside, what I'd like to do is also be able to communicate with the
> hosts on inside2, the security levels are:
>
> outside: 0
> inside: 100
> inside2: 90
>
> When I try to speak to inside2 hosts, I get the following error:
>
> %PIX-3-305005: No translation group found for icmp src
> outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0)
>
> I'm very confused as to where I should be putting global/nat
> statements... so far my setup consists of:
>
>
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 10.10.200.0 255.255.255.0 0 0
> nat (inside2) 0 access-list office_outbound_nat0_acl
> nat (inside2) 1 192.168.0.0 255.255.255.0 0 0
> global (outside) 1 interface
>
> This lets both inside and inside2 hosts contact the internet via int
> outside, and no nat stuff that needs to traverse VPN tunnels...
>
> If anyone can assist/educate me on getting this working I would
> appreciate it very much!
>
> Cheers,
>
> W
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
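As an added example (not from the thread or either poster), a small Python triage script that parses the %PIX-3-305005 message quoted above and groups the dropped flows by interface pair and destination subnet, so the admin can see at a glance which interface pair the missing nat 0 exemption or identity static has to cover; the sample log lines other than the quoted one are constructed.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Field layout of the PIX 6.x syslog message quoted in the thread:
#   %PIX-3-305005: No translation group found for <proto> src <if>:<ip>[/<port>]
#   dst <if>:<ip>[/<port>] [(type N, code M)]
# The /port suffix appears for tcp/udp, the (type, code) suffix for icmp.
MSG_305005 = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<dst_port>\d+))?"
)

def parse_305005(line):
    """Return the message fields as a dict, or None for any other syslog line."""
    m = MSG_305005.search(line)
    return m.groupdict() if m else None

def summarize(lines, prefixlen=24):
    """Group untranslated flows by (src_if, dst_if, dst subnet).

    The interface pair shows where a nat 0 access-list or identity static
    (the fixes discussed in the thread) is missing; the distinct sources show
    whether one host or a whole pool (e.g. VPN clients) is being dropped.
    """
    hits = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_305005(line)
        if rec is None:
            continue
        dst_net = str(ip_network(f"{rec['dst_ip']}/{prefixlen}", strict=False))
        key = (rec["src_if"], rec["dst_if"], dst_net)
        hits[key] += 1
        sources[key].add(rec["src_ip"])
    return {key: (n, sorted(sources[key])) for key, n in hits.items()}

# Constructed sample log: the first line is the one from the thread; the
# timestamps, the tcp/udp lines and the 302013 line are made up for illustration.
SAMPLE_LOG = [
    "Feb  2 10:51:02 pix %PIX-3-305005: No translation group found for icmp src "
    "outside:10.10.199.3 dst inside2:192.168.0.1 (type 8, code 0)",
    "Feb  2 10:51:09 pix %PIX-3-305005: No translation group found for tcp src "
    "outside:10.10.199.3/1034 dst inside2:192.168.0.10/445",
    "Feb  2 10:52:41 pix %PIX-3-305005: No translation group found for udp src "
    "outside:10.10.199.7/53012 dst inside2:192.168.0.1/53",
    "Feb  2 10:52:42 pix %PIX-6-302013: Built inbound TCP connection 12 for "
    "outside:10.10.199.3/1035 (10.10.199.3/1035) to inside:10.10.200.5/22 (10.10.200.5/22)",
]

if __name__ == "__main__":
    for (src_if, dst_if, net), (n, srcs) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src_if} -> {dst_if} {net}: {n} drops from {len(srcs)} source(s): {', '.join(srcs)}")
```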
