[c-nsp] PIX 6x translation issue

Peter Rathlev peter at rathlev.dk
Mon Jan 12 18:41:48 EST 2009


On Mon, 2009-01-12 at 15:13 +0000, William wrote:
> What I'm trying to figure out is how I can get hosts on the office
> network to access hosts on the inside network without their addresses
> being translated. I've built an access-list and applied it to the
> office interface which is straight forward and I've added the
> following static:
> 
> static (office,inside) 10.75.4.0 10.75.4.0 netmask 255.255.255.0 0 0

As Tony says, you need to swap those interface names, so it says "static
(<higher-if>,<lower-if>) <lower-ip> <higher-ip> netmask <mask>" as per
the documentation.

> However I'm not getting any connectivity, so I added:
> 
> access-list office_outbound_nat0_acl permit ip host 10.75.4.1 10.1.1.0
> 255.255.255.0
> nat (office) 0 access-list office_outbound_nat0_acl
> 
> At the moment I'm not getting any hits on office_outbound_nat0_acl and
> no traffic is getting across either, the logs say:
> 
> 305005: No translation group found for icmp src office:10.75.4.1 dst
> inside:10.1.1.250 (type 8, code 0)

You need to reverse the access-list and put the NAT-statement on the
other interface. You always define those things "from" the higher
security level "to" the lower. Then you control what's allowed with
access lists. Thus, it's:

access-list nonat permit ip 10.1.1.0 255.255.255.0 host 10.75.4.1
nat (inside) 0 access-list nonat

> Which matches up with the traffic I'm sending! Can someone assist me
> so I know what I'm doing wrong?

It may seem reverse compared to logic, but that's how PIX/ASA does
it. :-)

Regards,
Peter
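The direction rule Peter describes (static (higher,lower) and nat 0 defined on the higher-security interface) can be checked mechanically. This is an added example, not part of the thread or of any Cisco tool; the nameif security levels and interface addresses are assumptions, while the static, access-list and nat lines are the ones quoted above, first as posted and then as corrected.

```python
import ipaddress

# Constructed PIX 6.x fragment; security levels and interface addresses are
# assumed, the static/access-list/nat lines are the ones quoted in the thread.
BASE = """nameif ethernet1 inside security100
nameif ethernet2 office security50
ip address inside 10.1.1.1 255.255.255.0
ip address office 10.75.4.254 255.255.255.0
"""
AS_POSTED = BASE + """static (office,inside) 10.75.4.0 10.75.4.0 netmask 255.255.255.0 0 0
access-list office_outbound_nat0_acl permit ip host 10.75.4.1 10.1.1.0 255.255.255.0
nat (office) 0 access-list office_outbound_nat0_acl
"""
CORRECTED = BASE + """static (inside,office) 10.75.4.0 10.75.4.0 netmask 255.255.255.0 0 0
access-list nonat permit ip 10.1.1.0 255.255.255.0 host 10.75.4.1
nat (inside) 0 access-list nonat
"""

def _net(tok):
    """Parse one ACL address ('host a.b.c.d' or 'net mask'); return (network, rest)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _behind(nets, addr):
    # Interface whose connected subnet contains addr, or None if unknown.
    return next((i for i, n in nets.items() if addr.subnet_of(n)), None)

def check_nat_direction(config):
    """Flag static and nat 0 statements written from the lower-security side."""
    levels, nets, acls, findings = {}, {}, {}, []
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "nameif":
            levels[t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:
            nets[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:])
            acls.setdefault(t[1], []).append((src, _net(rest)[0]))
        elif t[0] == "static":
            real, mapped = t[1].strip("()").split(",")
            if levels[real] <= levels[mapped]:
                findings.append(f"static ({real},{mapped}): list the higher-security interface first")
        elif t[0] == "nat" and t[2] == "0":
            ifc = t[1].strip("()")
            for src, dst in acls.get(t[4], []):
                peer = _behind(nets, dst)  # interface the destination sits behind
                if _behind(nets, src) != ifc or (peer and levels[peer] > levels[ifc]):
                    findings.append(f"nat ({ifc}) 0 access-list {t[4]}: define the exemption on {peer} and swap the ACL addresses")
    return findings
```

Running check_nat_direction(AS_POSTED) reports both the reversed static and the nat 0 on the office side; the corrected fragment reports nothing.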
