From: Kulcsár
Date: Wed Mar 29 2006 - 08:39:19 GMT-3
Hello Alexei,
I think you should apply nat 0 to the inside interface and not dmz3 or use static.
Best regards,
Andras Kulcsar
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Alexei Monastyrnyi
Sent: Wednesday, March 29, 2006 1:28 PM
To: ccielab@groupstudy.com
Subject: vier problem with NAT exemption on PIX 7.1
Hi Group.
I am running PIX 515E 7.1.2 in production, two boxes in failover mode
(it is no laughing matter :-))
There is an internal DMZ interface (i.e. using RFC 1918 addresses) on
the PIX and I would like to do a NAT exemption for IP traffic from one
of the hosts in that DMZ area towards some hosts behind inside interface
(security-level 100). Looks straightforward... but doesn't work. Below
you can find an extract from the config and logs.
I can ping and connect to this host from behind the inside interface
with no problems.
Pulling my hair out... Hints would be highly appreciated!
A.
pix-sthlm# sh run in eth 4
!
interface Ethernet4
nameif dmz3
security-level 50
ip address pix-sthlm-dmz3 255.255.255.0 standby pix2-sthlm-dmz3
pix-sthlm# sh run | in sthlm-dmz3
name 172.27.251.1 pix-sthlm-dmz3
name 172.27.251.2 pix2-sthlm-dmz3
pix-sthlm# sh run nat | in dmz3
nat (dmz3) 0 access-list dmz3-nonat
pix-sthlm(config)# sh access-list dmz3-nonat
access-list dmz3-nonat; 1 elements
access-list dmz3-nonat line 1 extended permit ip host 172.27.251.128
192.176.3.0 255.255.255.0 (hitcnt=0) 0xbe6a1ce0
pix-sthlm# sh logg | in 192.176
Mar 29 2006 12:59:35: %PIX-3-305005: No translation group found for tcp
src dmz3:172.27.251.128/60983 dst inside:192.176.3.129/20001
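The fix Andras describes, written out as an added configuration example (not part of either message). The log shows the PIX looking for a translation for the inside host (dst inside:192.176.3.129), so the exemption has to live on the interface that owns those real addresses, inside, not on dmz3. The ACL names inside-nonat and dmz3-in are assumed; the addresses and port come from the posted config and log.

```text
! --- As posted (fails with %PIX-3-305005): exemption bound to dmz3 ---
! access-list dmz3-nonat extended permit ip host 172.27.251.128 192.176.3.0 255.255.255.0
! nat (dmz3) 0 access-list dmz3-nonat
!
! --- Option 1: NAT exemption on inside, where 192.176.3.0/24 lives ---
! (ACL name inside-nonat is assumed)
access-list inside-nonat extended permit ip 192.176.3.0 255.255.255.0 host 172.27.251.128
nat (inside) 0 access-list inside-nonat
!
! --- Option 2 (instead of option 1): identity static from inside to dmz3 ---
! static (inside,dmz3) 192.176.3.0 192.176.3.0 netmask 255.255.255.0
!
! dmz3 (security-level 50) still needs an interface ACL that allows the
! flow towards inside (security-level 100). ACL name dmz3-in is assumed;
! the single host/port is the one seen in the 305005 log line.
access-list dmz3-in extended permit tcp host 172.27.251.128 host 192.176.3.129 eq 20001
access-group dmz3-in in interface dmz3
!
! Verify: hitcnt on the exemption ACL should start rising and the
! 305005 entries for 192.176.3.129 should stop appearing.
! show access-list inside-nonat
! show logging | include 305005
```

Use one of the two options, not both, to avoid overlapping translation rules for the same subnet. Keeping the dmz3-in entry narrow (one host, one port) limits what the lower-security DMZ host can reach on the inside network to exactly the flow that needs to work.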
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3