From: Ajay mehra (ajaymehra01@gmail.com)
Date: Sat Nov 15 2008 - 10:45:24 ARST
No luck even with the global (inside) 1 interface command; it is still giving
a translation error. I could get it running using a static mapping for the
destination host with
static (i,i) 183.1.19.10 183.1.19.10
As per my understanding, what is happening is this: since nat is enabled for
the 183.1.0.0 network and source and destination both exist on the same
interface, if the PIX receives a packet which has a destination on the
183.1.0.0 subnet, it looks in the xlate table to check if there is already an
entry for 183.1.19.10.
The problem here is not the source translation but the destination
translation.
This case would be the same as if we had packets coming from the outside to
the inside interface and we did not have an entry in the xlate table (provided
we have nat enabled for the host on the inside network).
Thanks,
Ajay
2008/11/15 Farrukh Haroon <farrukhharoon@gmail.com>
> Once you apply dynamic translation to an interface, 'no nat-control' rule
> no longer applies.
>
> Remove the NAT 0 command and put the global command I gave ya, it will
> work!
>
> Regards
>
> Farrukh
>
> On Sat, Nov 15, 2008 at 10:56 AM, Ajay mehra <ajaymehra01@gmail.com> wrote:
>
>> Thanks for the quick reply, but none of these solutions work; I still get
>> the same message.
>>
>> This is what I added to the PIX configs.
>>
>> access-list EXEMPT per ip ho 11.0.0.100 ho 183.1.19.10
>> nat (inside) 0 access-list EXEMPT
>>
>> I do not understand, first of all, why it would look for a translation when
>> I do not have either nat-control or nat (inside) 1 0 0 configured.
>>
>> Thanks,
>> Ajay
>> 2008/11/15 Farrukh Haroon <farrukhharoon@gmail.com>
>>
>>> Either exempt this traffic from NAT or add the following:
>>>
>>> global (inside) 1 interface
>>>
>>> On Sat, Nov 15, 2008 at 10:27 AM, Ajay mehra <ajaymehra01@gmail.com> wrote:
>>>
>>>> Hi Guys,
>>>>
>>>> I have one host on the inside interface of the PIX, which is 11.0.0.100.
>>>> There is also another host, 183.1.19.10, again on the inside interface.
>>>> As a traffic policy, any traffic from 11.0.0.100 to 183.1.19.10 must go
>>>> to the PIX and come back on the same interface (inside). But for some
>>>> reason, when I ping from 11.0.0.100 to 183.1.19.10, I keep getting these
>>>> messages on the PIX console:
>>>>
>>>> %PIX-3-305005: No translation group found for icmp src inside:
>>>> 11.0.0.100 dst
>>>> inside:183.1.19.10 (type 8, code 0)
>>>>
>>>>
>>>> I have the following configs on the PIX related to NAT.
>>>>
>>>> PIX(config)# sh run | i nat|global|same
>>>> same-security-traffic permit intra-interface
>>>> global (outside) 1 interface
>>>> nat (inside) 1 183.1.0.0 255.255.0.0
>>>>
>>>> Now I do not understand why the PIX is looking for a translation for the
>>>> 11.0.0.0 subnet when there is no nat-control on the PIX. The interesting
>>>> thing is that as soon as I remove the nat (inside) 1 statement, ping
>>>> starts working.
>>>>
>>>> Can you guys please help me understand this concept?
>>>>
>>>>
>>>> Thanks,
>>>> Ajay
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
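
A log-triage sketch for the %PIX-3-305005 message quoted in this thread, added here as an example and not written by any of the posters: it parses the message, including the line-wrapped form shown above, and counts failures whose source and destination sit on the same interface. The sample log, the 192.0.2.7 line and the function names are constructed for illustration.

```python
import re
from collections import Counter

# 305005 layout as quoted in the thread. The ICMP form ends in "(type N, code N)";
# the optional /port suffix for tcp/udp is assumed from Cisco's documented layout.
MSG_RE = re.compile(
    r"%(?:PIX|ASA)-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):\s*(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):\s*(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

# Constructed sample: the thread's message (once wrapped as the mail client
# left it, once on a single line) plus one invented outside-to-inside failure.
SAMPLE = """\
%PIX-3-305005: No translation group found for icmp src inside:
11.0.0.100 dst
inside:183.1.19.10 (type 8, code 0)
%PIX-3-305005: No translation group found for icmp src inside:11.0.0.100 dst inside:183.1.19.10 (type 8, code 0)
%PIX-3-305005: No translation group found for tcp src outside:192.0.2.7/40000 dst inside:183.1.19.10/80
"""


def parse_305005(text):
    """Return one dict per 305005 message; wrapped lines are tolerated."""
    flat = " ".join(text.split())  # undo console or mail line wrapping
    records = []
    for match in MSG_RE.finditer(flat):
        rec = match.groupdict()
        # Same ingress and egress interface: the intra-interface (hairpin)
        # case discussed in the thread.
        rec["hairpin"] = rec["src_if"] == rec["dst_if"]
        records.append(rec)
    return records


def hairpin_pairs(text):
    """Count (src_ip, dst_ip, interface) for same-interface translation failures."""
    return Counter(
        (r["src_ip"], r["dst_ip"], r["src_if"])
        for r in parse_305005(text)
        if r["hairpin"]
    )


if __name__ == "__main__":
    for (src, dst, iface), count in hairpin_pairs(SAMPLE).items():
        print(f"{count}x no xlate for {src} -> {dst}, both on '{iface}'")
```
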
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST