PIX configuration Problem

Posted on 2003-02-27
Medium Priority
Last Modified: 2013-11-16
Two interface PIX. Inside interface is Corp, outside interface is Lab. I want the lab to be able to access the internet via the inside interface. When I configure statics, the lab is able to reach all private network addresses, 172,10,192 (Corp network). When I try to go to a public network (WWW), i get the error message "no translation groups available for 207.x.x.x"? What am I doing wrong, and can this be done?

I am not using NAT.

Question by:smotts72
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 79

Expert Comment

ID: 8037637
Sure can. Can you post your config?

Author Comment

ID: 8038231
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

domain-name xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list acl_outside permit tcp 172.17.219.xxx 255.255.255.xxx any eq www
access-list acl_outside permit icmp any any
access-list acl_outside permit udp any any
access-list acl_inside permit icmp any any
access-list acl_inside permit tcp any any
access-list acl_inside permit udp any any
pager lines 24
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 172.17.219.xxx 255.255.255.xxx
ip address inside 172.17.xxx.xxx 255.255.xxx.xxx
ip address intf2
ip address intf3
ip address intf4
ip address intf5
ip address BASIC+ 172.17.219.xxx 255.255.255.xxx
pdm history enable
arp timeout 14400
nat (inside) 0 0 0
static (outside,inside) 172.17.219.xxx 172.17.219.xxx netmask 255.255.255.xxx 0 0
static (inside,outside) 172.xxx.xxx.xxx 172.xxx.xxx.xxx netmask 255.xxx.xxx.xxx 0 0
access-group acl_inside in interface inside
access-group acl_outside in interface outside
route inside 172.17.xxx.xxx 1
route inside 172.17.xxx.xxx 1
route inside 172.17.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
no sysopt route dnat

LVL 79

Expert Comment

ID: 8038346
>ip address outside 172.17.219.xxx 255.255.255.xxx
>ip address inside 172.17.xxx.xxx 255.255.xxx.xxx

your outside cannot be a subnet of the inside. They need to be two distinct networks. If the inside subnet mask is, then you're OK. If that is the case, then the router that is your default gateway @ 172.17.xxx.xx needs to have a route back to the subnet of

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.


Author Comment

ID: 8038497
They are on seperate networks. inside, outside The only fix I have been able to find is to staticly assign the 192 network to whatever network I am trying to reach on www. My question is isn't there a static command that allows all networks?
For instance to get to yahoo it works like this:
static (inside,outside) netmask I want to use one static command for all public IP's. Or is the only way to do this, is by staticly defining all public ip subnets?
Routing is fine as I have statics on the gateway router back to the PIX.

Thanks for all the help so far.
LVL 79

Expert Comment

ID: 8038638
Where is outbound NAT happening? At the gateway router?
You basically just want to use the firewall as a router?

Your nat 0 should be all you need. I've got a PIX that is sort of "backwards" like yours with the "inside" router providing NAT and Internet access. I just can't get to it from here right now. As soon as I can, I'll post the relevant config.

You might try using an acl with NAT 0 :
access-list NO_NAT permit ip any
nat (inside) 0 access-list NO_NAT

What happens if you remove the acl from the inside interface:
no access-group acl_inside in interface inside
and remove the two static lines.

Author Comment

ID: 8038928
Outbound NAT is occuring at a NOKIA firewall. I have also tried the acl on the nat. I currently am allowing pretty much anything, but will give the ip any command a try.

If I remove the acls and the two static commands. I get the error message "no translation groups available" on both the network and aslo on the public network.

If you could post your code I would greatly appreciate it. Also I noticed you refered to it as "backwards", along with other Engineers I have spoke with. Why would you ever want a untrusted network on a higher security level then your trusted network? From all docs I could find, Cisco says you always want the untrusted side on the lower security.
LVL 79

Accepted Solution

lrmoore earned 200 total points
ID: 8039324
You are correct in your reasoning for higher/lower security realms, but we refer to it as backwards, because the Internet is generally the least secure, so in your case you are going from a lower security interface -through- a higher security realm to get to the Internet.

My pix has this in the ACL for my host. I permit host-by-host not by subnet, but the concept is the same:
access-list NO_NAT permit ip any host Thunderbird
nat (inside) 0 access-list NO_NAT
# above Host Thunderbird is in NETWORKADMIN subnet:
access-list outside_in permit ip NETWORKADMIN any

access-group outside_in in interface outside
# I have no acl applied to the inside interface
# I have NO static nat statements for this subnet or host
have you tried:
no static(inside,outside)
no static(outside,inside)
static(inside,outside) netmask

Question. Do these point to different gateways than the default?
>route inside 172.17.xxx.xxx 1
>route inside 172.17.xxx.xxx 1


Expert Comment

ID: 8039721

If you are not using NAT on the PIX, which is OK, then first you have to modify the NAT statements on your Nokia, so they include your Lab network.  Then you have to set a static route on the Nokia FW that will identify how to reach the Lab network, and that should be through the IP address of the PIX inrerface that is connected to the Corp network.  You need only one static route on the PIX (if that is the only exit point for your lab network) that will be the default route pointing through your the inside interface (the Corp network IP).  Nothing else has to be done, as long as your corp network uses gateway address of the nokia fw.  In this case when you have packets from corp to lab they will get to the nokia fw, and the nokia will reroute them to the PIX.  The PIX knows where the lab network is and there you go.  First accomplish what I explained and then try to tighten the security.  Don't use any ACL until you get this working.

I hope this helps

Author Comment

ID: 8045359
Thanks so much for your response. It was the NAT 0 ACL that fixed the whole problem. Hope I can help people out somtime.
LVL 79

Expert Comment

ID: 8045500
Glad you're working! Cheers!

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month13 days, 11 hours left to enroll

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question