PIX 506e - Allow inbound traffic

I am creating a new network nat'd behind a PIX 506e.  I still need to allow users in the original network to access the new network.  Outbound traffic works because the PIX allows this implicitly.  I will have to close this down in the near future.  I can't seem to allow any inbound traffic initiated from the outside.  The log shows  
 
 %PIX-3-305005: No translation group found for tcp src outside:55.55.55.55/2832 dst inside:10.0.0.1/445
 
Basically I want to allow everything from outside network 55.55.55.0/24 to the inside network 10.0.0.0/23.
Asked by bdebelius
1 Solution
 
Kent Olsen (Data Warehouse Architect / DBA) commented:

I believe that your access list entry should look something like this:



access-list 160 permit ip  55.55.55.0 0.0.0.255 10.0.0.0/23 0.0.1.255

lrmoore commented:
Kdo, the access-lists on a PIX use subnet masks. You must be more familiar with the access-lists on a router that use an inverse mask...

access-list outside_in permit ip 55.55.55.0 255.255.255.0 10.0.0.0 255.255.254.0
access-group outside_in in interface outside


lrmoore commented:
Oh, yes, assuming that you do not want to nat the traffic between 55.55.55.0 and 10.0.0.0, add these lines:

access-list no_nat permit ip 10.0.0.0 255.255.254.0 55.55.55.0 255.255.255.0
nat (inside) 0 access-list no_nat


Kent Olsen (Data Warehouse Architect / DBA) commented:
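As an added worked example (not code from the thread or from Cisco), a small Python checker that parses PIX 6.x-style access-list entries using real subnet masks (rejecting the inverse masks a router ACL would use, which is the mistake corrected above), extracts the blocked flow from the 305005 log line in the question, and evaluates it against the accepted outside_in entry. The narrow_in entry is a hypothetical tighter variant (TCP/445 only) to show how the same checker confirms a port-scoped rule still covers the logged flow.

```python
import ipaddress
import re

# Constructed sample input: the ACE from the accepted answer, plus a hypothetical
# narrower ACE (destination port 445 only) for comparison. Neither is device output.
ACL_TEXT = """
access-list outside_in permit ip 55.55.55.0 255.255.255.0 10.0.0.0 255.255.254.0
access-list narrow_in permit tcp 55.55.55.0 255.255.255.0 10.0.0.0 255.255.254.0 eq 445
"""
# The syslog line quoted in the question, used here as the flow to test.
LOG_LINE = ("%PIX-3-305005: No translation group found for tcp "
            "src outside:55.55.55.55/2832 dst inside:10.0.0.1/445")

def is_subnet_mask(mask):
    """True only for a contiguous subnet mask (255.255.254.0), not a wildcard (0.0.1.255)."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    return m == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC MASK DST MASK [eq PORT]' (PIX style)."""
    f = line.split()
    if len(f) not in (8, 10) or f[0] != "access-list":
        raise ValueError(f"unsupported ACE: {line}")
    _, name, action, proto, src, smask, dst, dmask = f[:8]
    for mask in (smask, dmask):
        if not is_subnet_mask(mask):
            raise ValueError(f"{mask} is a wildcard mask; PIX ACLs take subnet masks")
    port = int(f[9]) if len(f) == 10 and f[8] == "eq" else None
    return {"name": name, "permit": action == "permit", "proto": proto,
            "src": ipaddress.IPv4Network((src, smask)),
            "dst": ipaddress.IPv4Network((dst, dmask)), "dport": port}

def parse_flow(log_line):
    """Pull protocol, source, destination and destination port out of a 305005 log line."""
    m = re.search(r"for (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)", log_line)
    if not m:
        raise ValueError("not a 305005-style log line")
    proto, src, _sport, dst, dport = m.groups()
    return proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), int(dport)

def acl_permits(acl_text, acl_name, flow):
    """First-match evaluation of one named ACL; no match means the implicit deny applies."""
    proto, src, dst, dport = flow
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace["name"] != acl_name:
            continue
        proto_ok = ace["proto"] in ("ip", proto)
        port_ok = ace["dport"] in (None, dport)
        if proto_ok and src in ace["src"] and dst in ace["dst"] and port_ok:
            return ace["permit"]
    return False
```

Running `acl_permits(ACL_TEXT, "outside_in", parse_flow(LOG_LINE))` returns True for the accepted rule, and the same flow also passes narrow_in, so the broad `permit ip` could later be tightened to just the ports the original network actually needs.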

Good catch....

I don't care how these devices represent the mask values internally -- you'd think that at least the language syntax would be similar.


:-)


bdebelius (Author) commented:
Thanks lrmoore.  That worked.  But I have another question(s) about this.

How would I change the configuration to nat the outside address, so that they appear to be coming from the inside interface?

What would be the reasons to do or not to do this?  I understand nat going outbound is to hide the inside network, but why would I want to hide the outside network?

lrmoore commented:
You can nat the outside if you have some overlapping addresses, or routing issues. Otherwise, I can't think of any good reason to do it.

I have done it when I want to get to a customer's private IP addresses and they overlap with another customer's private IP addresses.
