Solved

PIX 506e - Allow inbound traffic

Posted on 2004-04-01
6
861 Views
Last Modified: 2010-04-09
I am creating a new network nat'd behind a PIX 506e.  I still need to allow users in the original network to access the new network.  Outbound traffic works because the PIX allows this implicitly.  I will have to close this down in the near future.  I can't seem to allow any inbound traffic initiated from the outside.  The log shows  
 
 %PIX-3-305005: No translation group found for tcp src outside:55.55.55.55/2832 dst inside:10.0.0.1/445
 
Basically I want to allow everything from outside network 55.55.55.0/24 to the inside network 10.0.0.0/23.
0
Comment
Question by:bdebelius
  • 3
  • 2
6 Comments
 
LVL 45

Expert Comment

by:Kdo
ID: 10735657


I believe that your access list entry should look something like this:



access-list 160 permit ip  55.55.55.0 0.0.0.255 10.0.0.0/23 0.0.1.255
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10736346
Kdo, the access-lists on a PIX use subnet masks. You must be more familiar with the access-lists on a router that use an inverse mask...

access-list outside_in permit ip 55.55.55.0 255.255.255.0 10.0.0.0 255.255.254.0
access-group outside_in in interface outside

0
 
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 10736360
Oh, yes, assuming that you do not want to nat the traffic between 55.55.55.0 and 10.0.0.0, add these lines:

access-list no_nat permit 10.0.0.0 255.255.254.0 55.55.55.0 255.255.255.0
nat(inside) 0 access-list no_nat

0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 45

Expert Comment

by:Kdo
ID: 10737135

Good catch....

I don't care how these devices represent the mask values internally -- you'd think that at least the language syntax would be similar.


:-)

0
 

Author Comment

by:bdebelius
ID: 10741104
Thanks lrmooore.  That worked.  But I have another question(s) about this.

How would I change the configuration to nat the outside address, so that they appear to be coming from the inside interface?

What would be the reasons to do or not to do this?  I understand nat going outbound is to hide the inside network, but why would I want to hide the outside network?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10744277
You can nat the outside if you have some overlapping addresses, or routing issues. Otherwise, I can't think of any good reason to do it.

I have done it when I want to get to a customer's private IP addresses and they overlap with another customer's private IP addresses.

0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now