We help IT Professionals succeed at work.

PIX 506e - Allow inbound traffic

bdebelius
bdebelius asked
on
895 Views
Last Modified: 2010-04-09
I am creating a new network nat'd behind a PIX 506e.  I still need to allow users in the original network to access the new network.  Outbound traffic works because the PIX allows this implicitly.  I will have to close this down in the near future.  I can't seem to allow any inbound traffic initiated from the outside.  The log shows  
 
 %PIX-3-305005: No translation group found for tcp src outside:55.55.55.55/2832 dst inside:10.0.0.1/445
 
Basically I want to allow everything from outside network 55.55.55.0/24 to the inside network 10.0.0.0/23.
Comment
Watch Question

Kent OlsenData Warehouse / Database Architect
CERTIFIED EXPERT

Commented:


I believe that your access list entry should look something like this:



access-list 160 permit ip  55.55.55.0 0.0.0.255 10.0.0.0/23 0.0.1.255
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Kdo, the access-lists on a PIX use subnet masks. You must be more familiar with the access-lists on a router that use an inverse mask...

access-list outside_in permit ip 55.55.55.0 255.255.255.0 10.0.0.0 255.255.254.0
access-group outside_in in interface outside

Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Kent OlsenData Warehouse / Database Architect
CERTIFIED EXPERT

Commented:

Good catch....

I don't care how these devices represent the mask values internally -- you'd think that at least the language syntax would be similar.


:-)

Author

Commented:
Thanks lrmooore.  That worked.  But I have another question(s) about this.

How would I change the configuration to nat the outside address, so that they appear to be coming from the inside interface?

What would be the reasons to do or not to do this?  I understand nat going outbound is to hide the inside network, but why would I want to hide the outside network?
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
You can nat the outside if you have some overlapping addresses, or routing issues. Otherwise, I can't think of any good reason to do it.

I have done it when I want to get to a customer's private IP addresses and they overlap with another customer's private IP addresses.

Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.