Solved

initiate traffic from the outside to the inside on a pix

Posted on 2006-06-24
653 Views
Last Modified: 2013-11-16
I've been trying to get traffic from the outside to the inside.
I've tried every NAT/PAT combination and tried applying access lists, to no avail.

Here is the error message:

305005: No translation group found for icmp src outside:172.16.103.55 dst inside:10.56.8.3 (type 8, code 0)

Below is the config:

wr t
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password y0AM.IYFcz0c0i9V encrypted
passwd s6vcrASP2DGVvv4K encrypted
hostname BS2FW01
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network TCS-Access
  network-object host 10.102.1.135
  network-object host 192.168.130.120
  network-object host 192.168.30.209
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.10 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.5 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.55 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.55 eq www
access-list ACL_inside permit tcp any host 172.16.103.11 eq ftp
access-list ACL_inside permit tcp any host 172.16.103.13 eq smtp
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.12 eq https
access-list ACL_inside permit tcp host 10.57.1.123 host 172.16.103.12 eq www
access-list ACL_inside permit icmp any 10.27.212.0 255.255.255.0
access-list ACL_inside permit ip any 10.27.212.0 255.255.255.0
access-list acl_outside permit tcp host 172.16.103.12 host 10.102.1.174 eq www
access-list acl_outside permit ip 10.27.212.0 255.255.255.0 object-group TCS-Access
access-list acl_outside permit icmp 10.27.212.0 255.255.255.0 object-group TCS-Access
access-list acl_outside permit icmp any any
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 172.16.103.1 255.255.255.0
ip address inside 10.103.16.100 255.255.240.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 172.0.0.0 255.0.0.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0
static (outside,inside) 10.27.212.0 10.27.212.0 netmask 255.255.255.0 0 0
static (outside,inside) 172.16.103.55 172.16.103.55 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group ACL_inside in interface inside
route inside 10.0.0.0 255.0.0.0 10.103.16.100 1
route outside 10.27.212.0 255.255.255.0 172.16.103.55 1
route inside 172.17.50.0 255.255.255.0 10.103.16.1 1
route inside 172.18.70.0 255.255.255.0 10.103.16.1 1
route inside 192.168.30.0 255.255.255.0 10.103.16.1 1
route inside 192.168.130.0 255.255.255.0 10.103.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console TACACS+
aaa authentication http console TACACS+
aaa authentication enable console TACACS+
http server enable
http 10.103.16.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.53.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh timeout 5
management-access inside
console timeout 60
terminal width 80
Cryptochecksum:8ac1a6215826dc278d1a3c663be10ed4
: end
Question by:biswar
LVL 79

Expert Comment

by:lrmoore
ID: 16976708
no access-group ACL_inside in interface inside
no static (outside,inside) 10.27.212.0 10.27.212.0 netmask 255.255.255.0 0 0
no static (outside,inside) 172.16.103.55 172.16.103.55 netmask 255.255.255.255 0 0
no nat (outside) 1 172.0.0.0 255.0.0.0 0 0
no access-list acl_outside
clear xlate

Make those changes.
Given this:
>access-list acl_outside permit icmp any any
>static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0

You should be able to ping 172.16.103.13.
10.102.1.67 will answer, but only if its default gateway points to this PIX' inside IP address.
You will never be able to directly ping any 10.x.x.x IP address from outside.
You can only ping the 1-1 static NAT addresses.

What is your ultimate goal? This appears to be in a lab/test environment with private IP on the outside interface. . .

Suggest adding a default route outside
 route outside 0.0.0.0 0.0.0.0 172.16.103.xxx


Author Comment

by:biswar
ID: 16977660
This is a corporate internal firewall; this is a brand new setup and has not been used before.
There is another firewall beyond this one which allows access to the outside.

static (outside,inside) 172.16.103.55 172.16.103.55 netmask 255.255.255.255 0 0

My ultimate goal is to allow devices sitting on the outside to initiate connections to the inside.
172.16.103.55 is a VPN concentrator sitting on the outside and I am issuing pings from there to 10.56.8.3,
which is a device on the inside.
ping inside 10.56.8.3 from this firewall does work.

The error message I get when pinging from 172.16.103.55 outside to 10.56.8.3:
305005: No translation group found for icmp src outside:172.16.103.55 dst inside:10.56.8.3 (type 8, code 0)

I would like to control traffic both ways, so removing the access-list is not an option.
There is a routing protocol in place on the inside so 10.56.8.3 should respond back.
I believe static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0
should work; unfortunately the server hasn't been installed so I can't test that.

I've put this statement in so that the device keeps its IP on the inside; this is a valid statement:
static (outside,inside) 172.16.103.55 172.16.103.55 netmask 255.255.255.255 0 0

Also, I have no problem initiating traffic from devices on the inside to the outside; the problem is devices on the outside initiating on the inside.

Is the security level stopping this?





Author Comment

by:biswar
ID: 16977836
I have found the answer on another question.

What I was missing was:

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

This now works.
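To see why the identity static above clears the 305005 error while the two `static (outside,inside)` lines never could, here is an added Python model of the inbound translation lookup a PIX 6.3 performs for outside-initiated traffic. It is not code from the thread or from Cisco; it assumes that only `static` entries matter for inbound lookups (dynamic `nat`/`global` pairs are ignored) and uses config lines copied from the thread as constructed input.

```python
import ipaddress
from typing import Optional

def parse_static(line: str) -> dict:
    """Parse 'static (real_if,mapped_if) MAPPED REAL netmask MASK ...' (PIX 6.3 syntax)."""
    tok = line.split()
    real_if, mapped_if = tok[1].strip("()").split(",")
    mask = tok[5]
    return {
        "real_if": real_if,
        "mapped_if": mapped_if,
        "mapped": ipaddress.ip_network(f"{tok[2]}/{mask}", strict=False),
        "real": ipaddress.ip_network(f"{tok[3]}/{mask}", strict=False),
    }

def untranslate(config: list, dst: str) -> Optional[str]:
    """Real inside address an outside-initiated packet to dst reaches, or None.

    Dynamic nat/global entries are ignored on purpose (assumption of this model):
    on a PIX they only build xlates for connections started on the inside.
    """
    d = ipaddress.ip_address(dst)
    for st in (parse_static(ln) for ln in config if ln.startswith("static ")):
        # Only a static whose MAPPED side is the outside interface can be hit from
        # outside. A static (outside,inside) maps an OUTSIDE host as seen by inside
        # clients, so the 172.16.103.55 identity entry in the thread never matched.
        if (st["real_if"], st["mapped_if"]) == ("inside", "outside") and d in st["mapped"]:
            offset = int(d) - int(st["mapped"].network_address)
            return str(st["real"].network_address + offset)
    return None

def classify(config: list, src: str, dst: str) -> str:
    """Render the outcome in the wording the PIX syslog / ICMP trace uses."""
    real = untranslate(config, dst)
    if real is None:
        return f"305005: No translation group found for icmp src outside:{src} dst inside:{dst}"
    return f"untranslating outside:{dst} to inside:{real}"

# Constructed from the thread: statics before the fix, and after the identity static.
BEFORE = [
    "static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0",
    "static (outside,inside) 10.27.212.0 10.27.212.0 netmask 255.255.255.0 0 0",
    "static (outside,inside) 172.16.103.55 172.16.103.55 netmask 255.255.255.255 0 0",
]
AFTER = BEFORE + ["static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0"]

if __name__ == "__main__":
    for cfg in (BEFORE, AFTER):
        print(classify(cfg, "172.16.103.55", "10.56.8.3"))
```

The same lookup explains the later trace in this thread: a `static (inside,outside) 10.46.10.36 10.57.1.63 ...` entry untranslates 10.46.10.36 to 10.57.1.63, but the reply still needs a return route on the upstream router.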
Author Comment

by:biswar
ID: 16977838
Oops.

Thanks for your reply.

Author Comment

by:biswar
ID: 16981302
Sorry about the C, I'm a newb to this. I will ask the moderator to upgrade to a B; I didn't know that the grading would make a difference and thought it was based on the points.
LVL 79

Expert Comment

by:lrmoore
ID: 16983038
No problem. The points that we get awarded are actually a multiple of your question points, based on the grade.
For example, a C grade is a multiple of 2 for 1000 points, a B is a multiple of 3 for 1500 and an A would be an award of 2000 points.

Since I'm also a Page Editor, I can re-open this question and you can close it again with a B grade.

Thanks!

Author Comment

by:biswar
ID: 16983077
Hi, I still have a problem.

If it's OK, I would be grateful if you could continue helping.

The source address is 10.27.212.5.
The destination from the source is 10.46.10.36 (the 10.46 subnet does not exist physically).
When it hits the inside of the PIX the destination gets translated to 10.57.1.63; the source remains as 10.27.212.5.
The packet does not return because I get an error message:
110001: No route to 10.27.212.5 from 10.46.10.36


I did an ICMP trace and get this:
70: ICMP echo-request: untranslating outside:10.46.10.36 to inside:10.57.1.63
71: ICMP echo-reply from inside:10.57.1.63 to 10.27.212.5 ID=512 seq=13088 length=40
72: ICMP echo-reply: translating inside:10.57.1.63 to outside:10.46.10.36
73: ICMP echo-reply from outside:10.46.10.36 to 10.27.212.5 ID=512 seq=13088 length=40

This is the config I have:
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password y0AM.IYFcz0c0i9V encrypted
passwd s6vcrASP2DGVvv4K encrypted
hostname BS2FW01
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network TCS-Access
  network-object host 10.102.1.135
  network-object host 10.102.1.136
 
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.10 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.5 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.55 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.55 eq www
access-list ACL_inside permit tcp any host 172.16.103.11 eq ftp
access-list ACL_inside permit tcp any host 172.16.103.13 eq smtp
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.12 eq https
access-list ACL_inside permit tcp host 10.57.1.123 host 172.16.103.12 eq www
access-list ACL_inside permit icmp any any
access-list ACL_inside deny ip any any
access-list acl_outside permit tcp host 172.16.103.12 host 10.102.1.174 eq www
access-list acl_outside permit ip 10.27.212.0 255.255.255.0 object-group TCS-Access
access-list acl_outside permit icmp 10.27.212.0 255.255.255.0 object-group TCS-Access
access-list acl_outside permit icmp host 172.16.103.55 any
access-list acl_outside permit icmp any any
access-list acl_outside deny ip any any
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 172.16.103.1 255.255.255.0
ip address inside 10.103.16.100 255.255.240.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0
static (inside,outside) 10.46.10.36 10.57.1.63 netmask 255.255.255.255 0 0
static (inside,outside) 10.46.10.17 10.58.1.177 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group ACL_inside in interface inside
route inside 10.0.0.0 255.0.0.0 10.103.16.100 1
route outside 10.27.212.0 255.255.255.0 172.16.103.55 1
route inside 172.17.50.0 255.255.255.0 10.103.16.1 1
route inside 172.18.70.0 255.255.255.0 10.103.16.1 1
route inside 192.168.30.0 255.255.255.0 10.103.16.1 1
route inside 192.168.130.0 255.255.255.0 10.103.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.103.16.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
sysopt noproxyarp inside
telnet 10.53.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh timeout 5
management-access inside
console timeout 60
terminal width 80


LVL 79

Expert Comment

by:lrmoore
ID: 16983146
>No route to 10.27.212.5 from 10.46.10.36
>route outside 10.27.212.0 255.255.255.0 172.16.103.55

Whatever the next-hop router at 172.16.103.55 is, it must point a route for 10.46.10.0 to the outside IP of this PIX.

Author Comment

by:biswar
ID: 16983196
I have tried adding this:

route outside 10.46.0.0 255.255.0.0 172.16.103.55

but I get the same message.
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 16983225
The router needs a route:
 ip route 10.46.0.0 255.255.0.0 172.16.103.1  <== back to the PIX

Author Comment

by:biswar
ID: 17009181
Thanks for your help. I added the route to the concentrator and it now works.

Question has a verified solution.
