Solved

Initiate traffic from the outside to the inside on a PIX

Posted on 2006-06-24
Last Modified: 2013-11-16
I've been trying to get traffic from the outside to the inside.
I've tried every NAT/PAT combination and tried applying access lists, to no avail.

Here is the error message:

305005: No translation group found for icmp src outside:172.16.103.55 dst inside:10.56.8.3 (type 8, code 0)

Below is the config:

wr t
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password y0AM.IYFcz0c0i9V encrypted
passwd s6vcrASP2DGVvv4K encrypted
hostname BS2FW01
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network TCS-Access
  network-object host 10.102.1.135
  network-object host 192.168.130.120
  network-object host 192.168.30.209
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.10 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.5 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.55 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.55 eq www
access-list ACL_inside permit tcp any host 172.16.103.11 eq ftp
access-list ACL_inside permit tcp any host 172.16.103.13 eq smtp
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.12 eq https
access-list ACL_inside permit tcp host 10.57.1.123 host 172.16.103.12 eq www
access-list ACL_inside permit icmp any 10.27.212.0 255.255.255.0
access-list ACL_inside permit ip any 10.27.212.0 255.255.255.0
access-list acl_outside permit tcp host 172.16.103.12 host 10.102.1.174 eq www
access-list acl_outside permit ip 10.27.212.0 255.255.255.0 object-group TCS-Access
access-list acl_outside permit icmp 10.27.212.0 255.255.255.0 object-group TCS-Access
access-list acl_outside permit icmp any any
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 172.16.103.1 255.255.255.0
ip address inside 10.103.16.100 255.255.240.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 172.0.0.0 255.0.0.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0
static (outside,inside) 10.27.212.0 10.27.212.0 netmask 255.255.255.0 0 0
static (outside,inside) 172.16.103.55 172.16.103.55 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group ACL_inside in interface inside
route inside 10.0.0.0 255.0.0.0 10.103.16.100 1
route outside 10.27.212.0 255.255.255.0 172.16.103.55 1
route inside 172.17.50.0 255.255.255.0 10.103.16.1 1
route inside 172.18.70.0 255.255.255.0 10.103.16.1 1
route inside 192.168.30.0 255.255.255.0 10.103.16.1 1
route inside 192.168.130.0 255.255.255.0 10.103.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console TACACS+
aaa authentication http console TACACS+
aaa authentication enable console TACACS+
http server enable
http 10.103.16.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.53.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh timeout 5
management-access inside
console timeout 60
terminal width 80
Cryptochecksum:8ac1a6215826dc278d1a3c663be10ed4
: end
Question by:biswar

Expert Comment

by:lrmoore
no access-group ACL_inside in interface inside
no static (outside,inside) 10.27.212.0 10.27.212.0 netmask 255.255.255.0 0 0
no static (outside,inside) 172.16.103.55 172.16.103.55 netmask 255.255.255.255 0 0
no nat (outside) 1 172.0.0.0 255.0.0.0 0 0
no access-list acl_outside
clear xlate

Make those changes.
given this:
>access-list acl_outside permit icmp any any
>static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0

You should be able to ping 172.16.103.13.
10.102.1.67 will answer, but only if its default gateway points to this PIX's inside IP address.
You will never be able to directly ping any 10.x.x.x IP address from outside.
You can only ping the 1-1 static NAT addresses.

What is your ultimate goal? This appears to be in a lab/test environment with private IP on the outside interface. . .

Suggest adding a default route outside
 route outside 0.0.0.0 0.0.0.0 172.16.103.xxx


Author Comment

by:biswar
This is a corporate internal firewall; this is a brand new setup and has not been used before.
There is another firewall beyond this one which allows access to the outside.

static (outside,inside) 172.16.103.55 172.16.103.55 netmask 255.255.255.255 0 0

My ultimate goal is to allow devices sitting on the outside to initiate connections to the inside.
172.16.103.55 is a VPN concentrator sitting on the outside and I am issuing pings from there to 10.56.8.3,
which is a device on the inside.
"ping inside 10.56.8.3" from this firewall does work.

The error message I get when pinging from 172.16.103.55 (outside) to 10.56.8.3:
305005: No translation group found for icmp src outside:172.16.103.55 dst inside:10.56.8.3 (type 8, code 0)

I would like to control traffic both ways, so removing the access list is not an option.
There is a routing protocol in place on the inside, so 10.56.8.3 should respond back.
I believe static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0
should work; unfortunately the server hasn't been installed, so I can't test that.

I've put this statement in so that the device keeps its IP on the inside; this is a valid statement:
static (outside,inside) 172.16.103.55 172.16.103.55 netmask 255.255.255.255 0 0

Also, I have no problem initiating traffic from devices on the inside to the outside; the problem is devices on the outside initiating to the inside.

Is the security level stopping this?





Author Comment

by:biswar
I have found the answer on another question.

What I was missing was

static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0

This now works.
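The fix above works because a PIX 6.3 will only forward a packet arriving on the outside interface if some static whose mapped side is "outside" covers the destination; the two (outside,inside) statics in the original config map outside hosts for inside-initiated traffic and do nothing for an inbound echo request, hence 305005. The following Python model of that lookup is an added example written for this page, not code from the thread or from Cisco. It only models the static lookup (nat/global, ACLs and routing are out of scope), the 305005 text is modelled on the log line quoted in the question, and the "most specific static wins" tie-break is a modelling assumption rather than documented PIX behaviour.

```python
"""Model of how a PIX 6.3 resolves an inbound (outside -> inside) packet
against its static translations, to show why the ping in this thread logged
305005 before the identity static was added and why it works afterwards.

Added example for this page, not code from the thread or from Cisco.
Only the static lookup is modelled; nat/global, ACLs and routing are not.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# static (real_if,mapped_if) MAPPED REAL netmask MASK [...]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)


@dataclass(frozen=True)
class Static:
    real_if: str                    # interface the real hosts sit behind
    mapped_if: str                  # interface on which MAPPED is reachable
    mapped: ipaddress.IPv4Network   # address block seen from mapped_if
    real: ipaddress.IPv4Network     # address block actually used on real_if


def parse_statics(config: str) -> List[Static]:
    """Pull every static line out of a 'write terminal' dump."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m is None:
            continue
        mapped = ipaddress.IPv4Network(f"{m['mapped']}/{m['mask']}", strict=False)
        real = ipaddress.IPv4Network(f"{m['real']}/{m['mask']}", strict=False)
        statics.append(Static(m["real_if"], m["mapped_if"], mapped, real))
    return statics


def untranslate(statics: List[Static], in_if: str, dst: str) -> Tuple[Optional[str], str]:
    """Resolve the destination of a packet that arrived on in_if.

    Only statics whose mapped side is in_if can apply.  A static written as
    (outside,inside) maps an outside host for inside-initiated traffic and
    does nothing for a packet entering on outside, which is the trap in the
    original config.  Returns (real destination or None, log-style message);
    the 305005 text is modelled on the log line quoted in the thread.
    """
    dst_ip = ipaddress.IPv4Address(dst)
    hits = [s for s in statics if s.mapped_if == in_if and dst_ip in s.mapped]
    if not hits:
        return None, f"305005: No translation group found for icmp src {in_if} dst {dst}"
    # Modelling assumption: if several statics cover dst, take the most specific.
    best = max(hits, key=lambda s: s.mapped.prefixlen)
    offset = int(dst_ip) - int(best.mapped.network_address)
    real = ipaddress.IPv4Address(int(best.real.network_address) + offset)
    return str(real), f"untranslating {in_if}:{dst} to {best.real_if}:{real}"


# Static lines copied from the two configs posted in the thread.
ORIGINAL_STATICS = """\
static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0
static (outside,inside) 10.27.212.0 10.27.212.0 netmask 255.255.255.0 0 0
static (outside,inside) 172.16.103.55 172.16.103.55 netmask 255.255.255.255 0 0
"""
IDENTITY_FIX = "static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0\n"
SECOND_STATICS = """\
static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0
static (inside,outside) 10.46.10.36 10.57.1.63 netmask 255.255.255.255 0 0
static (inside,outside) 10.46.10.17 10.58.1.177 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_STATICS),
                       ("with identity static", ORIGINAL_STATICS + IDENTITY_FIX),
                       ("second config", SECOND_STATICS)):
        statics = parse_statics(cfg)
        for dst in ("10.56.8.3", "10.46.10.36"):
            _, msg = untranslate(statics, "outside", dst)
            print(f"[{label}] {msg}")
```

Run it and the original config reports 305005 for 10.56.8.3, the config with the /8 identity static resolves it to itself, and the second config resolves 10.46.10.36 to 10.57.1.63, matching trace line 70 later in the thread. Note that the identity static also exposes every 10.0.0.0/8 address to whatever acl_outside permits, so the inbound ACL is what actually limits reachability once it is in place.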

Author Comment

by:biswar
Comment Utility
oops

thanks for your reply

Author Comment

by:biswar
Sorry about the C, I'm a newb to this; I will ask the moderator to upgrade to a B. I didn't know that the grading would make a difference and thought it was based on the points.

Expert Comment

by:lrmoore
No problem. The points that we get awarded are actually a multiple of your question points, based on the grade.
For example, a C grade is a multiple of 2 for 1000 points, a B is a multiple of 3 for 1500 and an A would be an award of 2000 points.

Since I'm also a Page Editor, I can re-open this question and you can close it again with a B grade.

Thanks!

Author Comment

by:biswar
Hi, I still have a problem.

If it's OK, I would be grateful if you could continue helping.

The source address is 10.27.212.5.
The destination from the source is 10.46.10.36 (the 10.46 subnet does not exist physically).
When it hits the inside of the PIX the destination gets translated to 10.57.1.63; the source remains 10.27.212.5.
The packet does not return, because I get an error message:
110001: No route to 10.27.212.5 from 10.46.10.36


I did an ICMP trace and get this:
70: ICMP echo-request: untranslating outside:10.46.10.36 to inside:10.57.1.63
71: ICMP echo-reply from inside:10.57.1.63 to 10.27.212.5 ID=512 seq=13088 length=40
72: ICMP echo-reply: translating inside:10.57.1.63 to outside:10.46.10.36
73: ICMP echo-reply from outside:10.46.10.36 to 10.27.212.5 ID=512 seq=13088 length=40

This is the config I have:
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password y0AM.IYFcz0c0i9V encrypted
passwd s6vcrASP2DGVvv4K encrypted
hostname BS2FW01
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network TCS-Access
  network-object host 10.102.1.135
  network-object host 10.102.1.136
 
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.10 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.5 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.55 eq telnet
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.55 eq www
access-list ACL_inside permit tcp any host 172.16.103.11 eq ftp
access-list ACL_inside permit tcp any host 172.16.103.13 eq smtp
access-list ACL_inside permit tcp 10.0.0.0 255.0.0.0 host 172.16.103.12 eq https
access-list ACL_inside permit tcp host 10.57.1.123 host 172.16.103.12 eq www
access-list ACL_inside permit icmp any any
access-list ACL_inside deny ip any any
access-list acl_outside permit tcp host 172.16.103.12 host 10.102.1.174 eq www
access-list acl_outside permit ip 10.27.212.0 255.255.255.0 object-group TCS-Access
access-list acl_outside permit icmp 10.27.212.0 255.255.255.0 object-group TCS-Access
access-list acl_outside permit icmp host 172.16.103.55 any
access-list acl_outside permit icmp any any
access-list acl_outside deny ip any any
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 172.16.103.1 255.255.255.0
ip address inside 10.103.16.100 255.255.240.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.103.13 10.102.1.67 netmask 255.255.255.255 0 0
static (inside,outside) 10.46.10.36 10.57.1.63 netmask 255.255.255.255 0 0
static (inside,outside) 10.46.10.17 10.58.1.177 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group ACL_inside in interface inside
route inside 10.0.0.0 255.0.0.0 10.103.16.100 1
route outside 10.27.212.0 255.255.255.0 172.16.103.55 1
route inside 172.17.50.0 255.255.255.0 10.103.16.1 1
route inside 172.18.70.0 255.255.255.0 10.103.16.1 1
route inside 192.168.30.0 255.255.255.0 10.103.16.1 1
route inside 192.168.130.0 255.255.255.0 10.103.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.103.16.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
sysopt noproxyarp inside
telnet 10.53.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh timeout 5
management-access inside
console timeout 60
terminal width 80



Expert Comment

by:lrmoore
>No route to 10.27.212.5 from 10.46.10.36
>route outside 10.27.212.0 255.255.255.0 172.16.103.55

Whatever router is the next hop at 172.16.103.55 must have a route for 10.46.10.0 pointing to the outside IP of this PIX.

Author Comment

by:biswar
I have tried adding this:

route outside 10.46.0.0 255.255.0.0 172.16.103.55

but I get the same message.

Accepted Solution

by:
lrmoore earned 500 total points
The router needs a route:
 ip route 10.46.0.0 255.255.0.0 172.16.103.1  <== back to the PIX

Author Comment

by:biswar
Thanks for your help. Added the route to the concentrator and it now works.