NAT and static on DMZ interface


sghezzi (Technical User), Apr 7, 2003
I have PIX 6.1 and also 6.3 for testing.
On both I have three i/f: outside, inside, dmz
I am using the DMZ only to connect it to a router which establishes VPNs with remote partners, so there are no public IPs to be published on the DMZ i/f.

Traffic is flowing from inside i/f to dmz i/f to be then encrypted on the router, and vice versa.
I do apply nonat on the inside i/f for this traffic that is flowing to the dmz i/f.

My question is: do I also have to apply static?
I have read in the documentation that I should, but I didn't, and I can see everything working fine, apart from some messages sometimes saying:
%PIX-3-305005: No translation group found for icmp src vpn:192.168.100.62 dst inside2:10.0.4.46 (type 8, code 0)
But every application tested worked.

What do I have to do?

Many thanks
Regards
Silvia
 
Well, it seems you haven't set up nat 0 or static translation for this address when traversing the pix from dmz to inside.

Jan

Network Systems Engineer
CCNA/CQS
 
I have configured only NAT 0.
"Static" I have not configured.

Is it mandatory?
Why do ftp, http and so on work anyway?

I don't like this unpredictable behaviour!
I would like to have something that works or it doesn't, not something that half works!

 
I had a similar problem, and would be interested in the answer.

My issue: a 'nat 0' inside would not talk to dmz with a static.
I had to add a static for the nat 0:

global (outside) 1 interface
nat (inside) 0 x.x.x.0 255.255.255.0 0 0
nat (inside) 1 y.y.0.0 255.255.0.0 0 0
nat (DMZ) 1 z.z.z.0 255.255.255.0 0 0
static (inside,DMZ) y.y.0.0 y.y.0.0 netmask 255.255.0.0 0 0
static (DMZ,inside) z.z.z.0 z.z.z.0 netmask 255.255.255.0 0 0
>>Had to add:
static (inside,DMZ) x.x.x.0 x.x.x.0 netmask 255.255.255.0 0 0

So if x.x.x.0 is nat 0, why does a static need to be explicitly defined?

where
x.x.x.0 is the internal public network with no NAT anywhere
y.y.0.0 is the internal private network with interface PAT outside and static 'no translation' to DMZ
z.z.z.0 is the dmz private network with interface PAT outside and static 'no translation' to inside.
 
It appears I have found my own answer from cisco:

>>>Dynamic NAT using the nat and global commands creates a temporary connection/translation state that is ALWAYS built from a higher security level interface to a lower security level interface (inside to outside). The conduits on these dynamically built translations only apply when the connection state is built. Any inside host that the outside needs to initiate a connection into without the inside host first establishing a connection out, must be translated using the static command. By statically translating the host, this connection state is permanently mapped and all conduits applied to this static translation remain open at all times. With this in place, IP connections can be initiated from the Internet without fail.
>>>

They could be a little clearer on this when people are doing NAT 0, especially when the PDM will show translation rules that are misleading.
 
You could also configure nat (inside) 0 access-list <acl> and that eliminates the need for a static translation.
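As an added example (not from this thread or from Cisco), a small Python checker that applies the rule in the Cisco excerpt above to a PIX config and a %PIX-3-305005 message: it finds the nat 0 network covering the destination host and reports whether an identity static from that higher-security interface toward the message's source interface exists, returning the static to add when it does not. The interface names and addresses are taken from the original post's log line; the config itself is constructed for the example.

```python
import ipaddress
import re

# Constructed sample config (not the poster's): nat 0 exempts the inside
# subnet, but no identity static exists from inside2 toward the vpn interface.
PIX_CONFIG = """
nat (inside2) 0 10.0.4.0 255.255.255.0 0 0
nat (inside2) 1 10.1.0.0 255.255.0.0 0 0
static (inside2,vpn) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
"""
# Constructed log line in the shape of the 305005 message quoted in the post.
LOG_LINE = ("%PIX-3-305005: No translation group found for icmp "
            "src vpn:192.168.100.62 dst inside2:10.0.4.46 (type 8, code 0)")

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
LOG_RE = re.compile(r"305005: No translation group found for \w+ "
                    r"src (\S+):(\S+) dst (\S+):(\S+)")

def parse_config(text):
    """nat0 -> [(iface, network)]; statics -> [(real_iface, mapped_iface, real_network)]."""
    nat0, statics = [], []
    for line in text.splitlines():
        if m := NAT0_RE.match(line.strip()):
            nat0.append((m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")))
        elif m := STATIC_RE.match(line.strip()):
            real_ifc, mapped_ifc, _mapped, real, mask = m.groups()
            statics.append((real_ifc, mapped_ifc, ipaddress.ip_network(f"{real}/{mask}")))
    return nat0, statics

def diagnose(log_line, nat0, statics):
    """Return ('has_static' | 'missing_static' | 'no_rule', suggested static or None)."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    src_ifc, _src_ip, dst_ifc, dst_ip = m.groups()
    dst = ipaddress.ip_address(dst_ip)
    # A static (real,mapped) covering the destination makes the connection state permanent.
    if any(r == dst_ifc and mp == src_ifc and dst in net for r, mp, net in statics):
        return ("has_static", None)
    # nat 0 alone only builds state from the higher-security side outward.
    for ifc, net in nat0:
        if ifc == dst_ifc and dst in net:
            fix = (f"static ({dst_ifc},{src_ifc}) {net.network_address} "
                   f"{net.network_address} netmask {net.netmask} 0 0")
            return ("missing_static", fix)
    return ("no_rule", None)

if __name__ == "__main__":
    print(diagnose(LOG_LINE, *parse_config(PIX_CONFIG)))
```

The identity static only creates the translation; a connection initiated from the lower-security interface still has to be permitted by an access-list or conduit, as the Cisco excerpt says.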
 