
PIX 501 routing question

Status
Not open for further replies.

rtmags

IS-IT--Management
Mar 13, 2005
10
US
I have a 501 with an AD server connected to ethernet1 (AD server address is 192.168.100.1) and a client computer connected to ethernet0 (client computer 192.168.11.108). The client successfully sends two UDP packets to my AD server and the AD server replies to my client. My client computer then tries an LDAP connection to authenticate to my AD server.

This is where the problem starts. The IP address the client is using for the LDAP connection is 192.168.100.1 (remember that the client is on the 192.168.11.x subnet!). I end up getting “No Translation group found” errors in my syslog because the PIX does not know how to translate 192.168.100.1 on the outside interface.

I thought maybe I needed a static route command, so I added:

route inside 0.0.0.0 0.0.0.0 192.168.100.2 1 (where 192.168.100.2 is a wan router on our lab network)

This command did not fix the problem.

How do I tell the PIX that when it gets a packet for 192.168.100.1 on the outside interface (which again is the 192.168.11.x subnet) to route it to the inside interface and on to our wan router so that the AD server gets the LDAP request?
 
You have a static mapping, right? Otherwise, how did the UDP get through --
 
I agree, there must be some type of NAT and access-list set up already, since the default is for the Pix to drop those UDP packets.

Anyway, if you want to address your inside host by its true address, you'd have something like:

static (inside,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

Then an access list to permit the desired inbound traffic, applied to the outside interface.

You can turn on logging to see what's being dropped by the Pix.
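To make the answer above concrete, here is an added example of the three pieces it describes (identity static, a restrictive inbound access list, and logging), in PIX 6.x syntax. It is not configuration from the thread or from Cisco; the interface addresses (192.168.11.254 and 192.168.100.254) and the access-list name outside_in are assumptions, and the 501 defaults of ethernet0 = outside and ethernet1 = inside match what the question describes. Lines beginning with a colon are PIX comment lines.

```text
: Added example, not from the thread. Interface addresses and the
: access-list name are assumptions; ethernet0 = outside (client side),
: ethernet1 = inside (AD server side) are the 501 defaults.
ip address outside 192.168.11.254 255.255.255.0
ip address inside 192.168.100.254 255.255.255.0

: Identity static: the inside subnet is presented to the outside
: interface with its real addresses. A packet for 192.168.100.1 that
: arrives on outside now has a translation to match, so it is no longer
: dropped with "No translation group found".
static (inside,outside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

: Permit only what the client needs: LDAP (TCP 389) from the client
: subnet to the AD server. Everything else from the outside side is
: denied and logged, which keeps the lower-security interface from
: reaching anything on the inside subnet beyond the one service.
access-list outside_in permit tcp 192.168.11.0 255.255.255.0 host 192.168.100.1 eq 389
access-list outside_in deny ip any any log
access-group outside_in in interface outside

: Local logging so translation failures and the deny hits above are
: visible with "show logging". Access-list hits are logged at the
: informational level, so buffer at least that level.
logging on
logging timestamp
logging buffered informational
```

After applying this, "show logging" shows both the translation-failure messages the question quotes (until the static is in place) and each inbound packet the deny line rejects, which is the quickest way to confirm what the PIX is actually dropping. Note that no route command is needed for 192.168.100.1 itself: the question places the AD server directly on the inside interface's subnet, and a route only matters for networks that sit behind 192.168.100.2.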
