Reverse NAT and No Nat Translation Errors

Status
Not open for further replies.

oneciscokid

Technical User
Aug 18, 2006
22
CA
Hello,

I'm having a problem getting reverse NATs to work properly. I'm not entirely sure what I'm doing wrong, so any help would be appreciated.

A piece of the config

interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-list acl_outside permit icmp any any
access-list acl_outside permit tcp any host 172.16.1.2 eq ssh

access-list acl_no_nat1 deny ip host 172.31.1.200 any
access-list acl_no_nat1 permit ip any any

ip address outside 172.31.1.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0

global (outside) 1 interface
global (inside) 10 172.16.1.5-172.16.1.10
nat (outside) 0 access-list acl_no_nat1 outside
nat (outside) 10 172.31.1.200 255.255.255.255 outside 0 0
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
access-group acl_outside in interface outside


Computer Outside --> 172.31.1.200
Computer Inside --> 172.16.1.2

Routes are in place on both computers.

I'm trying to ping from 172.31.1.200 to 172.16.1.2, but on the PIX I'm getting the following errors:

305005: No translation group found for icmp src outside:172.31.1.200 dst inside:172.16.1.2 (type 8, code 0)
305005: No translation group found for icmp src outside:172.31.1.200 dst inside:172.16.1.2 (type 8, code 0)
305005: No translation group found for icmp src outside:172.31.1.200 dst inside:172.16.1.2 (type 8, code 0)


But when I do

pix# show xlate
1 in use, 3 most used
Global 172.16.1.5 Local 172.31.1.200


But there are no connections when doing a

#show conn

So there's an entry in the translation table but errors are coming in the logs.

Same happens if I try the reverse as well, from 172.16.1.2 to ping 172.31.1.200, but with the IPs reversed in the logs.

Can anyone shed some light on this?

Thanks in Advance.
 
What are you trying to do? Are you trying to NAT 172.31.1.200 to your inside IP range? Is there any reason why you cannot just disable NAT so the computers can communicate using their native IPs?




 
Just a lab scenario, want to get a better understanding of Reverse NATs and No NATs.
 
Have you tried using a static nat instead to translate the inbound traffic from that host, i.e.

static (outside,inside) 172.16.1.5 172.31.1.200 netmask 255.255.255.255 0 0
 
Yes, I'm familiar with using statics. But would like to understand Reverse NATs and NoNATs. Do you by chance happen to have a working example?
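
A triage helper for the symptom in the first post, added here as an example and not posted by anyone in the thread: it parses the 305005 lines and the `show xlate` output quoted above (embedded as sample input) and lists, per flow, which endpoint has no entry in the translation table. The function names and regular expressions are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample input: the log lines and "show xlate" output quoted in the thread.
SYSLOG = """\
305005: No translation group found for icmp src outside:172.31.1.200 dst inside:172.16.1.2 (type 8, code 0)
305005: No translation group found for icmp src outside:172.31.1.200 dst inside:172.16.1.2 (type 8, code 0)
305005: No translation group found for icmp src outside:172.31.1.200 dst inside:172.16.1.2 (type 8, code 0)
"""
XLATE = """\
1 in use, 3 most used
Global 172.16.1.5 Local 172.31.1.200
"""

# 305005 format as quoted in the thread; the optional /port covers TCP and UDP flows.
MSG_305005 = re.compile(
    r"305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
)
XLATE_ROW = re.compile(r"Global (?P<glob>[\d.]+) Local (?P<local>[\d.]+)")

def parse_xlate(text):
    """Return every address that appears as Global or Local in 'show xlate' output."""
    addrs = set()
    for m in XLATE_ROW.finditer(text):
        addrs.update((m["glob"], m["local"]))
    return addrs

def triage(syslog, xlate):
    """Count each distinct 305005 flow and list its endpoints that have no xlate entry."""
    known = parse_xlate(xlate)
    flows = Counter()
    for m in MSG_305005.finditer(syslog):
        flows[(m["proto"], m["src_if"], m["src"], m["dst_if"], m["dst"])] += 1
    report = []
    for (proto, sif, src, dif, dst), hits in flows.items():
        ends = ((sif, src), (dif, dst))
        report.append({
            "flow": f"{proto} {sif}:{src} -> {dif}:{dst}",
            "hits": hits,
            "without_xlate": [f"{i}:{a}" for i, a in ends if a not in known],
        })
    return report

if __name__ == "__main__":
    for row in triage(SYSLOG, XLATE):
        print(row)
```

On the thread's data this reports one flow, seen three times, where the source 172.31.1.200 has an xlate entry and the destination inside:172.16.1.2 does not.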
 