PIX 7.0: DMZ to Inside NAT
hypnotoad
Banned Posts: 915
Hey guys,
Trying to write a rule to allow LDAP DMZ traffic to get to a server on the inside LAN and my PIX is logging this message:
No Translation group for tcp src:dmz192.168.0.5/47770 dst inside:172.16.0.2/389. Explanation: A packet does not match any of the outbound nat command rules.
I believe my ACL is ok, but how do I tell it that it doesn't have to do NAT between the DMZ and inside (or does it?!)
TIA...
Sorry I'm an ASA/PIX newbie (not for long I hope).
Comments
-
bighornsheep Member Posts: 1,506
You probably need a NAT exempt rule.
Remember, high to low, good to go!
Jack of all trades, master of none
-
hypnotoad Banned Posts: 915
Actually this page (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml#DMZ2inside) has pretty much the exact config I need. But it doesn't work. At the moment, 'doesn't work' is the most accurate description I have.
-
Ahriakin Member Posts: 1,799 ■■■■■■■■□□
You can turn nat control off and it removes the need to have translations for all inter-zone traffic, it's just 'no nat-control'. Just make sure your ACLs are perfect as you won't have the safety net of having to have those NAT rules as well anymore.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
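The two approaches suggested in the replies, written out as a PIX 7.x configuration sketch. This is an added example, not taken from the thread or from the linked Cisco page. The ACL names `dmz_in` and `nonat` are hypothetical, the addresses, interface names and port come from the log line in the first post, and it assumes no ACL is already applied inbound on the dmz interface.

```cisco
! Added example for PIX 7.x; the names dmz_in and nonat are hypothetical.
! Addresses, interfaces and port are taken from the log line in the first post.

! Filtering, needed with either NAT option: permit only the one LDAP flow.
! The implicit deny at the end of the ACL drops everything else from the DMZ.
access-list dmz_in extended permit tcp host 192.168.0.5 host 172.16.0.2 eq ldap
access-group dmz_in in interface dmz
! Too broad once NAT is no longer a second gate (do not use):
!   access-list dmz_in extended permit ip any any

! Option A: keep nat-control and exempt this host pair from translation.
access-list nonat extended permit ip host 172.16.0.2 host 192.168.0.5
nat (inside) 0 access-list nonat

! Option B: drop the translation requirement for all inter-interface traffic.
! The ACL above then becomes the only control between dmz and inside.
no nat-control
```

Use Option A or Option B, not both. With Option B, every interface pair on the firewall loses the NAT requirement, so each interface's ACL should be reviewed before the change.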