On Mon, 2009-01-12 at 15:13 +0000, William wrote:
> What I'm trying to figure out is how I can get hosts on the office
> network to access hosts on the inside network without their addresses
> being translated. I've built an access-list and applied it to the
> office interface which is straight forward and I've added the
> following static:
>
> static (office,inside) 10.75.4.0 10.75.4.0 netmask 255.255.255.0 0 0

As Tony says, you need to swap those interface names, so it says
"static (<higher-if>,<lower-if>) <lower-ip> <higher-ip> netmask <mask>"
as per the documentation.

> However I'm not getting any connectivity, so I added:
>
> access-list office_outbound_nat0_acl permit ip host 10.75.4.1 10.1.1.0 255.255.255.0
> nat (office) 0 access-list office_outbound_nat0_acl
>
> At the moment I'm not getting any hits on office_outbound_nat0_acl and
> no traffic is getting across either, the logs say:
>
> 305005: No translation group found for icmp src office:10.75.4.1 dst inside:10.1.1.250 (type 8, code 0)

You need to reverse the access-list and put the NAT-statement on the
other interface. You always define those things "from" the higher
security level "to" the lower. Then you control what's allowed with
access lists. Thus, it's:

access-list nonat permit ip 10.1.1.0 255.255.255.0 host 10.75.4.1
nat (inside) 0 access-list nonat

> Which matches up with the traffic I'm sending! Can someone assist me
> so I know what I'm doing wrong?

It may seem reverse compared to logic, but that's how PIX/ASA does it. :-)

Regards,
Peter