Translation issue

Unanswered Question
Mar 22nd, 2007

I seem to have stumbled on an issue in our test environment. Please see explanation below and relevant lines of the configuration.

We have a PIX that is using 2 interfaces, inside and outside, no DMZ.

The network outside of the PIX is 10.1.0.0/16. The network inside the PIX is 172.16.15.0/27.

Behind the PIX is a web server. NAT is configured so that HTTP traffic to the web server which is directed at its external ip address (10.1.96.2), is port redirected to its real ip address on the inside (172.16.15.30). This is achieved using static NAT.

The web server needs to initiate outbound traffic. In this example I have configured it to be able to do DNS lookups on external servers (10.1.15.98 + 99). The "inside" access-list and nat/global pair achieve this.

OK so far. For argument's sake, the web server needs to receive HTTP traffic from the same source IP address. I have achieved this using outside NAT with another nat/global pair. All inbound HTTP requests appear to the web server as 192.168.0.1.

This is when the problem occurs. The inbound HTTP requests still succeed. The destination IP address is changed to the web server's real IP address and the source IP address is changed to the address configured with the inside global. This has been verified by entries in the web server logs.

What now fails to work is any outbound requests. The error I see on the PIX is:

"No translation group found for udp src inside:172.16.15.30/1340 dst outside:10.1.15.99/53"

I am puzzled as this message normally appears when NAT has not been configured yet it has been and has worked up until this point.

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list outside permit tcp any host 10.1.96.2 eq www

access-list outside deny ip any any

access-list policy-nat permit tcp any host 10.1.96.2 eq www

access-list inside permit tcp host 172.16.15.30 host 10.1.15.98 eq domain

access-list inside permit tcp host 172.16.15.30 host 10.1.15.99 eq domain

access-list inside permit udp host 172.16.15.30 host 10.1.15.99 eq domain

access-list inside permit udp host 172.16.15.30 host 10.1.15.98 eq domain

ip address outside 10.1.96.1 255.255.0.0

ip address inside 172.16.15.1 255.255.255.224

global (outside) 2 10.1.96.2

global (inside) 1 192.168.0.1

nat (outside) 1 access-list policy-nat outside 0 0

nat (inside) 2 172.16.15.30 255.255.255.255 0 0

static (inside,outside) tcp 10.1.96.2 www 172.16.15.30 www netmask 255.255.255.255 0 0

access-group outside in interface outside

access-group inside in interface inside

vitripat Thu, 03/22/2007 - 08:58

Hi There,

This is a known problem when using outside nat. Please try implementing following commands and check if this resolves the issue:

no nat (outside) 1 access-list policy-nat outside

no global (inside) 1 192.168.0.1

access-list nonat deny tcp any host 10.1.96.2 eq 80

access-list nonat permit ip any any

nat (outside) 0 access-list nonat outside

nat (outside) 1 access-list policy-nat outside

global (inside) 1 192.168.0.1

clear xlate

Let me know if this helps in resolving your issue. I'll be glad to explain once things work.

Regards,

Vibhor.

g.leonard Thu, 03/22/2007 - 10:13

Hi Vibhor

Thank you for the information. I have run the commands that you have suggested. I can now initiate outbound traffic. However the outside NAT does not work so the source IP address of a machine on the outside making an HTTP request is received by the web server unchanged.

The point of doing this was so that all requests appear to the web server with the same IP address.

Many thanks

Gary

vitripat Sat, 03/24/2007 - 09:29

Hi Gary,

That's weird. If you have syslogs, could you pass them on?

Regards,

Vibhor.

g.leonard Mon, 03/26/2007 - 01:56

Hi Vibhor

Nothing in the syslogs really - see below:

305011: Built static TCP translation from inside:172.16.15.30/80 to outside:10.1.96.2/80

302013: Built inbound TCP connection 38 for outside:10.1.102.60/1701 (10.1.102.60/1701) to inside:172.16.15.30/80 (10.1.96.2/80)

304001: 10.1.102.60 Accessed URL 10.1.96.2:/

Web Logs are consistent with the above:

#Date: 2007-03-26 08:39:57

#Fields: time c-ip s-ip s-port cs-method cs-uri-stem sc-status

08:39:57 10.1.102.60 172.16.15.30 80 GET /Default.htm 200

08:40:42 10.1.102.60 172.16.15.30 80 GET /Default.htm 304

08:41:32 10.1.102.60 172.16.15.30 80 GET /Default.htm 304

Regards

Gary
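The syslog lines above, and the "No translation group found" message quoted at the start of the thread, carry the whole diagnosis in their fields: the 302013 line shows both the real and the mapped address for each end of the connection, so whether outside NAT rewrote the client source can be read off directly by comparing the two. The following is an added example, not code from the original posts or from Cisco: a small parser for these message formats with a check for exactly that. The sample log is constructed from the lines Gary pasted (his paste drops the %PIX-<severity>- prefix, so both forms are accepted). Message IDs 305011, 302013 and 304001 appear on the page; the "No translation group found" text is assumed here to carry ID 305005, as in Cisco's numbering.

```python
"""Parse PIX syslog lines about translations and connections, and check
whether a connection's source address was actually translated.

Added example, not from the original posts. The sample lines are
constructed from the messages quoted in the thread; the 305005 ID for
"No translation group found" is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

# One real endpoint "iface:ip/port" and one mapped endpoint "(ip/port)".
# {n} is the group-name prefix; {{3}} survives .format() as the quantifier {3}.
ENDPOINT = r"(?P<{n}_if>\w+):(?P<{n}_ip>\d+(?:\.\d+){{3}})/(?P<{n}_port>\d+)"
MAPPED = r"\((?P<{n}_mip>\d+(?:\.\d+){{3}})/(?P<{n}_mport>\d+)\)"

LINE = re.compile(r"^(?:%PIX-\d-)?(?P<id>\d{6}):\s*(?P<body>.*?)\s*$")

PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # 305011: Built static TCP translation from inside:A/p to outside:B/q
    "305011": re.compile(
        r"Built (?P<kind>static|dynamic) (?P<proto>\w+) translation from "
        + ENDPOINT.format(n="real") + r" to " + ENDPOINT.format(n="mapped")
    ),
    # 302013: Built inbound TCP connection N for outside:A/p (A'/p') to inside:B/q (B'/q')
    "302013": re.compile(
        r"Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection (?P<conn>\d+) for "
        + ENDPOINT.format(n="src") + r" " + MAPPED.format(n="src") + r" to "
        + ENDPOINT.format(n="dst") + r" " + MAPPED.format(n="dst")
    ),
    # 305005 (assumed ID): No translation group found for udp src inside:A/p dst outside:B/q
    "305005": re.compile(
        r"No translation group found for (?P<proto>\w+) src "
        + ENDPOINT.format(n="src") + r" dst " + ENDPOINT.format(n="dst")
    ),
}

# Constructed sample log, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
305011: Built static TCP translation from inside:172.16.15.30/80 to outside:10.1.96.2/80
302013: Built inbound TCP connection 38 for outside:10.1.102.60/1701 (10.1.102.60/1701) to inside:172.16.15.30/80 (10.1.96.2/80)
304001: 10.1.102.60 Accessed URL 10.1.96.2:/
305005: No translation group found for udp src inside:172.16.15.30/1340 dst outside:10.1.15.99/53
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the message ID plus named fields; unknown IDs keep the raw body."""
    m = LINE.match(line.strip())
    if not m:
        return None
    msg_id, body = m.group("id"), m.group("body")
    pat = PATTERNS.get(msg_id)
    if pat is None:
        return {"id": msg_id, "body": body}
    fields = pat.match(body)
    if fields is None:
        return {"id": msg_id, "body": body}  # known ID, unexpected wording
    return {"id": msg_id, **fields.groupdict()}


def parse_log(text: str) -> List[Dict[str, str]]:
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return [e for e in events if e is not None]


def source_translated(conn: Dict[str, str]) -> bool:
    """True if a 302013 event shows the source rewritten (real != mapped).

    For outside NAT to be in effect, the inbound client address must differ
    from the address in parentheses; an identical pair means no source NAT.
    """
    assert conn["id"] == "302013", "expects a 302013 connection event"
    return conn["src_ip"] != conn["src_mip"]


def destination_translated(conn: Dict[str, str]) -> bool:
    """True if the static (destination) translation applied to a 302013 event."""
    assert conn["id"] == "302013", "expects a 302013 connection event"
    return conn["dst_ip"] != conn["dst_mip"]


def nat_failures(events: List[Dict[str, str]]) -> List[Tuple[str, ...]]:
    """Flows the PIX refused because no translation matched (305005)."""
    return [
        (e["proto"], e["src_if"], e["src_ip"], e["dst_if"], e["dst_ip"], e["dst_port"])
        for e in events
        if e["id"] == "305005"
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        if e["id"] == "302013":
            print(f"conn {e['conn']}: source translated={source_translated(e)}, "
                  f"destination translated={destination_translated(e)}")
    for f in nat_failures(evs):
        print("no xlate for %s %s:%s -> %s:%s/%s" % f)
```

Run against the sample log, the 302013 line reports the destination translated (172.16.15.30 mapped to 10.1.96.2, the static) but the source not translated (10.1.102.60 on both sides), which is the same conclusion Gary drew from the IIS log. The 305005 check pulls out the flow that was refused (udp inside:172.16.15.30 to outside:10.1.15.99/53), so the two symptoms in the thread can be watched for in a syslog feed without reading each line by hand.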

vitripat Mon, 03/26/2007 - 21:41

Thanks for the logs. Please try using these commands:

no access-list nonat deny tcp any host 10.1.96.2 eq 80

no access-list nonat permit ip any any

no nat (outside) 0 access-list nonat outside

no nat (outside) 1 access-list policy-nat outside

clear xlate

access-list nonat deny ip any host 10.1.96.2

access-list nonat permit ip any any

nat (outside) 1 access-list policy-nat outside

nat (outside) 0 access-list nonat outside

clear xlate

Let me know if this helps.

Regards,

Vibhor.

g.leonard Tue, 03/27/2007 - 02:05

Hi Vibhor

Thank you for the info. Unfortunately this just results in the same - traffic flows inbound and outbound but the outside nat fails to work anymore.

Please see a cut down of the configuration to verify:

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list outside permit tcp any host 10.1.96.2 eq www

access-list outside deny ip any any

access-list policy-nat permit tcp any host 10.1.96.2 eq www

access-list inside permit tcp host 172.16.15.30 host 10.1.15.98 eq domain

access-list inside permit tcp host 172.16.15.30 host 10.1.15.99 eq domain

access-list inside permit udp host 172.16.15.30 host 10.1.15.99 eq domain

access-list inside permit udp host 172.16.15.30 host 10.1.15.98 eq domain

access-list nonat deny ip any host 10.1.96.2

access-list nonat permit ip any any

ip address outside 10.1.96.1 255.255.0.0

ip address inside 172.16.15.1 255.255.255.224

ip audit info action alarm

ip audit attack action alarm

global (outside) 2 10.1.96.2

global (inside) 1 192.168.0.1

nat (outside) 0 access-list nonat outside

nat (outside) 1 access-list policy-nat outside 0 0

nat (inside) 2 172.16.15.30 255.255.255.255 0 0

static (inside,outside) tcp 10.1.96.2 www 172.16.15.30 www netmask 255.255.255.255 0 0

access-group outside in interface outside

access-group inside in interface inside

Regards

Gary

vitripat Tue, 03/27/2007 - 18:47

Hey Gary,

Thanks for the latest snippet of config, I was looking for that. Now this is not good. The configuration is perfect and things should work. Could you tell me what version is running on PIX? I'm afraid that we may be looking into a bug.

Regards,

Vibhor.
