11-14-2009 11:20 AM - edited 03-11-2019 09:39 AM
Hi All!!!
I am running a PIX 515 failover pair running 6.3.5 and get the error message that follows:
"No translation group found for tcp src lyontwp-secure:172.16.7.69/52955 dst inside:4.2.2.2/9100"
I am trying to use NAT Exemption to bypass NAT entirely for a specific source network (172.16.7.0/24) destined to any address and get the "no translation group" error. In this test host 172.16.7.69 is sitting behind the PIX interface named lyontwp-secure.
These are the NAT exemption commands in the config:
nat (lyontwp-secure) 0 access-list NoNat
access-list NoNat permit ip 172.16.7.0 255.255.255.0 any
The config is attached........
11-14-2009 06:43 PM
try with this
static (lyontwp-secure,inside) 172.16.7.0 172.16.7.0 netmask 255.255.255.0 0 0
11-15-2009 02:41 AM
Note that the syslog says "inside:4.2.2.2" so it thinks 4.2.2.2 is on the *inside* and therefore (assuming that "inside" has a higher security-level than "lyontwp-secure")
you would need a nat entry (or nat exemption) for 4.2.2.2.
Is 4.2.2.2 really on the inside (I doubt it, unless you replaced the real address with 4.2.2.2, so just to be sure)?
-If yes, add something like
static (inside,lyontwp-secure) 4.2.2.2 4.2.2.2
-If not, then check why it thinks it is. Usually this is caused by a routing error or a wrong static nat entry. If you need help with that, please post "show route" and "show run nat", "show run static"
11-15-2009 06:24 AM
Vikram,
Thanks for the reply!
Unfortunately I already tried that and still a no go.
Hebaerte,
Likewise, thank you for the reply!
4.2.2.2 is on the inside so yes traffic is flowing from a lower security interface (internal network)
to a higher (internal network). Eventually it will hit an ASA failover pair that is bordering the internet.
I do not want this traffic natted as it passes through the internal network (gathering netflow stats) so that
is why I am trying NAT exemption from this source network to any out on the internet.
I read that traffic can flow from lower to higher (see link and snippet below) as long as you have an access-list permitting it.
http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html
"3. As the packet passed the inbound security check is passed to ASA that performs the inbound network
translation (destination NAT)."
So the question is should not NAT Exemption satisfy step 3 in this document?
11-15-2009 11:12 AM
If you don't want to translate the addresses on the lower security interface then you don't need to configure any NAT exemption or any kind of NAT for them.
But again, you *do* need to do NAT (in this case identity NAT or NAT exemption) for the addresses on the inside (higher sec interface).
So I repeat my suggestion of
static (inside, ...) 4.2.2.2 4.2.2.2
or alternatively
access-list nonat permit host 4.2.2.2 any
nat (inside) 0 access-list nonat
(it may seem counter-intuitive that you need to define this as if it is for outbound traffic, but it's just like that, this will work both ways).
Herbert
11-15-2009 01:00 PM
Thank you Herbert but I cannot enter identity NAT or NAT exemption entries for every host that exists on the internet. 4.2.2.2 was only an example of a host (not even a host we own) sitting out on the internet.
Can I not do:
access-list nonat permit ip any any
nat (inside) 0 access-list nonat
One more question, you are referencing the "inside" interface above and this traffic is being sourced (172.16.7.0/24) inbound on the lyontwp-secure interface passing through the PIX and then out the inside interface destined to 4.2.2.2. Shouldn't the commands be:
access-list nonat permit ip 172.16.7.0 255.255.255.0 any
nat (lyontwp-secure) 0 access-list nonat
If you say no then I clearly do not understand NAT on the PIX and apologize.
11-15-2009 01:29 PM
(Herbert, In my last post I did not say I appreciate your assistance and patience in assisting with this issue, I truly do...)
11-16-2009 01:58 AM
My motto is "Patience is a virtue" :)
The answer is indeed No (I did say it may seem counter-intuitive), but there is no need to apologize - I remember when I first worked with a Pix, I didn't get it either.
The one thing to remember about NAT on Pix, and I've said it before, and I'm not sure how to phrase it otherwise: you always always always (*) - need an xlate (this is what we call an entry in the translation table) for the address on the _higher_ security interface.
So for low-to-high, you need to "translate" (or exempt) the _destination_ address, not the source.
In the more common scenario, this is probably more logical, i.e. you have a webserver on the inside, and a client on the outside connecting to it; in that case you need a static(inside,outside) for the webserver address.
In your scenario, 4.2.2.2 is like the webserver on the inside, and your 172.x.x.x is the client on the "outside" (allow me to call it outside since it is easier to type - in general, whenever I say outside I mean lower security, and inside is higher security).
So what can you do:
a) you can indeed do "access-list nonat permit ip any any"
b) you could swap the security levels (I would advise to also change the name "inside" to avoid confusion later) so that the Internet (and the network between the Pix and the ASA pair) is the outside. Then you can do nat exemption for 172.x.x.x like you originally tried.
Note that in this case you may also need to put an ACL on the now-outside interface if you need to allow some traffic in the other direction.
I hope I didn't make it more complicated instead of more clear... let me know.
Herbert
(*) well, as with all rules there is an exception - but not on Pix 6; in version 8 IIRC you can disable nat-control and then this requirement is no longer true.
11-15-2009 10:58 PM
did you get the same error message " No translation group found " with the static too.
I believe you must be doing some kind of nat for "lyontwp-secure" network.
and also check the nat VS Static. section at this link
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1185638
11-19-2009 04:33 PM
Just as an aside..you do realize that the address 4.2.2.2 is a very popular public DNS server...right?
11-19-2009 05:57 PM
You have the INTERNET on the inside? I hope not !!
Topology:
1. The default route "route inside 0.0.0.0 0.0.0.0 10.0.6.1 1"
says that 4.2.2.2 lives on the inside.
4.2.2.2---(inside/100)--PIX--(lyontwp-secure/60)
2. nat (lyontwp-secure) 0 access-list NoNat
access-list NoNat permit ip 172.16.7.0 255.255.255.0 any
This NoNat acl will only be hit if the flow is from lyontwp-secure (60) to another interface with a lower security level than 60, like outside-it.
3. We do not translate the flow from low security to high security so, you need to provide static identity translation from high to low like
static (inside,lyontwp-secure) 0.0.0.0 0.0.0.0
for all the IPs that live on the inside.
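The nat-control rule that Herbert and the last reply describe (the end of the flow on the higher-security interface always needs an xlate, the low-security end never does), as an added example that is not from this thread or from Cisco. It is a toy model, not PIX code: it assumes the interface names and security levels given above (inside 100, lyontwp-secure 60), models only identity NAT (nat 0 access-list and identity statics), and reproduces the "No translation group found" outcome for the original poster's config beside the fixes suggested in the replies.

```python
import ipaddress

class Pix:
    """Toy model of the PIX 6.x nat-control xlate check discussed in this thread.
    Only identity translations (nat 0 access-list and identity statics) are modelled."""

    def __init__(self, levels):
        self.levels = levels   # interface name -> security level, e.g. {"inside": 100, "lyontwp-secure": 60}
        self.nat0 = {}         # interface -> [(src_net, dst_net)] from "nat (if) 0 access-list X"
        self.statics = []      # (high_if, low_if, net) from "static (high,low) A A netmask M"

    def nat_exempt(self, iface, src, dst="0.0.0.0/0"):
        """nat (iface) 0 access-list with one 'permit ip src dst' line. The ACL is written
        from the viewpoint of traffic leaving iface, so src is the address on that interface."""
        self.nat0.setdefault(iface, []).append(
            (ipaddress.ip_network(src), ipaddress.ip_network(dst)))

    def static_identity(self, high_if, low_if, net):
        """static (high_if,low_if) X X netmask M, i.e. an identity static for net."""
        self.statics.append((high_if, low_if, ipaddress.ip_network(net)))

    def lookup(self, src_if, src_ip, dst_if, dst_ip):
        """Return (allowed, reason). Whichever end of the flow sits on the higher-security
        interface must have an xlate; the end on the lower-security interface needs none."""
        if self.levels[src_if] > self.levels[dst_if]:
            high_if, high_ip, low_if, low_ip = src_if, src_ip, dst_if, dst_ip
        else:
            high_if, high_ip, low_if, low_ip = dst_if, dst_ip, src_if, src_ip
        high_ip, low_ip = ipaddress.ip_address(high_ip), ipaddress.ip_address(low_ip)
        # "nat (high_if) 0" exemptions are matched as if the flow were outbound from
        # high_if, which is why they also cover low-to-high flows ("works both ways").
        # A nat 0 entry on the low-security interface is never consulted here.
        for src_net, dst_net in self.nat0.get(high_if, []):
            if high_ip in src_net and low_ip in dst_net:
                return True, f"nat ({high_if}) 0 exemption covers {high_ip}"
        for h, l, net in self.statics:
            if h == high_if and l == low_if and high_ip in net:
                return True, f"static ({h},{l}) identity covers {high_ip}"
        return False, (f"No translation group found for src {src_if}:{src_ip} "
                       f"dst {dst_if}:{dst_ip}")
```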