PIX 6.3.5 NAT Exemption Problem (Non VPN)

pguibord
Level 1

Hi All!!!

I am running a PIX 515 failover pair running 6.3.5 and get the error message that follows:

"No translation group found for tcp src lyontwp-secure:172.16.7.69/52955 dst inside:4.2.2.2/9100"

I am trying to use NAT Exemption to bypass NAT entirely for a specific source network (172.16.7.0/24) destined to any address and get the "no translation group" error. In this test host 172.16.7.69 is sitting behind the PIX interface named lyontwp-secure.

These are the NAT exemption commands in the config:

nat (lyontwp-secure) 0 access-list NoNat

access-list NoNat permit ip 172.16.7.0 255.255.255.0 any

The config is attached........

10 Replies

try with this

static (lyontwp-secure,inside) 172.16.7.0 172.16.7.0 netmask 255.255.255.0 0 0

Herbert Baerten
Cisco Employee

Note that the syslog says "inside:4.2.2.2" so it thinks 4.2.2.2 is on the *inside* and therefore (assuming that "inside" has a higher security-level than "lyontwp-secure") you would need a nat entry (or nat exemption) for 4.2.2.2.

Is 4.2.2.2 really on the inside (I doubt it, unless you replaced the real address with 4.2.2.2, so just to be sure)?

-If yes, add something like

static(inside,lyontwp-secure) 4.2.2.2 4.2.2.2

-If not, then check why it thinks it is. Usually this is caused by a routing error or a wrong static nat entry. If you need help with that, please post "show route" and "show run nat", "show run static"

Vikram,

Thanks for the reply!

Unfortunately I already tried that and still a no go.

Hebaerte,

Likewise, thank you for the reply!

4.2.2.2 is on the inside so yes traffic is flowing from a lower security interface (internal network) to a higher (internal network). Eventually it will hit an ASA failover pair that is bordering the internet.

I do not want this traffic natted as it passes through the internal network (gathering netflow stats) so that is why I am trying NAT exemption from this source network to any out on the internet.

I read that traffic can flow from lower to higher (see link and snippet below) as long as you have an access-list permitting it.

http://www.enterastream.com/whitepapers/cisco/pix/pix-practical-guide.html

"3. As the packet passed the inbound security check is passed to ASA that performs the inbound network translation (destination NAT)."

So the question is should not NAT Exemption satisfy step 3 in this document?

If you don't want to translate the addresses on the lower security interface then you don't need to configure any NAT exemption or any kind of NAT for them.

But again, you *do* need to do NAT (in this case identity NAT or NAT exemption) for the addresses on the inside (higher sec interface).

So I repeat my suggestion of

static (inside, ...) 4.2.2.2 4.2.2.2

or alternatively

access-list nonat permit host 4.2.2.2 any

nat (inside) 0 access-list nonat

(it may seem counter-intuitive that you need to define this as if it is for outbound traffic, but it's just like that, this will work both ways).

Herbert

Thank you Herbert but I cannot enter identity NAT or NAT exemption entries for every host that exists on the internet. 4.2.2.2 was only an example of a host (not even a host we own) sitting out on the internet.

Can I not do:

access-list nonat permit ip any any

nat (inside) 0 access-list nonat

One more question, you are referencing the "inside" interface above and this traffic is being sourced (172.16.7.0/24) inbound on the lyontwp-secure interface, passing through the PIX and then out the inside interface destined to 4.2.2.2. Shouldn't the commands be:

access-list nonat permit ip 172.16.7.0 255.255.255.0 any

nat (lyontwp-secure) 0 access-list nonat

If you say no then I clearly do not understand NAT on the PIX and apologize.

(Herbert, In my last post I did not say I appreciate your assistance and patience in assisting with this issue, I truly do...)


My motto is "Patience is a virtue" :)

The answer is indeed No (I did say it may seem counter-intuitive), but there is no need to apologize - I remember when I first worked with a Pix, I didn't get it either.

The one thing to remember about NAT on Pix, and I've said it before, and I'm not sure how to phrase it otherwise: you always always always (*) - need an xlate (this is what we call an entry in the translation table) for the address on the _higher_ security interface.

So for low-to-high, you need to "translate" (or exempt) the _destination_ address, not the source.

In the more common scenario, this is probably more logical, i.e. you have a webserver on the inside, and a client on the outside connecting to it; in that case you need a static(inside,outside) for the webserver address.

In your scenario, 4.2.2.2 is like the webserver on the inside, and your 172.x.x.x is the client on the "outside" (allow me to call it outside since it is easier to type - in general, whenever I say outside I mean lower security, and inside is higher security).

So what can you do:

a) you can indeed do "access-list nonat permit ip any any"

b) you could swap the security levels (I would advise to also change the name "inside" to avoid confusion later) so that the Internet (and the network between the Pix and the ASA pair) is the outside. Then you can do nat exemption for 172.x.x.x like you originally tried.

Note that in this case you may also need to put an ACL on the now-outside interface if you need to allow some traffic in the other direction.

I hope I didn't make it more complicated instead of more clear... let me know.

Herbert

(*) well, as with all rules there is an exception - but not on Pix 6; in version 8 IIRC you can disable nat-control and then this requirement is no longer true.

Did you get the same error message "No translation group found" with the static too?

I believe you must be doing some kind of nat for "lyontwp-secure" network.

Also check the "nat vs. static" section at this link:

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1185638

Just as an aside..you do realize that the address 4.2.2.2 is a very popular public DNS server...right?

You have the INTERNET on the inside? I hope not !!

Topology:

1. The default route

route inside 0.0.0.0 0.0.0.0 10.0.6.1 1

says that 4.2.2.2 lives on the inside.

4.2.2.2---(inside/100)--PIX--(lyontwp-secure/60)

2. nat (lyontwp-secure) 0 access-list NoNat

access-list NoNat permit ip 172.16.7.0 255.255.255.0 any

This NoNat acl will only be hit if the flow is from Lyontwp-secure (60) to other lower sec. interface than 60 like outside-it.

3. We do not translate the flow from low security to high security so, you need to provide static identity translation from high to low like

static (inside,lyontwp-secure) 0.0.0.0 0.0.0.0

for all the IPs that live on the inside.
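Herbert's rule (under nat-control the address on the higher-security interface always needs an xlate, whichever way the flow goes) and the topology summary above can be checked against each configuration proposed in this thread with the following simplified model. It is an added example, not code from the thread or from Cisco; it models only nat 0 access-lists and identity statics, and deliberately ignores routing, ACL permits and dynamic nat/global pools.

```python
# Added example, not from the thread or from Cisco: a deliberately simplified model of the
# PIX 6.x nat-control rule discussed above (the address on the HIGHER-security interface
# always needs an xlate, whichever direction the flow goes). Routing, interface ACLs and
# dynamic nat/global pools are ignored; only nat 0 access-lists and identity statics exist.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

def net(s):
    # "any" or a CIDR / single address as written in an access-list line
    return ip_network("0.0.0.0/0") if s == "any" else ip_network(s, strict=False)

@dataclass
class Pix:
    sec: dict                                   # interface name -> security level
    nat0: dict = field(default_factory=dict)    # iface -> [(src_net, dst_net)] from its nat 0 ACL
    statics: list = field(default_factory=list) # [(high_if, low_if, net)] identity statics

    def _covered(self, iface, addr, peer_if, peer):
        # nat 0 ACL lines are written as if for outbound traffic: src = a host on this interface
        for src, dst in self.nat0.get(iface, []):
            if addr in src and peer in dst:
                return True
        for high_if, low_if, n in self.statics:
            if high_if == iface and low_if == peer_if and addr in n:
                return True
        return False

    def has_xlate(self, src_if, src, dst_if, dst):
        """True if the flow gets a translation group, False if it would log 'No translation group found'."""
        src, dst = ip_address(src), ip_address(dst)
        if self.sec[src_if] > self.sec[dst_if]:          # high -> low: xlate for the source
            return self._covered(src_if, src, dst_if, dst)
        return self._covered(dst_if, dst, src_if, src)   # low -> high: xlate for the destination

LEVELS = {"inside": 100, "lyontwp-secure": 60}
FLOW = ("lyontwp-secure", "172.16.7.69", "inside", "4.2.2.2")   # the flow from the syslog line

def original():              # nat (lyontwp-secure) 0 access-list NoNat; permit ip 172.16.7.0/24 any
    return Pix(LEVELS, nat0={"lyontwp-secure": [(net("172.16.7.0/24"), net("any"))]}).has_xlate(*FLOW)

def fix_identity_static():   # static (inside,lyontwp-secure) 0.0.0.0 0.0.0.0
    return Pix(LEVELS, statics=[("inside", "lyontwp-secure", net("any"))]).has_xlate(*FLOW)

def fix_nat0_inside_any():   # nat (inside) 0 access-list nonat; permit ip any any
    return Pix(LEVELS, nat0={"inside": [(net("any"), net("any"))]}).has_xlate(*FLOW)

def fix_swap_levels():       # make lyontwp-secure the higher-security side, keep the original nat 0
    swapped = {"inside": 60, "lyontwp-secure": 100}
    return Pix(swapped, nat0={"lyontwp-secure": [(net("172.16.7.0/24"), net("any"))]}).has_xlate(*FLOW)
```

Only `original()` returns False, which is the situation in the syslog line; each of the three fixes proposed in the thread returns True because it supplies an xlate for whichever address ends up on the higher-security side.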
