cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1855
Views
0
Helpful
2
Replies

PIX-3-305005 - No translation group found for protocol


Hi,

I'm confident that I'm missing a major concept here for which I'd need a bit of assistance with.

The setup I'm playing with is as simple than the below:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 AP security50
nameif ethernet1 inside security100

[AP] - [PIX] - [INSIDE and router toward the internet]


I'm trying to use a NAT between those two legs but I'm failing miserably and the cisco scenarios samples [1] don't help me much (assuming I have read that correctly).

Each interface has been attributed its IP.

ip address AP 10.0.0.251 255.255.255.0
ip address inside 192.168.1.251 255.255.255.0


And for the sake of simplicity, I have allowed traffic in both ways  (test done from lower sec level to higher) to focus on my NAT issue for now.

access-list inside_access_in permit ip any any
access-list AP_access_in permit ip any any
access-group AP_access_in in interface AP
access-group inside_access_in in interface inside

I have defined a default route and the following two nats,

global (AP) 2 interface
global (inside) 1 192.168.1.20-192.168.1.50 netmask 255.255.255.0
nat (AP) 1 10.0.0.0 255.255.255.0 outside 0 0
nat (inside) 2 192.168.1.0 255.255.255.0 0 0

route inside 0.0.0.0 0.0.0.0 192.168.1.1 1

Now, as I understand this,

- traffic coming from 10.0.0.0/24 will get translated to 192.168.1.20-50/24
- traffic coming from 192.168.1.0/24 will get translated to 10.0.0.251 (PAT).

This, looking good (I thought:/) was ready to be tested

name 192.168.1.70 HOSTB
name 10.0.0.1 HOSTA

A ping from HOSTA to HOSTB doesn't go through.

root@HOSTA:~# ping 192.168.1.70
PING 192.168.1.70 (192.168.1.70): 56 data bytes

--- 192.168.1.70 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

Tcpdump on the inside side of the firewall see nothing leaving. So, enabling some logging I get the following on the PIX :

%PIX-6-609001: Built local-host AP:10.0.0.1
%PIX-6-305009: Built dynamic translation from AP:10.0.0.1 to inside:192.168.1.20
%PIX-3-305005: No translation group found for icmp src AP:HOSTA dst inside:HOSTB (type 8, code 0)

Huh. On that, cisco says [2] :

Error Message    %PIX-3-305005: No translation group found for protocol src
interface_name:dest_address/dest_port dst
interface_name:source_address/source_port
Explanation    A packet does not match any of the outbound nat rules.

Recommended Action    This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL.


My NAT command does matches the source IP address.
As in, 10.0.0.1 is included in 10.0.0.0/24 - which is also why I get the built dynamic translation message I suppose.

Anyway, that's where I understand that I am surely missing a concept here. Could you please shed some light on those basics for me?

Ta.


Pixbee

[1] http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml
[2] http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html

2 Replies 2

m.kafka
Level 4
Level 4

you are using only dynamic translations (both inside-nat and outside-nat), which is not a good NAT design if you actually want to establish connections. The PIX needs an active inside-global address in the XLATE-table to accept inbound connections. Your inside-local addresses are translated dynamically to a PATted inside-global. This does not establish a global address nor does it allow inbound connections.

Use statics if you want inbound sessions/connections. I'm not sure whether you version (which is end of support?) supports port statics, which you need for a PAT-environment.

Hi,

Thanks for the note.

The PIX needs an active inside-global address in the XLATE-table to accept inbound connections. Your inside-local addresses are translated dynamically to a PATted inside-global. This does not establish a global address nor does it allow inbound connections.

Use statics if you want inbound sessions/connections. I'm not sure whether you version (which is end of support?) supports port statics, which you need for a PAT-environment.

I'm not sure to fully understand that yet (sry for that).

As I understand, outbound connections from "AP" to "Inside" will have a AP global address in the XLATE-table.

Anything AP local addresses (10.x /24) get translated to the AP global addresses (which is the pool in 192.x/24).

If I attempt a ping from a device in "AP" to an address in "Inside", a look at the show xlate gives :

ERZILIE# show xlate

1 in use, 1 most used

Global 192.168.1.21 Local GANGAN

So, I would have expected that traffic to be allowed to go through using the global address as a source and translated back for the return packets.
I understand I am missing a translation rule, II don't see which one should the above statement is correct :/
Could you please attempt to explain this again, may be advising the translation you would use, when you will have a chance?
This may help me understand better.
Thank you for your time.
Pixbee.
p.s. : As per the version, this is the latest available to the 501 I'm using.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: