No translation group found - Possible attack?

I am periodically getting entries in my syslog like the following:

%PIX-3-305005: No translation group found for icmp src outside:10.4.188.13 dst inside:10.4.189.51 (type 5, code 0)

I've seen this error before, but this time it's weird because both of those addresses are private and on the inside interface. Could someone be spoofing the 10.4.188.13 address, or is it more likely that I have something configured incorrectly?

During one such instance of this "attack" I got an entry per second for about 4 minutes. I added the following line to my ACL on the outside interface, but the entries still appear.

access-list acl_outside deny ip 10.4.188.0 255.255.252.0 any

Any ideas?

Thanks,

Kory

3 REPLIES

Re: No translation group found - Possible attack?

Hi Kory,

Your network is being port scanned from the outside; I presume your PIX is denying this!

Add this to your config to make your inside network invisible to the outside : icmp deny any outside

Also, as a security check, go to http://www.grc.com and test your network using 'Shields Up' for any 'holes' in your network. grc.com Shields Up uses a secure connection and I've used it for network penetration testing.

Do the test first without the above-mentioned command and then with the command configured. Make sure to save the config with the command 'write memory'; it is also worth running the command 'clear xlate'.

Hope this helps, Thanks - Jay.


Re: No translation group found - Possible attack?

Jay,

I ran the Shields Up scan and there were no open ports detected. What's strange though is I use NAT and those internal addresses should be blind to the outside world. But just to confirm, you think someone is spoofing my 10.4.188.13 address?

Thanks,

Kory


Re: No translation group found - Possible attack?

Hi Kory,

No, you are not being spoofed. Basically some inside client is sending ICMP traffic to another inside client and there's no translation in the PIX config for this, so it shows up as the stated error message: PIX-3-305005: no translation group.

Sorry, I read your question too quickly... But if you want your inside network to be invisible to the outside world (a good idea), then execute the aforementioned command, i.e. icmp deny any outside; this way, if anyone from the outside tries to scan your inside network using ICMP, they'll be denied.

Thanks, Jay.
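The thread turns on reading one syslog line correctly: which interface the packet arrived on, which protocol it was, and what the ICMP type means (type 5 in Kory's line is ICMP Redirect per RFC 792). The script below is an added example, not code from the thread or from Cisco, that parses %PIX-3-305005 messages and labels each one by what the interface and address fields say: an RFC1918 source arriving on the outside interface (the combination Kory reports, which no Internet host can legitimately have), an inside-to-inside flow that never needed a translation, or an ordinary missing NAT rule. The optional "/port" handling for tcp/udp variants of the message and the sample lines are assumptions constructed for the example; only the icmp line is quoted from the page.

```python
import ipaddress
import re
from collections import Counter

# Pattern for the PIX 305005 message. The field layout is taken from the one
# line quoted in the question; the optional "/port" parts are an assumption so
# that tcp/udp variants of the same message also parse.
MSG_305005 = re.compile(
    r"%PIX-3-305005: No translation group found for "
    r"(?P<proto>\w+) src (?P<src_if>\w+):(?P<src>\d+(?:\.\d+){3})(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>\d+(?:\.\d+){3})(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
)

# RFC 1918 private ranges; these never appear as a genuine source on the Internet side.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Common ICMP type numbers from RFC 792; type 5 is the one in Kory's log line.
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 5: "redirect", 8: "echo-request", 11: "time-exceeded"}


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_305005(line: str):
    """Return the fields of a 305005 message as a dict, or None if the line is not one."""
    m = MSG_305005.search(line)
    if not m:
        return None
    ev = m.groupdict()
    if ev["itype"] is not None:
        ev["itype"] = int(ev["itype"])
        ev["icode"] = int(ev["icode"])
        ev["icmp_name"] = ICMP_TYPES.get(ev["itype"], "other")
    return ev


def classify(ev) -> str:
    """Label why a 305005 message is worth a look.

    'private-src-on-outside': an RFC1918 source arrived on the outside interface;
        the packet is spoofed or leaked in by a neighbour, and an ingress ACL on
        the outside interface is the right place to drop it.
    'inside-to-inside': both interfaces are inside; no NAT rule matched because
        the flow never needed one.
    'no-nat-rule': anything else, i.e. a genuine missing translation.
    """
    if ev["src_if"] == "outside" and is_rfc1918(ev["src"]):
        return "private-src-on-outside"
    if ev["src_if"] == "inside" and ev["dst_if"] == "inside":
        return "inside-to-inside"
    return "no-nat-rule"


def summarize(lines):
    """Parse a batch of syslog lines and count (verdict, src, dst) triples."""
    counts = Counter()
    for line in lines:
        ev = parse_305005(line)
        if ev is None:
            continue
        counts[(classify(ev), ev["src"], ev["dst"])] += 1
    return counts


# Constructed sample: Kory's line repeated as he describes it (one per second),
# a tcp variant to exercise the port handling, and an unrelated message that
# the parser must ignore. These are not logs from the page.
SAMPLE = [
    "%PIX-3-305005: No translation group found for icmp src outside:10.4.188.13 dst inside:10.4.189.51 (type 5, code 0)"
] * 5 + [
    "%PIX-3-305005: No translation group found for tcp src inside:10.4.189.20/40123 dst outside:198.51.100.7/443",
    "%PIX-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 to inside:10.4.189.20/40123",
]

if __name__ == "__main__":
    for (verdict, src, dst), n in summarize(SAMPLE).items():
        print(f"{n:3d}  {verdict:<24} {src} -> {dst}")
```

Run against a syslog export, a burst of 'private-src-on-outside' lines for one source/destination pair, like the one-per-second run Kory saw, is the thing to investigate; 'inside-to-inside' and 'no-nat-rule' point at the NAT configuration rather than at an outsider.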
