The computers on the remaining vlans use ISA_Server for access to the internet.
The syslog server has tremendous amounts of the following messages:
Error Message %PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port
Explanation A packet does not match any of the outbound nat rules.
Recommended Action This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL.
To remove the enormous amount of messages I will use the no logging message 305005 command. However, this configuration change will not stop the actual events from happening.
Is this type of message common, or do I have a misconfiguration on the PIX itself, or are there changes that need to be made on the routers?
As I see it, a client makes an HTTP request to the internet. The browser has the proxy IP. The traffic is directed to the proxy. The proxy requests the page.
Is this correct?
Why does the firewall deny a translation for the client on the PIX?
Without looking at a trace of the traffic, I think your assumption is correct. The PIX sees traffic initiated by the ISA returning on its outside interface. Because it didn't exit the PIX, there is no dynamic ACL created for that returning traffic and it fails. Other than the syslog messages, are you seeing anything fail on the client side?
BTW If I were offered the opportunity I would make every attempt to scrap the ISA server.
The trace should help, although I am surprised that clients are not experiencing any problems.
I currently work for M'soft in Enterprise Network Support, supporting ISA. ISA unnecessarily complicates the network, unless you're exclusively using it as a web proxy to restrict web traffic, and even in that case I would use Websense instead. I am simply speaking from opinion ;-)
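Before the message is suppressed with no logging message 305005, the logged events can be tallied to see which source hosts, protocols and destination ports are arriving without a matching translation rule. This is an added example, not code from the thread: the sample log lines are constructed, and the regex assumes the message layout quoted in the first post (with the port treated as optional).

```python
import re
from collections import Counter

# Field layout follows the message template quoted in the thread:
#   %PIX-3-305005: No translation group found for <protocol>
#   src <interface>:<address>/<port> dst <interface>:<address>/<port>
# Assumption: the /port part may be absent (e.g. ICMP), so it is optional.
MSG_305005 = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

# Constructed sample lines (not taken from the thread); all addresses are
# private or documentation ranges.
SAMPLE_LOG = """\
Mar 03 10:15:01 pix1 %PIX-3-305005: No translation group found for tcp src inside:192.168.20.14/3312 dst outside:192.0.2.80/80
Mar 03 10:15:01 pix1 %PIX-3-305005: No translation group found for tcp src inside:192.168.20.14/3313 dst outside:192.0.2.80/80
Mar 03 10:15:02 pix1 %PIX-3-305005: No translation group found for tcp src inside:192.168.20.14/3314 dst outside:198.51.100.7/443
Mar 03 10:15:04 pix1 %PIX-3-305005: No translation group found for udp src inside:192.168.30.9/1045 dst outside:192.0.2.53/53
Mar 03 10:15:05 pix1 %PIX-6-302013: Built outbound TCP connection 4411 for outside:192.0.2.80/80 (192.0.2.80/80) to inside:192.168.10.5/1025 (198.51.100.5/1025)
Mar 03 10:15:06 pix1 %PIX-3-305005: No translation group found for icmp src inside:192.168.30.9 dst outside:192.0.2.1 (type 8, code 0)
"""


def parse_305005(text):
    """Return one dict of fields per 305005 line; all other lines are skipped."""
    matches = (MSG_305005.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def summarize(events, top=5):
    """Rank (src interface, src address, dst interface, protocol, dst port)
    by event count, so the hosts and services missing a nat/static/nat 0
    match stand out from one-off noise."""
    counts = Counter(
        (e["src_if"], e["src_ip"], e["dst_if"], e["proto"], e["dst_port"])
        for e in events
    )
    return counts.most_common(top)


if __name__ == "__main__":
    for (src_if, src_ip, dst_if, proto, dport), n in summarize(parse_305005(SAMPLE_LOG)):
        print(f"{n:5d}  {src_if}:{src_ip} -> {dst_if} {proto}/{dport or '-'}")
```

Sources that dominate the ranking are the ones to compare against the nat, static and nat 0 ACL entries named in the Recommended Action text.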