Skip to main content

PIX-3-305005 - No translation group found for protocol

More
14 years 6 months ago #34651 by pixbee
Hi,

I'm confident that I'm missing a major concept here for which I'd need a bit of assistance with. This should be an easy one to explain.

The setup I'm playing with is as simple than the below

[code:1]PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 AP security50
nameif ethernet1 inside security100

[AP] - [PIX] - [INSIDE]
[/code:1]

I'm trying to use a NAT between those two legs but I'm failing miserably and the cisco scenarios samples [1] don't help me much (assuming I have read that correctly).

Each interface has been attributed its IP.

[code:1]ip address AP 10.0.0.251 255.255.255.0
ip address inside 192.168.1.251 255.255.255.0
[/code:1]

And for the sake of simplicity, I have allowed traffic in both ways (test done from lower sec level to higher) to focus on my NAT issue for now.

[code:1]access-list inside_access_in permit ip any any
access-list AP_access_in permit ip any any
access-group AP_access_in in interface AP
access-group inside_access_in in interface inside[/code:1]

I have defined a default route and the following two nats,

[code:1]global (AP) 2 interface
global (inside) 1 192.168.1.20-192.168.1.50 netmask 255.255.255.0
nat (AP) 1 10.0.0.0 255.255.255.0 outside 0 0
nat (inside) 2 192.168.1.0 255.255.255.0 0 0

route inside 0.0.0.0 0.0.0.0 192.168.1.1 1[/code:1]

Now, as I understand this,
    - traffic coming from 10.0.0.0/24 will get translated to 192.168.1.20-50/24
    - traffic coming from 192.168.1.0/24 will get translated to 10.0.0.251 (PAT).

This looking good (I thought, you may have spot the issue already :/) I went and test with,

[code:1]name 192.168.1.70 HOSTB
name 10.0.0.1 HOSTA
[/code:1]
A ping from HOSTA to HOSTB doesn't go through.

[code:1]root@HOSTA:~# ping 192.168.1.70
PING 192.168.1.70 (192.168.1.70): 56 data bytes

--- 192.168.1.70 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss[/code:1]

Tcpdump on the inside side of the firewall see nothing leaving.
Enabling some logging I get the following on the PIX :

[code:1]%PIX-6-609001: Built local-host AP:10.0.0.1
%PIX-6-305009: Built dynamic translation from AP:10.0.0.1 to inside:192.168.1.20
%PIX-3-305005: No translation group found for icmp src AP:HOSTA dst inside:HOSTB (type 8, code 0)[/code:1]

Huh. On that, cisco says [2] :

Error Message %PIX-3-305005: No translation group found for protocol src
interface_name:dest_address/dest_port dst
interface_name:source_address/source_port
Explanation A packet does not match any of the outbound nat rules.

Recommended Action This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL.


My NAT command does matches the source IP address. As in, 10.0.0.1 is included in 10.0.0.0/24 - which is also why I get the built dynamic translation message I suppose.


Anyway, that's where I understand that I am surely missing a concept here. Could you please shed some light on those basics for me?

Ta.

pixbee.

[1] www.cisco.com/en/US/products/hw/vpndevc/...186a00800b6e1a.shtml
[2] www.cisco.com/en/US/docs/security/pix/pi...essage/pixemsgs.html
More
14 years 6 months ago #34653 by S0lo
Hi pixbee,

Assuming the AP is (or will) be connected to the outside/internet. The default route needs to be fixed, like this:

[code:1]route AP 0.0.0.0 0.0.0.0 10.0.0.x 1[/code:1]

Replace 10.0.0.x with the AP's interface IP (not 10.0.0.251).

Second, outside NAT is not needed for a basic setup. Remove the following commands:

[code:1]global (inside) 1 192.168.1.20-192.168.1.50 netmask 255.255.255.0
nat (AP) 1 10.0.0.0 255.255.255.0 outside 0 0 [/code:1]

If that doesn't work, then post your full config so that we have a full look at it.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
14 years 6 months ago #34654 by pixbee
Hi Solo,

Thanks for the note.

I guess I should amend the first "topo" by the below if it gives a better picture.

[AP] - [PIX] - [ROUTER Internet]

I can only concede that the names are misleading (sry for that). So to answer, no, AP is not connected to the outside directly. The route would therefore be correct and is actually directing the traffic from AP to the router connected to the Internet. Also, I'd like to keep that pool NAT in place for the router not to see the AP side addresses if that make sense.

I'm attaching the full config hoping it will help better.

Thank you again for your time!

pixbee.
More
14 years 6 months ago #34656 by S0lo
Ooops, so it's the other way arround!!. Inside is outside.

Better post your full config. Just copy/paste it here.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
14 years 6 months ago #34657 by pixbee
Thought an attachment would have been cleaner! :)

Here's the content of the file then.

Thank you!

Pixbee.


[code:1]: Saved
: Written by enable_15 at 18:09:58.711 UTC Mon May 31 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 AP security50
nameif ethernet1 inside security100
enable password X encrypted
passwd P encrypted
hostname ERZILIE
domain-name v.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.70 MAWU
name 192.168.1.254 BT-ROUTER
name 192.168.1.79 SYSLOG
name 10.0.0.1 GANGAN
object-group service web-traffic-from-AP tcp
description Traffic web from AP
port-object eq www
port-object eq https
access-list inside_access_in permit ip any any
access-list AP_access_in permit ip any any
access-list capture permit icmp any host MAWU
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside SYSLOG
mtu AP 1500
mtu inside 1500
ip address AP 10.0.0.251 255.255.255.0
ip address inside 192.168.1.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location SYSLOG 255.255.255.255 inside
pdm location GANGAN 255.255.255.255 AP
pdm history enable
arp timeout 14400
global (AP) 2 interface
global (inside) 1 192.168.1.20-192.168.1.50 netmask 255.255.255.0
nat (AP) 1 10.0.0.0 255.255.255.0 outside 0 0
nat (inside) 2 192.168.1.0 255.255.255.0 0 0
access-group AP_access_in in interface AP
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 BT-ROUTER 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside SYSLOG TFTP
floodguard enable
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
terminal width 80
Cryptochecksum:B
: end[/code:1]
More
14 years 6 months ago #34663 by S0lo
Ok,

First I would recommend you physically switch the 2 ports. In other words, Connect the AP to Ethernet1 and connect the router/internet to Ethernet0. (You can do switching, in the config too, but it probably involves more complications regarding auto and 100full). Physical should be easier.

Then do the following:

[code:1]nameif ethernet0 outside security50
nameif ethernet1 AP security100 [/code:1]

The AP is your inside now. Then do

[code:1]ip address AP 10.0.0.251 255.255.255.0
ip address outside 192.168.1.251 255.255.255.0 [/code:1]

Then for NAT:

[code:1]nat (AP) 1 10.0.0.0 255.255.255.0 0 0
global (outside) 1 interface [/code:1]

Thats the only NAT (PAT) you need for a basic setup without inside servers. Note that I'm assuming here that the internet router is NOT doing NAT. If it is, then you can ignore NAT on the Pix by using identity NAT.

Then replace the keyword inside with outside in the ACLs and default route. Like this:

[code:1]access-list outside_access_in permit ip any any
access-group outside_access_in in interface outside[/code:1]

And

[code:1]route outside 0.0.0.0 0.0.0.0 BT-ROUTER 1 [/code:1]

And if you want, you can change the name AP to inside in all of the config.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
Time to create page: 0.136 seconds