• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 367

pix

Hi, I am getting the following error on my PIX firewall. It's a 525 running v7 with nat-control available.

2007-10-02 12:43:05      Local3.Error      10.52.165.132      Oct 02 2007 12:49:24: %PIX-3-305005: No translation group found for tcp src outside:10.145.221.210/1246 dst dmz3:20.138.210.85/80

Enclosed is a static NAT translation for the above. Not sure why I am getting this message.

static (inside,dmz3) 10.52.0.0 10.52.0.0 netmask 255.255.0.0
static (inside,dmz3) 10.52.130.75 10.52.130.69 netmask 255.255.255.255

Thanks

Asked: billythehamster
1 Solution
 
billythehamster (Author) Commented:
A little more info, I need the PIX to route the traffic from 10.145.221.210 to 20.138.210.85 from the outside to the dmz3 network without any translation.
0
 
grblades Commented:
Can you post your current configuration. Or at least say what IP ranges you have assigned to each interface.
0
 
billythehamster (Author) Commented:
interface Ethernet0
 nameif outside
 security-level 0
 ip address 195.104.xx.xx 255.255.254.0 standby xx.xx.xx.xx
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.52.165.132 255.255.255.248 standby 10.52.165.133
!
interface Ethernet2
 nameif dmz2
 security-level 50
 ip address 192.168.253.254 255.255.255.0 standby 192.168.253.253
!
interface Ethernet3
 nameif dmz3
 security-level 75
 ip address 10.52.165.17 255.255.255.240 standby 10.52.165.19
!
interface Ethernet4
 nameif dmz4
 security-level 25
 ip address 192.168.251.254 255.255.255.0 standby 192.168.251.253
0
 
billythehamster (Author) Commented:
Here is the static route in the PIX that is applicable to this error:

route dmz3 20.138.210.85 255.255.255.255 10.52.165.20 1

0
 
billythehamster (Author) Commented:
Here is the correct static nat translation:

static (dmz3,outside) 10.145.0.0 10.145.0.0 netmask 255.255.0.0

0
 
billythehamster (Author) Commented:
But I am still having problems.
0
 
grblades Commented:
Where did 10.145.0.0 come from?
0
 
billythehamster (Author) Commented:
Someone else has entered that element of the config. But seeing that that is the IP address that the user is connecting from, I imagine that's why it is not working. Please can someone else confirm this?
0
 
grblades Commented:
Do you have any other 'route' commands other than the one you posted earlier to the dmz3 interface?

If not, then you will need to add one so the PIX knows how to get to 10.145.221.210.
0
 
billythehamster (Author) Commented:
There is a default route to the core switch, which knows about those networks. The translation error is related to NAT, not routing.
0
 
grblades Commented:
Ok, I think you had it almost correct with the last static command you posted, but just had the interfaces specified the wrong way round. Try this :-

no static (dmz3,outside) 10.145.0.0 10.145.0.0 netmask 255.255.0.0
static (outside,dmz3) 10.145.0.0 10.145.0.0 netmask 255.255.0.0
0
 
billythehamster (Author) Commented:
Why is it in the format static (outside,dmz3)? Just when I think I have got my head around PIX NAT translations it all seems to change!
0
 
grblades Commented:
Sorry, I got it wrong this time. Your first static command was correct.

After changing any of the static mappings it is advisable to issue the command 'clear xlate' to clear and rebuild the translation table in memory.
0
 
billythehamster (Author) Commented:
Phew, I already find PIX NAT translation confusing!!!! Seeing as the 20.138.0.0/16 network is on the dmz3 interface and the 10.145 address is coming from the outside, do I not need a statement like this as well:

static (dmz3,outside) 20.138.0.0  20.138.0.0 netmask 255.255.0.0
0
 
grblades Commented:
Take the following example :-
static (inside,dmz) yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx netmask 255.255.0.0 0 0
This means translate the source IP address xxx.xxx.xxx.xxx of any packet coming into the inside interface and translate it to yyy.yyy.yyy.yyy going out the dmz interface.
Traffic to yyy.yyy.yyy.yyy coming in the dmz interface gets translated to xxx.xxx.xxx.xxx and passed out the inside interface.

Now, these commands are only needed to override any default NAT you have already applied to the PIX using the 'global' and 'nat' commands.
I think it would be best if you could post your complete configuration as that would be far easier to understand.
0
 
billythehamster (Author) Commented:
The complete PIX config is 42 pages of A4 when I print it out!! There are 4 rather large networks that the PIX is protecting. What you are saying is that the PIX translations work both ways. Seeing as I am getting the following error:
2007-10-02 12:43:05      Local3.Error      10.52.165.132      Oct 02 2007 12:49:24: %PIX-3-305005: No translation group found for tcp src outside:10.145.221.210/1246 dst dmz3:20.138.210.85/80

How would you create NAT rules so that traffic coming from the outside interface (network 10.145.0.0/16) going to the dmz3 interface (20.138.0.0/16) doesn't get translated and the same vice versa? I can then compare this to the NAT rules I have in place. If it is helpful I can put both the global and static nat statements from the PIX on the post.
0
 
grblades Commented:
You could add this :-
static (dmz3,outside) 20.138.0.0  20.138.0.0 netmask 255.255.0.0
I think that's the correct way, as the dmz interface has the higher of the two security levels.

However, that error message may not indicate that there is a NAT issue. The error really indicates that it is receiving data that it does not know what to do with. It could be a case that the NAT is fine but it does not know that it should be routing the data to the dmz3 interface. I would therefore check all the route commands that have been entered.

I'll be back online in the morning (UK time).
0
 
billythehamster (Author) Commented:
Cheers for the help so far. I posted it earlier in the post, but here is the route command for the firewall:

route dmz3 20.138.210.85 255.255.255.255 10.52.165.20 1

So it must be a NAT issue.
0
 
grblades Commented:
What about a route to 10.145?
Do you have a default route as well?
0
 
billythehamster (Author) Commented:
Yes there is a default route on the outside interface to the core router.
0
 
grblades Commented:
All I can suggest is you try disabling NAT in both directions between those two IP ranges :-

static (dmz3,outside) 20.138.0.0  20.138.0.0 netmask 255.255.0.0
static (outside,dmz3) 10.145.0.0 10.145.0.0 netmask 255.255.0.0
clear xlate

If that doesn't work, perhaps you can post your config excluding the ACLs, which I am guessing are the bulk of it.
0
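Added example, not code from this thread: a small Python triage helper that parses a %PIX-3-305005 line and checks, using the direction rules grblades gave above for a static statement (traffic entering the real interface is matched on the real address, traffic entering the mapped interface on the mapped address), whether any of the posted statics covers the destination and the source of the logged flow. The log line and the static statements are constructed copies of the ones posted in this thread.

```python
import ipaddress
import re

# Constructed sample data, copied from the lines posted in this thread.
LOG_LINE = ("2007-10-02 12:43:05 Local3.Error 10.52.165.132 Oct 02 2007 12:49:24: %PIX-3-305005: "
            "No translation group found for tcp src outside:10.145.221.210/1246 dst dmz3:20.138.210.85/80")
STATICS_BEFORE = [
    "static (inside,dmz3) 10.52.0.0 10.52.0.0 netmask 255.255.0.0",
]
STATICS_AFTER = STATICS_BEFORE + [
    "static (dmz3,outside) 20.138.0.0 20.138.0.0 netmask 255.255.0.0",
    "static (outside,dmz3) 10.145.0.0 10.145.0.0 netmask 255.255.0.0",
]

EVENT_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)(?:/\d+)?")
# Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)")

def parse_event(line):
    # Interface and address fields of a 305005 message, or None if the line is not one.
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None

def parse_static(line):
    # Interfaces plus mapped/real networks of one static statement, or None.
    m = STATIC_RE.search(line)
    if not m:
        return None
    net = lambda key: ipaddress.ip_network(f"{m[key]}/{m['mask']}", strict=False)
    return {"real_if": m["real_if"], "mapped_if": m["mapped_if"],
            "mapped": net("mapped"), "real": net("real")}

def missing_translations(line, static_lines):
    # Sides of the logged flow that no static covers; [] means both are covered.
    ev = parse_event(line)
    if ev is None:
        return None
    statics = [s for s in map(parse_static, static_lines) if s]
    src, dst = ipaddress.ip_address(ev["src_ip"]), ipaddress.ip_address(ev["dst_ip"])
    # Destination: a static whose mapped side faces the arriving interface and holds dst.
    dst_ok = any(s["mapped_if"] == ev["src_if"] and s["real_if"] == ev["dst_if"]
                 and dst in s["mapped"] for s in statics)
    # Source: a static whose real side faces the arriving interface and holds src.
    src_ok = any(s["real_if"] == ev["src_if"] and s["mapped_if"] == ev["dst_if"]
                 and src in s["real"] for s in statics)
    return [side for side, ok in (("dst", dst_ok), ("src", src_ok)) if not ok]
```

Running it against the two original statics reports both sides uncovered; after adding the two identity statics from the last answer it reports none, which is the quickest way to see whether a 305005 message still points at NAT or at routing.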
 
Computer101 Commented:
Forced accept.

Computer101
EE Admin
0
