billythehamster
asked on
pix
Hi, I am getting the following error on my PIX firewall. It's a 525 running v7 with nat-control available.
2007-10-02 12:43:05 Local3.Error 10.52.165.132 Oct 02 2007 12:49:24: %PIX-3-305005: No translation group found for tcp src outside:10.145.221.210/124 6 dst dmz3:20.138.210.85/80
Enclosed is a static NAT translation for the above. Not sure why I am getting this message?
static (inside,dmz3) 10.52.0.0 10.52.0.0 netmask 255.255.0.0
static (inside,dmz3) 10.52.130.75 10.52.130.69 netmask 255.255.255.255
Thanks
Can you post your current configuration? Or at least say what IP ranges you have assigned to each interface.
ASKER
interface Ethernet0
nameif outside
security-level 0
ip address 195.104.xx.xx 255.255.254.0 standby xx.xx.xx.xx
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.52.165.132 255.255.255.248 standby 10.52.165.133
!
interface Ethernet2
nameif dmz2
security-level 50
ip address 192.168.253.254 255.255.255.0 standby 192.168.253.253
!
interface Ethernet3
nameif dmz3
security-level 75
ip address 10.52.165.17 255.255.255.240 standby 10.52.165.19
!
interface Ethernet4
nameif dmz4
security-level 25
ip address 192.168.251.254 255.255.255.0 standby 192.168.251.253
ASKER
Here is the static route in the PIX that is applicable to this error:
route dmz3 20.138.210.85 255.255.255.255 10.52.165.20 1
ASKER
Here is the correct static nat translation:
static (dmz3,outside) 10.145.0.0 10.145.0.0 netmask 255.255.0.0
ASKER
But I am still having problems
Where did 10.145.0.0 come from?
ASKER
Someone else has entered that element of the config. But seeing that that is the IP address the user is connecting from, I imagine that's why it is not working. Please can someone else confirm this?
Do you have any other 'route' commands other than the one you posted earlier to the dmz3 interface?
If not, then you will need to add one so the PIX knows how to get to 10.145.221.210.
ASKER
There is a default route to the core switch, which knows about those networks. The translation error is related to NAT, not routing.
OK, I think you had it almost correct with the last static command you posted, but just had the interfaces specified the wrong way round. Try this:
no static (dmz3,outside) 10.145.0.0 10.145.0.0 netmask 255.255.0.0
static (outside,dmz3) 10.145.0.0 10.145.0.0 netmask 255.255.0.0
ASKER
Why is it in the format static (outside,dmz3)? Just when I think I have got my head around PIX NAT translations it all seems to change!
Sorry I got it wrong this time. Your first static command was correct.
After changing any of the static mappings it is advisable to issue the command 'clear xlate' to clear and rebuild the translation table in memory.
ASKER
Phew, I already find PIX NAT translation confusing! Seeing as the 20.138.0.0/16 network is on the dmz3 interface and the 10.145 address is coming from the outside, do I not need a statement like this as well:
static (dmz3,outside) 20.138.0.0 20.138.0.0 netmask 255.255.0.0
Take the following example:
static (inside,dmz) yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx netmask 255.255.0.0 0 0
This means: take the source IP address xxx.xxx.xxx.xxx of any packet coming into the inside interface and translate it to yyy.yyy.yyy.yyy going out the dmz interface.
Traffic to yyy.yyy.yyy.yyy coming in the dmz interface gets translated to xxx.xxx.xxx.xxx and passed out the inside interface.
Now these commands are only needed to override any default NAT you have already applied to the PIX using the 'global' and 'nat' commands.
I think it would be best if you could post your complete configuration as that would be far easier to understand.
ASKER
The complete PIX config is 42 pages of A4 when I print it out! There are 4 rather large networks that the PIX is protecting. What you are saying is that the PIX translations work both ways. Seeing as I am getting the following error:
2007-10-02 12:43:05 Local3.Error 10.52.165.132 Oct 02 2007 12:49:24: %PIX-3-305005: No translation group found for tcp src outside:10.145.221.210/124 6 dst dmz3:20.138.210.85/80
How would you create NAT rules so that traffic coming from the outside interface (network 10.145.0.0/16) going to the dmz3 interface (20.138.0.0/16) doesn't get translated and the same vice versa? I can then compare this to the NAT rules I have in place. If it is helpful I can put both the global and static nat statements from the PIX on the post.
You could add this:
static (dmz3,outside) 20.138.0.0 20.138.0.0 netmask 255.255.0.0
I think that's the correct way, as the dmz interface has the higher of the two security levels.
However, that error message may not indicate that there is a NAT issue. The error really indicates that it is receiving data that it does not know what to do with. It could be a case that the NAT is fine but it does not know that it should be routing the data to the dmz3 interface. I would therefore check all the route commands entered.
I'll be back online in the morning (UK time).
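As an added illustration (not code from this thread, from Cisco, or from either poster), the script below parses a %PIX-3-305005 line and reports which, if any, of a list of static commands supplies a translation for the rejected flow. The interface-pair matching in covering_static is a deliberately simplified, assumed model of the PIX lookup, and the source port 1246 in the constructed sample line is an assumption (the thread's copy shows it as "124 6").

```python
import ipaddress
import re

LOG_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/\d+ dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/\d+")
STATIC_RE = re.compile(
    r"static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)")


def parse_305005(line):
    """Return the rejected flow (proto, sif, sip, dif, dip) as a dict, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def parse_static(cmd):
    """Return (real_if, mapped_if, mapped_net, real_net) for one static command."""
    m = STATIC_RE.match(cmd.strip())
    if not m:
        raise ValueError("not a static command: " + cmd)
    mapped = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
    real = ipaddress.ip_network(f"{m['real']}/{m['mask']}", strict=False)
    return m["real_if"], m["mapped_if"], mapped, real


def covering_static(flow, statics):
    """Return the first static that translates this flow, else None.
    Assumed simplified model: static (real_if,mapped_if) covers traffic arriving on
    mapped_if for a destination in the mapped network, and traffic arriving on
    real_if from a source in the real network; other interface pairs never apply."""
    src, dst = ipaddress.ip_address(flow["sip"]), ipaddress.ip_address(flow["dip"])
    for cmd in statics:
        real_if, mapped_if, mapped, real = parse_static(cmd)
        if (real_if, mapped_if) == (flow["dif"], flow["sif"]) and dst in mapped:
            return cmd
        if (real_if, mapped_if) == (flow["sif"], flow["dif"]) and src in real:
            return cmd
    return None


if __name__ == "__main__":
    # Constructed sample: the syslog line from this thread, source port assumed 1246.
    line = ("%PIX-3-305005: No translation group found for tcp "
            "src outside:10.145.221.210/1246 dst dmz3:20.138.210.85/80")
    posted = ["static (inside,dmz3) 10.52.0.0 10.52.0.0 netmask 255.255.0.0",
              "static (inside,dmz3) 10.52.130.75 10.52.130.69 netmask 255.255.255.255"]
    print(covering_static(parse_305005(line), posted))  # None: wrong interface pair
    posted.append("static (dmz3,outside) 20.138.0.0 20.138.0.0 netmask 255.255.0.0")
    print(covering_static(parse_305005(line), posted))  # the identity static
```

Running it against the two (inside,dmz3) statics from the first post returns None, because neither is bound to the outside/dmz3 pair the log names; adding the identity static for 20.138.0.0/16 makes the lookup succeed.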
ASKER
Cheers for the help so far. I posted it earlier in the post but here is the route command for the firewall:
route dmz3 20.138.210.85 255.255.255.255 10.52.165.20 1
So it must be a NAT issue.
What about a route to 10.145?
Do you have a default route as well?
ASKER
Yes there is a default route on the outside interface to the core router.
ASKER CERTIFIED SOLUTION
Forced accept.
Computer101
EE Admin