Solved

Syslog error on PIX 515 no translation group found for icmp

Posted on 2011-02-21
Last Modified: 2012-05-11
Hi,

I am getting loads of syslog errors as follows with many different addresses;

feb 22 2011 12:24:47: %%pix-3-305005: no translation group found for icmp src inside:203.18.122.71 dst outside:172.16.86.81 (type 8, code 0)


The 203.18.122.71 is not on the inside interface.

I am running a PIX 515 with version 6.3(5).

How do I fix this?

Peter
Question by:PeterSinger
 
LVL 18

Expert Comment

by:decoleur
ID: 34948335
this type of error is most common with a misconfigured NAT or NAT 0 ACL. look at how they are configured, or post a cleaned-up version of your code so we can see what you have.

hope this helps,

-t

some references http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution14
and from
http://www.cisco.com/en/US/partner/docs/security/pix/pix63/system/message/pixemsgs.html#wpxref24101

"Error Message    %PIX-3-305005: No translation group found for protocol src
interface_name:dest_address/dest_port dst
interface_name:source_address/source_port

Explanation    A packet does not match any of the outbound nat rules.

Recommended Action    This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL. "

hope this helps,

-t
 
LVL 4

Author Comment

by:PeterSinger
ID: 34948827
Could you look at the config?
 
LVL 18

Expert Comment

by:decoleur
ID: 34949079
sure, post a clean version and we will take care of you.
 
LVL 4

Author Comment

by:PeterSinger
ID: 34950943
Hi, attached is the config plus the main syslog errors.

feb 22 2011 23:33:23: %%pix-3-305005: no translation group found for icmp src inside:203.18.118.71 dst outside:172.16.102.254 (type 8, code 0)

feb 22 2011 14:19:42: %%pix-3-305005: no translation group found for tcp src inside:10.218.113.247/55243 dst outside:66.102.11.193/443

feb 22 2011 14:56:03: %%pix-3-305005: no translation group found for udp src dmz0:ex-edge1/63896 dst dmz1:srv-dns2/53

feb 22 2011 11:42:59: %%pix-3-305005: no translation group found for udp src dmz0:203.39.178.163/123 dst inside:wks-fwmanager/123

Thanks!
conf.txt
 
LVL 18

Accepted Solution

by:
decoleur earned 500 total points
ID: 34951719
the issue that you have is that hosts are trying to communicate across your firewall without access being allowed. if you are going from a high security level to a low security level, like inside to outside, you just need to make sure there is NAT available; if it is going in the other direction you need both NAT and an ACL.

for example inside natted out looks like this:
nat (inside) 142 10.8.0.0 255.252.0.0 0 0
nat (inside) 143 10.12.0.0 255.252.0.0 0 0
nat (inside) 141 lan-internal 255.248.0.0 0 0
nat (inside) 144 10.24.0.0 255.248.0.0 0 0

nothing matches 10.218.113.247 so it cannot go out.

you could add that network to any of your inside nats
nat (inside) 142 10.218.0.0 255.255.0.0 0 0

dmz0 to dmz1 needs
static (dmz0,dmz1) EX-Edge1 EX-Edge1 netmask 255.255.255.255 0 0

inside to outside needs
static (inside,outside) 203.18.118.71 203.18.118.71 netmask 255.255.255.255 0 0

dmz0 to inside needs
static (dmz0,inside) 203.39.178.163 203.39.178.163 netmask 255.255.255.255 0 0

if after adding the NAT they still do not work you might want to look at the ACLs to make sure they work as expected.

as a thought, I might create larger NAT blocks and use ACLs to restrict access, like this:

for example:
static (dmz0,inside) 203.39.178.160 203.39.178.160 netmask 255.255.255.224 0 0
static (dmz0,dmz1) 203.39.178.160 203.39.178.160 netmask 255.255.255.224 0 0

hope this helps,

-t
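The lookup that the accepted answer and the quoted Cisco text describe (a packet is logged as %PIX-3-305005 when no nat or static rule on its source interface covers its source address toward the destination interface) can be replayed offline against a config dump, which makes it easier to see which of many log lines a given nat or static line would actually resolve. The following Python script is an added example, not code from this thread or from Cisco. It parses nat and static lines in PIX 6.3 syntax and the 305005 log lines, and reports the first rule, if any, that would have translated each packet. It assumes, as a simplification, that a dynamic nat rule applies toward any other interface, skips nat 0 access-list and name-based rules it cannot resolve offline, and the config and log lines below are constructed from the ones quoted in this thread.

```python
"""Added example (not code from this thread or from Cisco): replay PIX 6.3
%PIX-3-305005 syslog lines against nat/static lines and report which rule,
if any, would have translated each packet."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed config excerpt, modelled on the lines quoted in the accepted answer.
CONFIG = """
nat (inside) 142 10.8.0.0 255.252.0.0 0 0
nat (inside) 143 10.12.0.0 255.252.0.0 0 0
nat (inside) 144 10.24.0.0 255.248.0.0 0 0
static (inside,outside) 203.18.118.71 203.18.118.71 netmask 255.255.255.255 0 0
static (dmz0,inside) 203.39.178.160 203.39.178.160 netmask 255.255.255.224 0 0
"""

# Constructed syslog lines in the format the PIX produced in this thread.
SYSLOG = """
feb 22 2011 14:19:42: %PIX-3-305005: No translation group found for tcp src inside:10.218.113.247/55243 dst outside:66.102.11.193/443
feb 22 2011 23:33:23: %PIX-3-305005: No translation group found for icmp src inside:203.18.118.71 dst outside:172.16.102.254 (type 8, code 0)
feb 22 2011 14:56:03: %PIX-3-305005: No translation group found for udp src dmz0:ex-edge1/63896 dst dmz1:srv-dns2/53
feb 22 2011 11:42:59: %PIX-3-305005: No translation group found for udp src dmz0:203.39.178.163/123 dst inside:wks-fwmanager/123
feb 22 2011 12:24:47: %PIX-3-305005: No translation group found for icmp src inside:203.18.122.71 dst outside:172.16.86.81 (type 8, code 0)
"""

LOG_RE = re.compile(
    r"no translation group found for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<src>[\w.-]+)(?:/\d+)? "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\w.-]+)(?:/\d+)?",
    re.IGNORECASE,
)
NAT_RE = re.compile(r"^nat \((?P<ifc>[\w-]+)\) (?P<id>\d+) (?P<rest>.+)$")
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) "
    r"(?P<mapped>[\w.-]+) (?P<real>[\w.-]+) netmask (?P<mask>[\d.]+)"
)


@dataclass
class Rule:
    text: str
    real_ifc: str                              # interface the untranslated host sits on
    mapped_ifc: Optional[str]                  # None for dynamic nat: assumed to apply toward any other interface
    network: Optional[ipaddress.IPv4Network]   # None when the rule uses a name/ACL we cannot resolve offline


def _net(addr: str, mask: str) -> Optional[ipaddress.IPv4Network]:
    try:
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    except ValueError:          # 'name' objects such as lan-internal
        return None


def parse_rules(config: str) -> List[Rule]:
    rules = []
    for line in config.strip().splitlines():
        m = NAT_RE.match(line)
        if m:
            parts = m["rest"].split()
            # nat 0 access-list rules are skipped here (assumption: ACL not available offline)
            net = _net(parts[0], parts[1]) if len(parts) >= 2 and parts[0] != "access-list" else None
            rules.append(Rule(line, m["ifc"], None, net))
            continue
        m = STATIC_RE.match(line)
        if m:
            # Traffic from real_ifc toward mapped_ifc is matched on the real (second) address.
            rules.append(Rule(line, m["real_ifc"], m["mapped_ifc"], _net(m["real"], m["mask"])))
    return rules


def find_rule(rules: List[Rule], src_ifc: str, dst_ifc: str, src: str) -> Optional[Rule]:
    """First rule that would translate src leaving src_ifc toward dst_ifc; None means 305005."""
    try:
        addr = ipaddress.IPv4Address(src)
    except ValueError:
        return None             # the log shows a 'name' entry; resolve it before matching
    for r in rules:
        if r.network is None or r.real_ifc != src_ifc:
            continue
        if r.mapped_ifc is not None and r.mapped_ifc != dst_ifc:
            continue
        if addr in r.network:
            return r
    return None


def triage(config: str, syslog: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """(src, src_ifc, dst_ifc, matching rule text or None) for every 305005 line."""
    rules = parse_rules(config)
    out = []
    for line in syslog.strip().splitlines():
        m = LOG_RE.search(line)
        if m:
            hit = find_rule(rules, m["sif"], m["dif"], m["src"])
            out.append((m["src"], m["sif"], m["dif"], hit.text if hit else None))
    return out


if __name__ == "__main__":
    for src, sif, dif, rule in triage(CONFIG, SYSLOG):
        print(f"{sif}:{src} -> {dif}: {rule or 'NO RULE (would log 305005)'}")
```

Run against the constructed lines, the 10.218.113.247 packet matches none of the three inside nat blocks, exactly as the answer says, while the two static identity lines account for 203.18.118.71 and 203.39.178.163. A match only tells you which rule would silence the message, not whether the traffic is legitimate; for source addresses that are not yours but appear on the inside interface, the later advice in this thread still applies: find out where they originate before adding an identity static for them.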
 
LVL 4

Author Closing Comment

by:PeterSinger
ID: 34954823
Fantastic help, thanks !!!
 
LVL 4

Author Comment

by:PeterSinger
ID: 34954839
One last thing, 203.18.118.71 is not one of my addresses on the inside, why would that need anything?
 
LVL 4

Author Comment

by:PeterSinger
ID: 34955158
Also even with the   I still get these;

feb 23 2011 06:59:52: %%pix-3-305005: no translation group found for icmp src inside:203.18.116.85 dst outside:172.16.86.17 (type 8, code 0)

feb 23 2011 06:56:58: %%pix-3-305005: no translation group found for icmp src inside:203.18.122.71 dst outside:172.16.86.81 (type 8, code 0)

and many other inside addresses for icmp only that are not internal to me. If I add the static NAT for the address (e.g. static (inside,outside) 203.18.118.71 203.18.118.71 netmask 255.255.255.255 0 0) it does go away, but it is not one of my addresses, so why should I have to do anything with it?

 
LVL 4

Author Comment

by:PeterSinger
ID: 34955262
And note it is always to 17.16.x.254 addresses.

It could be my MPLS cloud, but that should not go via this link as this is an internet link. Any suggestions on how to stop these messages and resolve the issue?
 
LVL 18

Expert Comment

by:decoleur
ID: 34957423
you really need to figure out where those addresses come from and then let that inform how you deal with it. Talk to your service provider or MPLS provider and see if they can explain where it comes from.