Syslog error on PIX 515 no translation group found for icmp

Posted on 2011-02-21
Last Modified: 2012-05-11
Hi,

I am getting loads of syslog errors as follows, with many different addresses:

feb 22 2011 12:24:47: %%pix-3-305005: no translation group found for icmp src inside:203.18.122.71 dst outside:172.16.86.81 (type 8, code 0)


The 203.18.122.71 is not on the inside interface.

I am running a PIX 515 with version 6.3(5).

How do I fix this?

Peter
Question by:PeterSinger
10 Comments
 
LVL 18

Expert Comment

by:decoleur
ID: 34948335
this type of error is most common with a misconfigured NAT or NAT 0 ACL. look at how they are configured or post a cleaned up version of your config to see what you have.

hope this helps,

-t

some references http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution14 
and from
http://www.cisco.com/en/US/partner/docs/security/pix/pix63/system/message/pixemsgs.html#wpxref24101

"Error Message    %PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

Explanation    A packet does not match any of the outbound nat rules.

Recommended Action    This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL. "

hope this helps,

-t
 
LVL 4

Author Comment

by:PeterSinger
ID: 34948827
Could you look at the config?
 
LVL 18

Expert Comment

by:decoleur
ID: 34949079
sure, post a clean version and we will take care of you.
 
LVL 4

Author Comment

by:PeterSinger
ID: 34950943
Hi, attached is the config plus the main syslog errors.

feb 22 2011 23:33:23: %%pix-3-305005: no translation group found for icmp src inside:203.18.118.71 dst outside:172.16.102.254 (type 8, code 0)

feb 22 2011 14:19:42: %%pix-3-305005: no translation group found for tcp src inside:10.218.113.247/55243 dst outside:66.102.11.193/443

feb 22 2011 14:56:03: %%pix-3-305005: no translation group found for udp src dmz0:ex-edge1/63896 dst dmz1:srv-dns2/53

feb 22 2011 11:42:59: %%pix-3-305005: no translation group found for udp src dmz0:203.39.178.163/123 dst inside:wks-fwmanager/123

Thanks!
conf.txt
 
LVL 18

Accepted Solution

by: decoleur (earned 500 total points)
ID: 34951719
the issue that you have is that hosts are trying to communicate across your firewall without access being allowed. if you are going from a high security level to a low security level like inside to outside you just need to make sure there is NAT available; if it is going in the other direction you need both NAT and an ACL.

for example inside natted out looks like this:
nat (inside) 142 10.8.0.0 255.252.0.0 0 0
nat (inside) 143 10.12.0.0 255.252.0.0 0 0
nat (inside) 141 lan-internal 255.248.0.0 0 0
nat (inside) 144 10.24.0.0 255.248.0.0 0 0

nothing matches 10.218.113.247 so it cannot go out.

you could add that network to any of your inside nats
nat (inside) 142 10.218.0.0 255.255.0.0 0 0

dmz0 to dmz1 needs
static (dmz0,dmz1) EX-Edge1 EX-Edge1 netmask 255.255.255.255 0 0

inside to outside needs
static (inside,outside) 203.18.118.71 203.18.118.71 netmask 255.255.255.255 0 0

dmz0 to inside needs
static (dmz0,inside) 203.39.178.163 203.39.178.163 netmask 255.255.255.255 0 0

if after adding the NAT they still do not work you might want to look at the ACLs to make sure they work as expected.

as a thought I might create larger NAT blocks and use ACLs to restrict access like this:

for example:
static (dmz0,inside) 203.39.178.160 203.39.178.160 netmask 255.255.255.224 0 0
static (dmz0,dmz1) 203.39.178.160 203.39.178.160 netmask 255.255.255.224 0 0

hope this helps,

-t
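As an added example (not code from the thread or from Cisco), a small Python checker that applies the reasoning of the accepted answer and of the Cisco message text quoted earlier: it parses PIX 6.3 nat/static lines and %PIX-3-305005 log lines, then reports which rule on the source interface covers each source address, or none. The config and log lines are constructed samples modelled on the ones posted; the name-based rule (lan-internal) is left out because it would need the firewall's name table.

```python
import ipaddress
import re

# Constructed sample of the PIX 6.3 nat/static lines quoted in the accepted answer.
NAT_CONFIG = """
nat (inside) 142 10.8.0.0 255.252.0.0 0 0
nat (inside) 143 10.12.0.0 255.252.0.0 0 0
nat (inside) 144 10.24.0.0 255.248.0.0 0 0
static (inside,outside) 203.18.118.71 203.18.118.71 netmask 255.255.255.255 0 0
"""

# Constructed log lines modelled on the ones posted in the thread.
LOG_LINES = [
    "feb 22 2011 14:19:42: %%pix-3-305005: no translation group found for tcp "
    "src inside:10.218.113.247/55243 dst outside:66.102.11.193/443",
    "feb 22 2011 23:33:23: %%pix-3-305005: no translation group found for icmp "
    "src inside:203.18.118.71 dst outside:172.16.102.254 (type 8, code 0)",
]

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
LOG_RE = re.compile(
    r"%+PIX-3-305005: no translation group found for (\w+) "
    r"src (\w+):([\w.\-]+)(?:/\d+)? dst (\w+):([\w.\-]+)", re.IGNORECASE)


def parse_rules(config):
    """Turn nat/static lines into (src_if, label, network); statics sort first
    because the PIX checks static translations before dynamic nat."""
    rules = []
    for line in config.strip().splitlines():
        try:
            if m := NAT_RE.match(line):            # nat (ifc) id real_net mask
                rules.append((m[1], f"nat {m[2]}",
                              ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
            elif m := STATIC_RE.match(line):       # static (real,mapped) mapped real netmask m
                rules.append((m[1], f"static ({m[1]},{m[2]})",
                              ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)))
        except ValueError:                         # e.g. "nat (inside) 0 access-list ..."
            continue
    rules.sort(key=lambda r: r[1].startswith("nat"))
    return rules


def find_translation(src_if, src, rules):
    """Label of the first rule on src_if covering src, or None (a 'name'd host
    such as ex-edge1 cannot be checked without the name table)."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    return next((lbl for ifc, lbl, net in rules if ifc == src_if and ip in net), None)


def triage(log_lines, config):
    """For each 305005 line: (proto, src_if, src, dst_if, dst, covering rule or None)."""
    rules = parse_rules(config)
    return [m.groups() + (find_translation(m[2], m[3], rules),)
            for m in map(LOG_RE.search, log_lines) if m]
```

A None in the last column reproduces the answer's "nothing matches 10.218.113.247" finding; a label names the rule that should already cover the host, so the next place to look is the ACL.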
 
LVL 4

Author Closing Comment

by:PeterSinger
ID: 34954823
Fantastic help, thanks!!!
 
LVL 4

Author Comment

by:PeterSinger
ID: 34954839
One last thing, 203.18.118.71 is not one of my addresses on the inside, why would that need anything?
 
LVL 4

Author Comment

by:PeterSinger
ID: 34955158
Also even with the   I still get these;

feb 23 2011 06:59:52: %%pix-3-305005: no translation group found for icmp src inside:203.18.116.85 dst outside:172.16.86.17 (type 8, code 0)

feb 23 2011 06:56:58: %%pix-3-305005: no translation group found for icmp src inside:203.18.122.71 dst outside:172.16.86.81 (type 8, code 0)

and many other inside addresses for icmp only that are not internal to me. If I add the static NAT for the address (e.g. static (inside,outside) 203.18.118.71 203.18.118.71 netmask 255.255.255.255 0 0) it does go away, but it is not one of my addresses, so why should I have to do anything with it?
 
LVL 4

Author Comment

by:PeterSinger
ID: 34955262
And note it is always to 17.16.x.254 addresses.

It could be my MPLS cloud, but that should not go via this link as this is an internet link. Any suggestions on how to stop these messages and resolve the issue?
 
LVL 18

Expert Comment

by:decoleur
ID: 34957423
you really need to figure out where those addresses come from and then let that inform how you deal with it. Talk to your service provider or MPLS provider and see if they can explain where it comes from.