Skip to main content

PIX-3-305005 - No translation group found for protocol

More
13 years 9 months ago #34666 by pixbee
Hi Solo,

Thanks for your time on this. I may consider rewriting that to match your suggestions. But you are re-designing everything here, as opposed to advise me why what I have now is not working - which was my main concern, hence the post. Let aside the names, the configuration I have is something which I believed should have worked. It is not. What I would love to understand is why and thus, which concept I have missed. In the first post, I have tried to explain the process as I understood it step by step, is there any of those step which is wrong?

Cheers,

Pixbee.
More
13 years 9 months ago #34687 by S0lo
pixbee,

Remove the following lines in your config, and it should work.

[code:1]global (inside) 1 192.168.1.20-192.168.1.50 netmask 255.255.255.0
nat (AP) 1 10.0.0.0 255.255.255.0 outside 0 0 [/code:1]

I tried it on my Pix, it works. Here is what I think is happening,

When host 192.168.1.70 pings 10.0.0.1. The Pix receives this and translates the source address 192.168.1.70 to 10.0.0.251 according to nat (inside) 2 and global (AP) 2 interface statements. Now, here where it goes wrong, since the other nat/global uses outside translation, the Pix will Again translate 10.0.0.251 (that was already translated) to an IP between 192.168.1.20-192.168.1.50. Now this IP is obviously in the same segment that the pinger is (i.e inside). The packet will not reach the destination at all and it will be dropped.

The thing that clued me into this, is when I issued the command show xlate. It shows a statement like this:

Global 192.168.1.22 Local GANGAN

This is obviously a map between 192.168.1.70 and 192.168.1.22 !!!

Again, this is just what I think the reason is. What I'm sure of is that you don't need the two statements above in your setup. (i.e outside NAT).

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
13 years 9 months ago #34689 by pixbee
Hi Solo,

Thanks for your time, appreciated it!

Remove the following lines in your config, and it should work.
Code:
global (inside) 1 192.168.1.20-192.168.1.50 netmask 255.255.255.0
nat (AP) 1 10.0.0.0 255.255.255.0 outside 0 0
I tried it on my Pix, it works.

When host 192.168.1.70 pings 10.0.0.1.


Mm. You tried it in the other way then :/

The thing that clued me into this, is when I issued the command show xlate. It shows a statement like this:

Global 192.168.1.22 Local GANGAN

This is obviously a map between 192.168.1.70 and 192.168.1.22 !!!


Well, actually GANGAN is 10.0.0.1 (not 192.168.1.70, which was the destination of the ping in my test. That is from "AP" to "Inside").

So what the show xlate indicates is indeed that the translation has been done from 10.0.0.1 to 192.168.1.22 which is what was expected from any outbound connections from "AP" to "Inside".

What I'm sure of is that you don't need the two statements above in your setup. (i.e outside NAT).


That means that no outbound connections from AP is allowed towards inside if I do that. Which isn't what I was trying to do.

But I'm starting to get that I just can't do anything else then a static NAT if I want to get from a lower secu interface (AP) to a higher secu (inside)... specific to pix/firewall then as a router wouldn't behave like that.

Sounds like I'm giving up here, may understand why exactly in few years (when I'll be a big boy :) ).

For now, I'm likely to swap the interfaces /secu level around and get it working.

Cheers again for your time.

Pixbee.
More
13 years 9 months ago #34690 by S0lo
Oh, GANGAN is 10.0.0.1. got confused.

I better start sleeping well then or else starting killing the 4 or 5 brain cells that I have left upstairs :P

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
12 years 11 months ago #36692 by EthelValenzuela
:P It always happens, if you want to sleep you cannot think clear :roll:
Time to create page: 0.152 seconds