Tcpdump on the inside side of the firewall sees nothing leaving.
Enabling some logging I get the following on the PIX :
[code:1]%PIX-6-609001: Built local-host AP:10.0.0.1
%PIX-6-305009: Built dynamic translation from AP:10.0.0.1 to inside:192.168.1.20
%PIX-3-305005: No translation group found for icmp src AP:HOSTA dst inside:HOSTB (type 8, code 0)[/code:1]
Error Message %PIX-3-305005: No translation group found for protocol src
Explanation A packet does not match any of the outbound nat rules.
Recommended Action This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL.
My NAT command does match the source IP address. As in, 10.0.0.1 is included in 10.0.0.0/24 - which is also why I get the built dynamic translation message I suppose.
Anyway, that's where I understand that I am surely missing a concept here. Could you please shed some light on those basics for me?
I guess I should amend the first "topo" by the below if it gives a better picture.
[AP] - [PIX] - [ROUTER Internet]
I can only concede that the names are misleading (sorry for that). So to answer, no, AP is not connected to the outside directly. The route would therefore be correct and is actually directing the traffic from AP to the router connected to the Internet. Also, I'd like to keep that pool NAT in place for the router not to see the AP side addresses if that makes sense.
I'm attaching the full config hoping it will help better.
Thank you again for your time!
Re: PIX-3-305005 - No translation group found for protocol
8 years 7 months ago #34656
First I would recommend you physically switch the 2 ports. In other words, connect the AP to Ethernet1 and connect the router/internet to Ethernet0. (You can do the switching in the config too, but it probably involves more complications regarding auto and 100full.) Physical should be easier.
Then do the following:
[code:1]nameif ethernet0 outside security50
nameif ethernet1 AP security100 [/code:1]
The AP is your inside now. Then do
[code:1]ip address AP 10.0.0.251 255.255.255.0
ip address outside 192.168.1.251 255.255.255.0 [/code:1]
That's the only NAT (PAT) you need for a basic setup without inside servers. Note that I'm assuming here that the internet router is NOT doing NAT. If it is, then you can ignore NAT on the PIX by using identity NAT.
Then replace the keyword inside with outside in the ACLs and default route. Like this:
[code:1]access-list outside_access_in permit ip any any
access-group outside_access_in in interface outside[/code:1]
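To make the lookup behind the "Built dynamic translation" and 305005 messages concrete, here is an added Python model of how a PIX picks a translation for a new flow (this is illustrative code, not PIX firmware and not from anyone in this thread). The interface names, security levels and addresses are the ones suggested above; the first-match ordering of nat statements and the shortcut that any low-to-high flow needs a static or nat 0 are simplifying assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PixNat:
    """Constructed, simplified model of PIX dynamic NAT lookup (not PIX code)."""
    security: dict                               # nameif: interface -> security level
    nat: list = field(default_factory=list)      # nat (iface) id net mask
    glob: dict = field(default_factory=dict)     # global (iface) id pool, keyed (iface, id)

    def add_nat(self, iface, nat_id, net):
        self.nat.append((iface, nat_id, ipaddress.ip_network(net)))

    def add_global(self, iface, nat_id, pool):
        self.glob[(iface, nat_id)] = pool

    def evaluate(self, src_iface, src_ip, dst_iface):
        """Return the syslog-style verdict for the first packet of a new flow."""
        # Dynamic NAT only applies from a higher-security to a lower-security
        # interface; the reverse direction needs a static or nat 0 (not modelled).
        if self.security[src_iface] <= self.security[dst_iface]:
            return ("%PIX-3-305005: No translation group found: "
                    f"{src_iface}->{dst_iface} is low-to-high, needs static/nat 0")
        ip = ipaddress.ip_address(src_ip)
        # Simplification: the first nat statement on the ingress interface
        # whose network contains the source address wins.
        for iface, nat_id, net in self.nat:
            if iface != src_iface or ip not in net:
                continue
            if nat_id == 0:                      # identity NAT: no address change
                return f"identity NAT: {src_iface}:{src_ip} -> {dst_iface} untranslated"
            pool = self.glob.get((dst_iface, nat_id))
            if pool is None:                     # nat id has no global on the egress side
                return ("%PIX-3-305005: No translation group found: "
                        f"no global ({dst_iface}) {nat_id}")
            return (f"%PIX-6-305009: Built dynamic translation from "
                    f"{src_iface}:{src_ip} to {dst_iface}:{pool}")
        return ("%PIX-3-305005: No translation group found: "
                f"no nat ({src_iface}) covers {src_ip}")


def recommended_setup():
    """The layout suggested in this reply: AP is the high-security side, PAT on outside."""
    pix = PixNat({"outside": 50, "AP": 100})
    pix.add_nat("AP", 1, "10.0.0.0/24")            # nat (AP) 1 10.0.0.0 255.255.255.0
    pix.add_global("outside", 1, "192.168.1.251")  # global (outside) 1 interface
    return pix
```

Dropping the `add_global` line from `recommended_setup()` reproduces the 305005 case from the first post: the nat statement matches the source, but no global with that id exists on the egress interface.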