
Translation problems with PIX OS 7.0(1)


netadmin65

Technical User
Feb 14, 2003
61
US
I was on 6.3(4) and upgraded to 7.0(1).
I also added a DMZ interface, but it is not configured
and basically disabled (shutdown).

I now get:

%PIX-3-305005: No translation group found for tcp src inside:65.59.207.13/80 dst outside:208.x.x.x/2671

and

%PIX-3-305005: No translation group found for tcp src inside:208.x.x.x/2712 dst outside:216.251.114.10/80

The 208.x address (addresses, actually) is applied
globally to my outside interface, yet is showing as
inside (I would assume the correct inside addresses
would be my 10.x.x.x NAT'ed addresses).

Also, as can be seen, I get a foreign (my name for
external to any of my address space) address showing
as inside.

Once again, everything worked in 6.3(4) .... anyone
familiar with why this is not working?

Please DO NOT tell me to use the "downgrade" command.
That is not an option.

Thanks in advance.

 
Please note that traffic appears to be going smoothly,
it is just that I get the translation errors now,
and my Cisco Trust Agent on my VPN client can no longer
authenticate. Once again, before going to 7.0(1), my
config worked fine at 6.3(4).

Here it is:

PIX Version 7.0(1)
names
name 216.x.x.3 host3
name 216.x.x.4 host4
name 216.x.x.5 host5
name 216.x.x.6 host6
name 216.x.x.8 host8
name 216.x.x.7 host7
name 216.x.x.48 host48
name 216.x.x.47 host47
name 216.x.x.45 host45
name 216.x.x.46 host46
!
interface Ethernet0
nameif outside
security-level 0
ip address 216.x.x.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
enable password lalalalalala encrypted
passwd lalalalalalalala encrypted
hostname pixfw
domain-name somedomain.name
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list inboundtraffic <hidden... allows proper inbound requests>
access-list bypassnat extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list bypassnat extended permit ip host 10.1.0.2 10.1.0.0 255.255.255.0
access-list outboundtraffic <hidden... allows proper outbound traffic>
access-list 6 standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging trap warnings
logging host inside 10.0.0.x
no logging message 106012
no logging message 106021
mtu outside 1500
mtu inside 1500
ip audit name Inbound-Attack attack action alarm drop reset
ip audit name Outbound-Attack attack action alarm drop
ip audit interface outside Inbound-Attack
ip audit interface inside Outbound-Attack
ip local pool dealer 10.1.0.101-10.1.0.108
ip local pool shark 10.1.0.100
no failover
monitor-interface outside
monitor-interface inside
arp timeout 14400
nat-control
global (outside) 1 216.x.x.49-216.x.x.243 netmask 255.255.255.0
nat (inside) 0 access-list bypassnat
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 2 10.1.0.0 255.255.255.0
static (inside,outside) host5 10.0.0.5 netmask 255.255.255.255
static (inside,outside) host6 10.0.0.6 netmask 255.255.255.255
static (inside,outside) host7 10.0.0.7 netmask 255.255.255.255
static (inside,outside) host8 10.0.0.8 netmask 255.255.255.255
static (inside,outside) host3 10.0.0.3 netmask 255.255.255.255
static (inside,outside) host48 10.0.0.48 netmask 255.255.255.255
static (inside,outside) host45 10.0.0.45 netmask 255.255.255.255
static (inside,outside) host46 10.0.0.46 netmask 255.255.255.255
static (inside,outside) host47 10.0.0.71 netmask 255.255.255.255
access-group inboundtraffic in interface outside
access-group outboundtraffic in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.1 1
route inside 10.0.0.0 255.255.255.0 10.1.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy admin7777 internal
group-policy admin7777 attributes
wins-server value 10.0.0.13
dns-server value 10.0.0.4
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 6
default-domain value somedomain.name
username testuser password lalalalala encrypted
url-server (inside) vendor websense host 10.0.0.32 timeout 10 protocol TCP version 4 connections 5
filter url except 10.0.0.0 255.255.255.224 0.0.0.0 0.0.0.0
filter url except 10.0.0.32 255.255.255.240 0.0.0.0 0.0.0.0
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block longurl-deny
http server enable
http 10.0.0.x 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community lalalalalalala
snmp-server enable traps snmp
service resetinbound
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
telnet timeout 60
ssh 10.0.0.x 255.255.255.255 inside
ssh 10.0.0.x 255.255.255.255 inside
ssh timeout 6
ssh version 2
console timeout 0
tunnel-group adminuser type ipsec-ra
tunnel-group adminuser general-attributes
address-pool shark
default-group-policy admin7777
tunnel-group adminuser ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect netbios
!
url-block url-mempool 1500
url-block url-size 4
service-policy global_policy global
 

Whoops... I may see the CTA auth problem, in that
access-list 6 needs to also include 10.1.0.0 network.

But that still doesn't explain the translation errors I
get. Please advise on that.

The network goes like this:

Internet[router]myClassC---myClassC[PIX]10.1.x.x---10.1.x.x[internalRouter]10.0.x.x---LAN

The items in brackets are the physical devices... addresses on either side are for internal or external interface addresses, depending on which side of the device, dashes of course show connection to the next device.
 
Well, still not having Cisco Trust Agent auth, even
after the addition of the 10.1.0.0 network on ACL 6.

Still, I feel the problems may be related.

Anyone see any glaring errors in my config?
I see none.
 
And one more thing... I show 208.x in the errors, yet
216.x in the config. Ignore this, this is just me hiding
my real external address. In fact, it starts with neither
of these octets. Just know that the 208 or 216 are in place of my external internet-capable Class C.
 
That error is just info that a webserver tried to reply to a session that your PIX has already timed out, and as such there is no translation for that packet to reply via. Probably just a slow webserver... nothing big.

About your CTA agent, what exactly are you trying to do? The PIX doesn't have NAC support, so what are you trying to auth with?

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
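To separate the harmless case Jan describes (a late reply for an already-expired xlate) from a host that genuinely has no NAT rule under nat-control, here is an added example (not from the thread or from Cisco) that parses %PIX-3-305005 syslog lines. The inside networks are taken from the posted config; the global pool uses a constructed documentation range in place of the masked 216.x.x.x block, and the sample log lines are constructed to match the ones quoted above.

```python
import re
import ipaddress
from collections import Counter

# Inside networks from the posted config; GLOBAL_POOL is a constructed stand-in
# for the masked 216.x.x.x block, and SAMPLE_LOGS are constructed sample lines.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.1.0.0/24")]
GLOBAL_POOL = ipaddress.ip_network("203.0.113.0/24")

SAMPLE_LOGS = [
    "%PIX-3-305005: No translation group found for tcp src inside:65.59.207.13/80 dst outside:203.0.113.20/2671",
    "%PIX-3-305005: No translation group found for tcp src inside:203.0.113.20/2712 dst outside:216.251.114.10/80",
    "%PIX-3-305005: No translation group found for tcp src inside:10.1.0.50/3344 dst outside:216.251.114.10/80",
    "%PIX-6-302013: Built outbound TCP connection 1234 for outside:216.251.114.10/80 to inside:10.0.0.5/2222",
]

XLATE_RE = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

def parse_305005(line):
    """Return the fields of a 305005 message, or None for any other message."""
    m = XLATE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def classify(ev):
    """Heuristic triage label (an assumption, not Cisco documentation): a 'src inside'
    address outside inside address space is a reply to an expired translation."""
    sip = ipaddress.ip_address(ev["sip"])
    if ev["sif"] == "inside" and not any(sip in net for net in INSIDE_NETS):
        return "expired-xlate-global" if sip in GLOBAL_POOL else "expired-xlate-foreign"
    return "no-nat-rule"

def summarize(lines):
    """Count 305005 events per label so a NAT config gap stands out from timeout noise."""
    counts = Counter()
    for line in lines:
        ev = parse_305005(line)
        if ev is not None:
            counts[classify(ev)] += 1
    return counts
```

A rising "no-nat-rule" count points at a host with no matching nat/static entry, while the "expired-xlate" labels are the timing noise discussed in this thread.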
 

The PIX is the VPN endpoint, as you can see from the
config and the "diagram" listed above. Then there is a
router "behind" the PIX. I am trying to authenticate
with a policy server on the LAN, which will then give
the correct token to the CSACS server, which in turn
will allow access through the router.

The router config has not changed. The VPN client
has not changed. The CSACS server has not changed.

The only thing different is that the PIX was upgraded
to 7.0(1).

 
Hmm, and you can ping the router? I forget if that is possible when NAC is enabled on the interface. How about putting your permit ip host 10.1.0.2 host 10.1.0.100 in your nat 0 access-list. You only seem to have disabled NAT from the router to the 10.0.x.x network, which is not what the client is getting via the shark pool.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
The Nat0 was not the problem. I think it was lack of
ICMP to the router. Sorry, I'm not 100% sure what
corrected it, but it sees the Cisco Trust Agent now.

As for the NAT translation errors, I believe that was
answered earlier, but is there a way I can adjust the
timing so this does not happen? Traffic still flows,
so this is not a big issue.
 