topic Re: VPN logging in Network Security

VPN logging

Danny Guillory Jr — Mon, 11 Mar 2019 14:58:14 GMT

I have a cisco pix 506 and 9 cisco pix 501's the pix 506 is the main firewall that all the 501's VPN into... I have started logging on my pix 506:

ABVALVE-PIX(config)# show log

Syslog logging: enabled

Facility: 20

Timestamp logging: enabled

Standby logging: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: disabled

Trap logging: level errors, 337472 messages logged

Logging to inside 10.9.2.8

History logging: disabled

Device ID: disabled

History logging: disabled

Device ID: disabled

all i am getting in this log is alot of what you see below:

2/27/2009 0:00 Local4.Error 10.9.2.254 Feb 26 2009 22:57:30: %PIX-3-305005: No translation group found for tcp src inside:10.9.2.50/4037 dst outside:198.107.148.254/443

2/27/2009 0:00 Local4.Error 10.9.2.254 Feb 26 2009 22:57:35: %PIX-3-305005: No translation group found for tcp src inside:10.9.2.50/4038 dst outside:198.107.148.254/443

2/27/2009 0:00 Local4.Error 10.9.2.254 Feb 26 2009 22:57:40: %PIX-3-305005: No translation group found for tcp src inside:10.9.2.50/4039 dst outside:198.107.148.254/443

1. is there any way to ignore these?

2. When one of my VPN connections drop are the 506 loses connection to one of the 501'a I am not seeing a log for that even... is there any way to log VPN drops and reconnects.

Re: VPN logging

adamclarkuk_2 — Fri, 27 Feb 2009 15:33:02 GMT

Here is what that error means

%PIX-3-305005 (x1): No translation group found for protocol src interface_name:dest_address/dest_port

dst interface_name:source_address/source_port

Explanation: A packet does not match any of the outbound nat command rules.

Recommended Action: This message indicates a configuration error. If dynamic

NAT is desired for the source host, ensure that the nat command matches the source

IP address. If static NAT is desired for the source host, ensure that the local

IP address of the static command matches. If no NAT is desired for the source

host, check the ACL bound to the NAT 0 ACL.

I dont think you can log VPN drops/reconnects on the PIX ( someone will correct me if I'm wrong).

IF you need to know when a VPN is down, setup a Monitor server that sends ICMP down the other head of the tunnels from your headoffice and that can report to you when a tunnel has dropped and re established.

There are plenty of free ones out there :-

www.nagios.org for instance.

Re: VPN logging

Danny Guillory Jr — Fri, 27 Feb 2009 15:37:39 GMT

Thank you for your response. But i do Understand what that error means and WHY i am getting it. we do NOT use nat here in my network.

so the question was is there a way to have logging ignore that? if not its ok i can deal with it logging that. my main concern is logging the VPN connections when they drop and reconnect.

any ideas?

Re: VPN logging

adamclarkuk_2 — Fri, 27 Feb 2009 15:40:21 GMT

Sorry I updated my post afer you replied.

If you have no nat, try turning off nat control with the no nat-control command ( version 7 upwards)

Re: VPN logging

Danny Guillory Jr — Fri, 27 Feb 2009 15:47:18 GMT

I am using IpSwitch as my network monitor.

Problem is at my data center the pipe coming to my rack goes to a small none managed network HUB then to my pix it goes to the network hub 1st b/c we have 1 drop that is redundant from the DC. so i have 2 cat5 cables that are handed down to my rack.

that plug into the hub, from the hub to my pix 506. e0 of course. i need to know by logging if the pix is dropping connection... if its not then its the hub. I am trying to isolate the problem to the pix are the hub.

for instanse last night at 306am all 9 of my VPN's dropped connection and were back online at 307am. so what hiccuped the pix are the hub. by using logs i should be able to tell if the pix had a error and reset are hicupped.