PIX/ASA - No translation group found for tcp src

Hi, 

I am not able to ssh to a device behind a PIX firewall due to this error

Apr 01 2017 16:25:07: %PIX-3-305005: No translation group found for tcp src outside:192.168.255.10/47080 dst inside.50:192.168.50.10/22

I don't get the error, since the packet is coming from the outside interface with destination inside and the PIX has a route for the source address coming from outside (it is a connected subnet).

: Saved
:
PIX Version 8.0(4)
!
hostname PIX5151e
enable password CL.khMZg4eIU8kpv encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0
description //--OUTSIDE--//
nameif outside
security-level 0
ip address 192.168.255.50 255.255.255.0
!
interface Ethernet1
description //--INSIDE--//
no nameif
no security-level
no ip address
!
interface Ethernet1.10
no vlan
no nameif
no security-level
no ip address
!
interface Ethernet1.20
vlan 20
nameif inside.20
security-level 50
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet1.30
vlan 30
nameif inside.30
security-level 50
ip address 192.168.30.1 255.255.255.0
!
interface Ethernet1.40
vlan 40
nameif inside.40
security-level 50
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet1.50
vlan 50
nameif inside.50
security-level 50
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet1.60
vlan 60
nameif inside.60
security-level 50
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet1.70
vlan 70
nameif inside.70
security-level 50
ip address 192.168.70.1 255.255.255.0
!
ftp mode passive
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.255.10
object-group network DEB01.70
network-object host 192.168.70.12
object-group network PI.255
network-object host 192.168.255.10
object-group network DMZ.50
network-object host 192.168.50.10
object-group network DMZ.20
network-object host 192.168.20.10
access-list PERMIT extended permit ip any any
access-list PERMIT-DEB01-IN extended permit udp object-group PI.255 object-group DEB01.70 eq ntp
access-list PERMIT-DEB01-IN extended permit tcp object-group PI.255 object-group DEB01.70 eq ssh
access-list PERMIT-DEB01-IN extended permit udp object-group PI.255 object-group DEB01.70 eq domain
access-list PERMIT-DEB01-IN extended permit tcp any object-group DEB01.70 eq www
access-list PERMIT-DEB01-IN extended permit tcp any object-group DEB01.70 eq https
access-list PERMIT-DEB01-IN extended deny ip any any log
access-list DEB01-OUT extended permit tcp object-group DEB01.70 any eq www
access-list DEB01-OUT extended permit tcp object-group DEB01.70 any eq https
access-list DEB01-OUT extended permit udp object-group DEB01.70 object-group PI.255 eq domain
access-list DEB01-OUT extended permit udp object-group DEB01.70 object-group PI.255 eq ntp
access-list DEB01-OUT extended deny ip any any log
access-list DMZ-OUT extended permit icmp object-group DMZ.50 host 8.8.8.8
access-list DMZ-OUT extended permit icmp object-group DMZ.50 interface inside.50
access-list DMZ-OUT extended permit udp object-group DMZ.50 any eq domain
access-list DMZ-OUT extended permit udp object-group DMZ.50 object-group PI.255 eq ntp
access-list DMZ-OUT extended permit tcp object-group DMZ.50 any eq www
access-list DMZ-OUT extended permit tcp object-group DMZ.50 any eq https
access-list DMZ-OUT extended permit tcp object-group DMZ.50 any eq ftp
access-list DMZ-OUT extended permit tcp object-group DMZ.50 any eq ftp-data
access-list DMZ-OUT extended deny ip any any log
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered notifications
logging trap notifications
mtu outside 1500
mtu inside.20 1500
mtu inside.30 1500
mtu inside.40 1500
mtu inside.50 1500
mtu inside.60 1500
mtu inside.70 1500
ip audit name dns_info info action
ip audit name dns_attack attack action
ip audit interface outside dns_info
ip audit interface outside dns_attack
ipv6 access-list IPv6 permit ip any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 8.8.8.8 echo-reply outside
icmp permit 192.168.255.0 255.255.255.0 echo outside
icmp permit 192.168.255.0 255.255.255.0 echo-reply outside
icmp permit 192.168.20.0 255.255.255.0 inside.20
icmp permit 192.168.30.0 255.255.255.0 inside.30
icmp permit 192.168.40.0 255.255.255.0 inside.40
icmp permit 192.168.50.0 255.255.255.0 inside.50
icmp permit host 192.168.70.12 inside.70
asdm image flash:/asdm.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside.50) 1 192.168.50.0 255.255.255.0
nat (inside.70) 1 192.168.70.0 255.255.255.0
access-group PERMIT in interface outside
access-group DMZ-OUT in interface inside.50
access-group DEB01-OUT in interface inside.70
!
router ospf 1
router-id 192.168.255.50
network 192.168.50.0 255.255.255.0 area 1
network 192.168.255.0 255.255.255.0 area 0
log-adj-changes
redistribute connected subnets
default-information originate
!
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
snmp-server location London,England,United Kingdom
snmp-server contact lvrfrc87@gmail.com
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 1000
telnet timeout 60
ssh 192.168.0.0 255.255.0.0 outside
ssh timeout 60
console timeout 0
priority-queue outside
queue-limit 488
tx-ring-limit 128
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.255.10 source outside prefer
username root password dkBAO53Id5ndYed4 encrypted privilege 15
tunnel-group 192.168.255.1 type ipsec-l2l
tunnel-group 192.168.255.1 ipsec-attributes
pre-shared-key *
!
class-map QoS_DNS_TAG
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
message-length maximum client auto
id-mismatch count 10 duration 2 action log
policy-map type inspect http web_server
parameters
protocol-violation action drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http web_server
policy-map QoS_DNS
class QoS_DNS_TAG
priority
!
service-policy global_policy global
service-policy QoS_DNS interface outside
prompt hostname context
Cryptochecksum:2f3e9c4423ff330c10c9cc1716114012
: end
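Added example, not part of the post and not Cisco code: a small Python diagnostic that reads the pre-8.3 style nat/global/static lines from a PIX/ASA config and a 305005 syslog line, and reports whether the flow in the log has any translation that could serve a connection initiated from the source interface. It assumes the pre-8.3 NAT behaviour that a nat/global pair (and plain nat 0 identity NAT without an access-list) only builds translations for connections initiated from the nat interface, while a static (real_if,mapped_if) entry covering the host is what serves inbound flows. The sample config and log line are taken from the post above; the hypothetical static line, the function names and the verdict labels are this example's own.

```python
import ipaddress
import re

# Syslog 305005 as logged by PIX/ASA 8.0 (the line in the post has this shape).
SYSLOG_305005 = re.compile(
    r"%(?:PIX|ASA)-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
# Pre-8.3 NAT syntax only: nat/global pairs and static (real_if,mapped_if) lines.
NAT_RE = re.compile(r"^nat \((?P<if>[^)]+)\) (?P<id>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)")
GLOBAL_RE = re.compile(r"^global \((?P<if>[^)]+)\) (?P<id>\d+) ")
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<mapped>[\d.]+) (?P<real>[\d.]+)"
    r"(?: netmask (?P<mask>[\d.]+))?"
)

# Constructed sample: the nat/global lines and the syslog line from the post.
SAMPLE_CONFIG = """global (outside) 1 interface
nat (inside.50) 1 192.168.50.0 255.255.255.0
nat (inside.70) 1 192.168.70.0 255.255.255.0
"""
SAMPLE_LOG = ("Apr 01 2017 16:25:07: %PIX-3-305005: No translation group found for tcp "
              "src outside:192.168.255.10/47080 dst inside.50:192.168.50.10/22")
# Hypothetical identity static (not in the post) used to show the other outcome.
HYPOTHETICAL_STATIC = "static (inside.50,outside) 192.168.50.10 192.168.50.10 netmask 255.255.255.255\n"


def parse_nat_rules(config_text):
    """Collect nat, global and static rules from a running-config text."""
    rules = {"nat": [], "global": [], "static": []}
    for line in config_text.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            rules["nat"].append({"if": m["if"], "id": int(m["id"]),
                                 "net": ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)})
            continue
        m = GLOBAL_RE.match(line)
        if m:
            rules["global"].append({"if": m["if"], "id": int(m["id"])})
            continue
        m = STATIC_RE.match(line)
        if m:
            mask = m["mask"] or "255.255.255.255"
            rules["static"].append({
                "real_if": m["real_if"], "mapped_if": m["mapped_if"],
                "real": ipaddress.ip_network(f"{m['real']}/{mask}", strict=False),
                "mapped": ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False)})
    return rules


def parse_305005(line):
    """Return the flow fields of a 305005 message, or None if the line is something else."""
    m = SYSLOG_305005.search(line)
    if not m:
        return None
    return {k: (int(v) if k.endswith("port") else v) for k, v in m.groupdict().items()}


def diagnose(config_text, syslog_line):
    """Explain a 305005 event against the NAT rules in the config."""
    ev = parse_305005(syslog_line)
    if ev is None:
        return {"matched": False}
    rules = parse_nat_rules(config_text)
    dst = ipaddress.ip_address(ev["dst_ip"])
    # Dynamic NAT/PAT (nat id N paired with global id N on the source-side interface)
    # and plain identity NAT (nat id 0 without access-list) only create translations
    # for connections initiated from the nat interface, so they cannot serve this
    # inbound flow from src_if to dst_if (assumed pre-8.3 semantics).
    outbound_only = [
        r for r in rules["nat"]
        if r["if"] == ev["dst_if"] and dst in r["net"]
        and (r["id"] == 0 or any(g["id"] == r["id"] and g["if"] == ev["src_if"]
                                 for g in rules["global"]))
    ]
    # A static between the two interfaces that covers the host (identity static
    # included) is what lets a connection from src_if reach it.
    inbound = [
        s for s in rules["static"]
        if s["real_if"] == ev["dst_if"] and s["mapped_if"] == ev["src_if"]
        and (dst in s["mapped"] or dst in s["real"])
    ]
    if inbound:
        verdict = "static-present"   # a translation exists; look elsewhere for the cause
    elif outbound_only:
        verdict = "dynamic-only"     # host is covered only by outbound-initiated NAT
    else:
        verdict = "no-nat-rule"      # no nat/global/static line mentions this host
    return {"matched": True, "flow": f"{ev['src_if']}->{ev['dst_if']}",
            "destination": ev["dst_ip"],
            "outbound_only_ids": sorted({r["id"] for r in outbound_only}),
            "static_count": len(inbound), "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, SAMPLE_LOG))
    print(diagnose(SAMPLE_CONFIG + HYPOTHETICAL_STATIC, SAMPLE_LOG))
```

Run against the posted config, the script reports the flow outside->inside.50 to 192.168.50.10 as "dynamic-only": the host falls under nat (inside.50) 1 with global (outside) 1, and no static between inside.50 and outside covers it. With the hypothetical identity static appended, the same log line is reported as "static-present", which is the state a practitioner would want to confirm before looking at access lists or routing for a different cause. The regexes cover only the pre-8.3 nat/global/static syntax, so an 8.3+ object NAT config would need a different parser.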
