PIX_SYSLOG_MESSAGES

amancuso
Level 1

NAT services have been reduced to only 2 vlans.

The computers on the remaining vlans use ISA_Server for access to the internet.

The syslog server has tremendous amounts of the following messages:

305005

Error Message %PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

Explanation A packet does not match any of the outbound nat rules.

Recommended Action This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL.

To remove the enormous amount of messages I will use the no logging message 305005 command. However, this configuration change will not stop the actual events from happening.

Is this type of message common, or do I have a misconfiguration on the PIX itself, or are there changes that need to be made on the routers?

As I see it, a client makes an HTTP request to the internet. The browser has the proxy IP. The traffic is directed to the proxy. The proxy requests the page.

Is this correct?

Why is the firewall denying a translation for the client on the PIX?

3 Replies 3

matthew.mohan
Level 1

Without looking at a trace of the traffic, I think your assumption is correct. The PIX sees traffic initiated by the ISA returning on its outside interface. Because it didn't exit the PIX, there is no dynamic ACL created for that returning traffic and it fails. Other than the syslog messages, are you seeing anything fail on the client side?

BTW, if I were offered the opportunity I would make every attempt to scrap the ISA server.

Matthew,

The clients experience no problems. They browse the way they should via proxy. I will look into this in depth with a trace.

Your thoughts on ISA, can you elaborate?

Can you provide any links supporting this?

Thank you

matthew.mohan
Level 1

The trace should help, although I am surprised that clients are not experiencing any problems.

I currently work for M'soft in Enterprise Network Support, supporting ISA. ISA unnecessarily complicates the network, unless you're exclusively using it as a web proxy to restrict web traffic, and even in that case I would use Websense instead. I am simply speaking from opinion ;-)
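
An added example, not part of the original thread: before silencing 305005, the syslog file can be tallied to see which source hosts and flows are producing the message, which tells you whether they sit on the VLANs that lost NAT. The log lines are constructed samples, the function names are hypothetical, and the regex follows the template quoted in the first post, taking the address after `src` as the source.

```python
import re
from collections import Counter

# Layout follows the 305005 template quoted in the first post:
#   protocol src ifname:addr/port dst ifname:addr/port
# The port is treated as optional (assumption) so port-less lines still parse.
MSG_305005 = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

# Constructed sample lines (private and documentation addresses), not real logs.
SAMPLE_LOG = """\
Mar 01 10:00:01 pix %PIX-3-305005: No translation group found for tcp src inside:10.1.30.15/1045 dst outside:192.0.2.80/80
Mar 01 10:00:02 pix %PIX-3-305005: No translation group found for tcp src inside:10.1.30.15/1046 dst outside:192.0.2.80/80
Mar 01 10:00:03 pix %PIX-3-305005: No translation group found for udp src inside:10.1.40.22/1030 dst outside:198.51.100.53/53
Mar 01 10:00:04 pix %PIX-6-302013: Built outbound TCP connection 101 for outside:192.0.2.80/80 (192.0.2.80/80) to inside:10.1.20.5/1050 (203.0.113.5/1050)
Mar 01 10:00:05 pix %PIX-3-305005: No translation group found for tcp src inside:10.1.30.15/1047 dst outside:192.0.2.90/443
"""


def parse_305005(line):
    """Return the message fields as a dict, or None for any other line."""
    match = MSG_305005.search(line)
    return match.groupdict() if match else None


def summarize(lines):
    """Count 305005 events per source host and per flow (source port ignored)."""
    by_src, by_flow = Counter(), Counter()
    for line in lines:
        rec = parse_305005(line)
        if rec is None:
            continue
        by_src[(rec["src_if"], rec["src_ip"])] += 1
        # The client source port is ephemeral, so it is left out of the flow key.
        by_flow[(rec["proto"], rec["src_ip"], rec["dst_ip"], rec["dst_port"])] += 1
    return by_src, by_flow


if __name__ == "__main__":
    by_src, by_flow = summarize(SAMPLE_LOG.splitlines())
    for (ifname, ip), count in by_src.most_common():
        print(f"{count:5d}  {ifname}:{ip}")
    for (proto, src, dst, port), count in by_flow.most_common():
        print(f"{count:5d}  {proto} {src} -> {dst}/{port}")
```

Sources that belong to proxied VLANs but appear here are sending traffic straight at the PIX instead of through the proxy, which is worth knowing before the message is disabled.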
