03-16-2004 01:56 PM - edited 02-20-2020 11:18 PM
NAT services have been reduced to only 2 vlans.
The computers on the remaining vlans use ISA_Server for access to the internet.
The syslog server has tremendous amounts of the following messages:
305005
Error Message %PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port
Explanation A packet does not match any of the outbound nat rules.
Recommended Action This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL.
To remove the enormous amount of messages I will use the no logging message 305005 command. However, this configuration change will not stop the actual events from happening.
Is this type of message common, or do I have a misconfiguration on the PIX itself, or are there changes that need to be made on the routers?
As I see it: a client makes an HTTP request to the internet. The browser has the proxy IP. The traffic is directed to the proxy. The proxy requests the page.
Is this correct?
Why does the firewall deny a translation for the client on the PIX?
03-16-2004 03:12 PM
Without looking at a trace of the traffic, I think your assumption is correct. The PIX sees traffic initiated by the ISA returning on its outside interface. Because it didn't exit the PIX, there is no dynamic ACL created for that returning traffic and it fails. Other than the syslog messages, are you seeing anything fail on the client side?
BTW, if I were offered the opportunity I would make every attempt to scrap the ISA server.
03-16-2004 05:56 PM
Matthew,
The clients experience no problems. They browse the way they should via proxy. I will look into this in depth with a trace.
Your thoughts on ISA, can you elaborate?
Can you provide any links supporting this?
Thank you
03-17-2004 10:20 AM
The trace should help, although I am surprised that clients are not experiencing any problems.
I currently work for M'soft in Enterprise Network Support, supporting ISA. ISA unnecessarily complicates the network, unless you're exclusively using it as a web proxy to restrict web traffic, and even in that case I would use Websense instead. I am simply speaking from opinion ;-)
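An added example (not part of the thread and not Cisco code): before suppressing the flood with `no logging message 305005`, tallying the messages by source host and destination shows which hosts are sending traffic that matches no NAT rule. The log lines are constructed samples that follow the message template quoted in the first post, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Template quoted in the thread:
# %PIX-3-305005: No translation group found for <protocol>
#   src <interface>:<address>/<port> dst <interface>:<address>/<port>
# The port is optional here so that port-less lines (e.g. ICMP) still parse.
PATTERN = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

# Constructed sample syslog lines (not from the thread); private and
# documentation address ranges only.
SAMPLE_LOG = """\
Mar 16 2004 13:50:01 pix : %PIX-3-305005: No translation group found for tcp src inside:10.1.30.21/1045 dst outside:192.0.2.80/80
Mar 16 2004 13:50:01 pix : %PIX-3-305005: No translation group found for tcp src inside:10.1.30.21/1046 dst outside:192.0.2.80/80
Mar 16 2004 13:50:02 pix : %PIX-3-305005: No translation group found for tcp src inside:10.1.30.21/1047 dst outside:192.0.2.80/443
Mar 16 2004 13:50:03 pix : %PIX-6-302013: Built outbound TCP connection 881 for outside:192.0.2.80/80 (192.0.2.80/80) to inside:10.1.10.5/1100 (203.0.113.5/1100)
Mar 16 2004 13:50:04 pix : %PIX-3-305005: No translation group found for udp src inside:10.1.40.7/1030 dst outside:198.51.100.53/53
Mar 16 2004 13:50:05 pix : %PIX-3-305005: No translation group found for icmp src inside:10.1.40.7 dst outside:198.51.100.53 (type 8, code 0)
"""


def summarize(log_text):
    """Count 305005 events per source host and per (proto, src, dst, dst_port) flow."""
    sources = Counter()
    flows = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m is None:
            continue  # not a 305005 message
        sources[(m["src_if"], m["src_ip"])] += 1
        flows[(m["proto"], m["src_ip"], m["dst_ip"], m["dst_port"])] += 1
    return sources, flows


if __name__ == "__main__":
    sources, flows = summarize(SAMPLE_LOG)
    print("Hosts with no matching NAT rule:")
    for (iface, ip), count in sources.most_common():
        print(f"  {iface}:{ip}  {count} events")
    print("Top flows:")
    for (proto, src, dst, port), count in flows.most_common(5):
        print(f"  {proto} {src} -> {dst}:{port or '-'}  {count}")
```

Source hosts that sit on the proxied VLANs but still show up here are the ones whose traffic is bypassing the proxy and reaching the PIX directly.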