PIX 515 8.03 L2TP/PPTP - No translation group found

Discussion in 'Cisco' started by luciogodoy, May 17, 2008.

  1. luciogodoy

    Hi All;

    I have been trying to fix the "No translation group found" message for days now and I haven't been able to do so, hence my post.

    I have a simple network with a PIX 515 running pixos 8.03, and I would like Win XP computers to connect from the Internet to a Web server hosted on the DMZ via a PPTP VPN connection.

    I can successfully log in to the PIX from the Win XP, I am able to ping the interfaces (all 3 of them) but I am not able to ping or connect to the web server on port 80.

    I keep on getting "No translation group found" messages, could somebody shed some light, pls?

    Many thanks

    Lucio

    #sh running
    : Saved
    :
    PIX Version 8.0(3)
    !
    hostname gatekeeper
    domain-name nonono.com
    enable password dQ1mI8Vv4fqni3E5iu encrypted
    names
    name 192.168.1.100 WEB_SERVER
    name 78.186.13.1 GATEWAY
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 78.186.13.92 255.255.240.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 172.16.1.254 255.255.255.0
    !
    interface Ethernet2
    nameif dmz
    security-level 50
    ip address 192.168.1.254 255.255.255.0
    !
    passwd 2KFQnbNdfIdI.2KYa12OU encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name nonono.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network MailHopRelayGroup
    description Mail Hop Relay Group
    network-object MailHopRelay02 255.255.255.0
    network-object MailHopRelay01 255.255.255.0
    access-list ACLOUT extended permit tcp any host 78.186.13.95 eq www
    access-list ACLOUT extended permit tcp any host 78.186.13.95 eq https
    access-list ACLOUT extended permit tcp PublicHomeNetwork 255.255.255.0 host 78.186.13.95 eq ftp
    access-list ACLOUT extended permit tcp PublicHomeNetwork 255.255.255.0 host 78.186.13.95 eq ftp-data
    access-list ACLOUT extended permit tcp PublicHomeNetwork 255.255.255.0 host 78.186.13.95 eq ssh
    access-list ACLOUT extended permit tcp PublicHomeNetwork 255.255.255.0 host 78.186.13.95 eq 10000
    access-list ACLOUT extended permit tcp object-group MailHopRelayGroup host 78.186.13.95 eq smtp
    access-list ACLOUT extended permit tcp PublicHomeNetwork 255.255.255.0 host 78.186.13.95 eq 3389
    access-list http-list2 extended permit tcp any host 78.186.13.94
    access-list http-list2 extended permit tcp any host 78.186.13.95
    access-list dmz_access_in extended permit ip any any
    access-list nonat extended permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0 inactive
    access-list 101 extended deny ip 172.16.2.0 255.255.255.0 any
    access-list 101 extended permit ip any any
    !
    tcp-map mss-map
    exceed-mss allow
    !
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool clientVPNpool 172.16.2.1-172.16.2.20 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (outside) 1 78.186.13.96 netmask 255.255.255.255
    global (outside) 1 78.186.13.97 netmask 255.255.255.255
    global (outside) 1 78.186.13.98 netmask 255.255.255.255
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list 101 outside
    nat (outside) 0 172.16.1.0 255.255.255.0
    nat (outside) 0 192.168.1.0 255.255.255.0
    nat (dmz) 1 0.0.0.0 0.0.0.0
    static (dmz,outside) tcp 78.186.13.95 www WEB_SERVER www netmask 255.255.255.255
    static (dmz,outside) tcp 78.186.13.95 ftp WEB_SERVER ftp netmask 255.255.255.255
    static (dmz,outside) tcp 78.186.13.95 ftp-data WEB_SERVER ftp-data netmask 255.255.255.255
    static (dmz,outside) tcp 78.186.13.95 smtp WEB_SERVER smtp netmask 255.255.255.255
    static (dmz,outside) tcp 78.186.13.95 ssh WEB_SERVER ssh netmask 255.255.255.255
    static (dmz,outside) tcp 78.186.13.95 https WEB_SERVER https netmask 255.255.255.255
    static (dmz,outside) tcp 78.186.13.95 3389 192.168.1.101 3389 netmask 255.255.255.255
    static (dmz,outside) tcp 78.186.13.95 10000 WEB_SERVER 10000 netmask 255.255.255.255
    access-group ACLOUT in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 GATEWAY 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server vpn protocol radius
    aaa-server vpn host 192.168.1.10
    key windows
    http server enable
    http PublicHomeNetwork 255.255.255.0 outside
    http 192.168.1.0 255.255.255.0 dmz
    http 172.16.1.0 255.255.255.0 inside
    http 10.10.10.1 255.255.255.255 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 5
    dhcpd address 172.16.1.2-172.16.1.10 inside
    dhcpd dns 78.186.13.51 interface inside
    dhcpd wins GATEWAY interface inside
    dhcpd domain nonono.com interface inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics
    ntp server 78.186.13.101 source outside
    ntp server 78.186.13.68 source outside
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 78.186.13.51
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value nonono.com
    username test password Mu2wwwHvbX9dfxenLqIVHNw2gY1A== nt-encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool clientVPNpool
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    policy-map http-map1
    !
    service-policy global_policy global
    service-policy http-map1 interface outside
    smtp-server 192.168.1.100
    prompt hostname context


    LOG Messages:
    3 May 17 2008 18:06:40 305005 WEB_SERVER No translation group found for tcp src outside:172.16.2.1/1261 dst dmz:WEB_SERVER/80

    3 May 17 2008 18:06:43 305005 WEB_SERVER No translation group found for tcp src outside:172.16.2.1/1261 dst dmz:WEB_SERVER/80

    3 May 17 2008 18:06:49 305005 WEB_SERVER No translation group found for tcp src outside:172.16.2.1/1261 dst dmz:WEB_SERVER/80
     
    luciogodoy, May 17, 2008
    #1
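A triage aid for the post above, added here as an example and not part of the original post: it groups the 305005 messages into distinct flows, then reports, for each access list bound to a `nat (if) 0` statement in the posted config, the first active entry that matches the flow. The function names are this example's own, and the parser only handles the `ip` ACL forms that appear in the post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Copied from the post above: the three log lines and the name/ACL/nat 0 lines.
LOGS = """\
3 May 17 2008 18:06:40 305005 WEB_SERVER No translation group found for tcp src outside:172.16.2.1/1261 dst dmz:WEB_SERVER/80
3 May 17 2008 18:06:43 305005 WEB_SERVER No translation group found for tcp src outside:172.16.2.1/1261 dst dmz:WEB_SERVER/80
3 May 17 2008 18:06:49 305005 WEB_SERVER No translation group found for tcp src outside:172.16.2.1/1261 dst dmz:WEB_SERVER/80
"""
CONFIG = """\
name 192.168.1.100 WEB_SERVER
access-list nonat extended permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0 inactive
access-list 101 extended deny ip 172.16.2.0 255.255.255.0 any
access-list 101 extended permit ip any any
nat (inside) 0 access-list nonat
nat (outside) 0 access-list 101 outside
"""
FLOW = re.compile(r"305005 \S+ No translation group found for (\S+) "
                  r"src (\w+):([^/\s]+)/(\d+) dst (\w+):([^/\s]+)/(\d+)")

def parse_flows(logs, config):
    """Count distinct flows in 305005 messages, resolving 'name' aliases to IPs."""
    names = {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)", config, re.M)}
    return Counter((p, si, names.get(s, s), di, names.get(d, d), int(dp))
                   for p, si, s, _, di, d, dp in FLOW.findall(logs))

def take_addr(tok):  # consume one ACL address spec: 'any', 'host A' or 'A MASK'
    head = tok.pop(0)
    if head in ("any", "host"):
        return ip_network("0.0.0.0/0" if head == "any" else tok.pop(0))
    return ip_network(f"{head}/{tok.pop(0)}")

def nat0_verdicts(config, src, dst):
    """Per ACL bound to 'nat (if) 0': first entry not marked 'inactive' matching src -> dst."""
    out = {acl: (ifc, "no match") for ifc, acl in
           re.findall(r"^nat \((\w+)\) 0 access-list (\S+)", config, re.M)}
    for tok in map(str.split, config.splitlines()):
        if tok[:1] != ["access-list"] or out.get(tok[1], ("", ""))[1] != "no match":
            continue
        rest = tok[5:]  # skips: 'access-list', name, 'extended', action, protocol
        s, d = take_addr(rest), take_addr(rest)
        if "inactive" not in rest and ip_address(src) in s and ip_address(dst) in d:
            out[tok[1]] = (out[tok[1]][0], tok[3])
    return out

if __name__ == "__main__":
    for flow, hits in parse_flows(LOGS, CONFIG).items():
        print(hits, flow, nat0_verdicts(CONFIG, flow[2], flow[4]))
```

For the posted lines this reports one flow seen three times, no active match in `nonat` (bound to `inside`), and a `deny` as the first match in `101` (bound to `outside`).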