I seem to have stumbled on an issue in our test environment. Please see the explanation below and the relevant lines of the configuration.
We have a PIX that is using 2 interfaces, inside and outside, no DMZ.
The network outside of the PIX is 10.1.0.0/16. The network inside the PIX is 172.16.15.0/27.
Behind the PIX is a web server. NAT is configured so that HTTP traffic to the web server which is directed at its external IP address (10.1.96.2) is port-redirected to its real IP address on the inside (172.16.15.30). This is achieved using static NAT.
The web server needs to initiate outbound traffic. In this example I have configured it to be able to do DNS lookups on external servers (10.1.15.98 + 99). The "inside" access-list and nat/global pair achieve this.
OK so far. For argument's sake, the web server needs to receive HTTP traffic from the same source IP address. I have achieved this using outside NAT with another nat/global pair. All inbound HTTP requests appear to the web server as 192.168.0.1.
This is when the problem occurs. The inbound HTTP requests still succeed. The destination IP address is changed to the web server's real IP address and the source IP address is changed to the address configured with the inside global. This has been verified by entries in the web server logs.
What now fails to work is any outbound requests. The error I see on the PIX is:
"No translation group found for udp src inside:172.16.15.30/1340 dst outside:10.1.15.99/53"
I am puzzled, as this message normally appears when NAT has not been configured, yet it has been, and it has worked up until this point.
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list outside permit tcp any host 10.1.96.2 eq www
access-list outside deny ip any any
access-list policy-nat permit tcp any host 10.1.96.2 eq www
access-list inside permit tcp host 172.16.15.30 host 10.1.15.98 eq domain
access-list inside permit tcp host 172.16.15.30 host 10.1.15.99 eq domain
access-list inside permit udp host 172.16.15.30 host 10.1.15.99 eq domain
access-list inside permit udp host 172.16.15.30 host 10.1.15.98 eq domain
ip address outside 10.1.96.1 255.255.0.0
ip address inside 172.16.15.1 255.255.255.224
global (outside) 2 10.1.96.2
global (inside) 1 192.168.0.1
nat (outside) 1 access-list policy-nat outside 0 0
nat (inside) 2 172.16.15.30 255.255.255.255 0 0
static (inside,outside) tcp 10.1.96.2 www 172.16.15.30 www netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
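The following is an added example and is not part of the original post. It is a small audit helper that parses the access-list, nat, global, static and access-group lines quoted above, parses the "No translation group found" syslog message into a flow, and reports what the static configuration says about that flow: the ACL verdict on the ingress interface, any static that covers it, the nat ids that cover its source, and the global addresses those ids have on the egress interface. The matching model is a deliberate simplification (only the statement forms that appear in the post are handled, and it is not the PIX's own lookup logic), and the inbound HTTP flow it traces second uses a constructed source address and port.

```python
"""Trace one flow through PIX-style access-list / nat / global / static lines.
Simplified audit model: handles only the statement forms quoted in the post."""
import ipaddress
import re
from collections import namedtuple

# Configuration lines as quoted in the post.
CONFIG = """\
access-list outside permit tcp any host 10.1.96.2 eq www
access-list outside deny ip any any
access-list policy-nat permit tcp any host 10.1.96.2 eq www
access-list inside permit tcp host 172.16.15.30 host 10.1.15.98 eq domain
access-list inside permit tcp host 172.16.15.30 host 10.1.15.99 eq domain
access-list inside permit udp host 172.16.15.30 host 10.1.15.99 eq domain
access-list inside permit udp host 172.16.15.30 host 10.1.15.98 eq domain
global (outside) 2 10.1.96.2
global (inside) 1 192.168.0.1
nat (outside) 1 access-list policy-nat outside 0 0
nat (inside) 2 172.16.15.30 255.255.255.255 0 0
static (inside,outside) tcp 10.1.96.2 www 172.16.15.30 www netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
"""
# The syslog message quoted in the post.
LOG_LINE = ("No translation group found for udp src inside:172.16.15.30/1340 "
            "dst outside:10.1.15.99/53")
PORT_NAMES = {"www": 80, "domain": 53}
LOG_RE = re.compile(r"No translation group found for (\w+) src (\w+):([\d.]+)/(\d+) "
                    r"dst (\w+):([\d.]+)/(\d+)")
Flow = namedtuple("Flow", "proto src_if src_ip src_port dst_if dst_ip dst_port")
Ace = namedtuple("Ace", "action proto src dst dport")  # dport None means any port


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(t, i):
    """Consume one address spec (any | host A | A MASK) at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def ace_matches(ace, f):
    return (ace.proto in ("ip", f.proto)
            and ipaddress.ip_address(f.src_ip) in ace.src
            and ipaddress.ip_address(f.dst_ip) in ace.dst
            and (ace.dport is None or ace.dport == f.dst_port))


def parse_config(text):
    """acls: name->[Ace]; groups: iface->acl applied inbound; nats: [(iface, id, net, acl)];
    pools: (iface, id)->global address; statics: [(proto, mapped, mport, real, rport)]."""
    cfg = {"acls": {}, "groups": {}, "nats": [], "pools": {}, "statics": []}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":     # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            cfg["acls"].setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":  # access-group NAME in interface IF
            cfg["groups"][t[4]] = t[1]
        elif t[0] == "global":        # global (IF) ID ADDRESS
            cfg["pools"][(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "nat":           # nat (IF) ID access-list NAME ... | nat (IF) ID ADDR MASK ...
            net = None if t[3] == "access-list" else _addr(t, 3)[0]
            cfg["nats"].append((t[1].strip("()"), int(t[2]), net, t[4] if net is None else None))
        elif t[0] == "static":        # static (REAL_IF,MAPPED_IF) PROTO MAPPED MPORT REAL RPORT ...
            cfg["statics"].append((t[2], t[3], _port(t[4]), t[5], _port(t[6])))
    return cfg


def parse_log(line):
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 'No translation group found' message")
    proto, sif, sip, sport, dif, dip, dport = m.groups()
    return Flow(proto, sif, sip, int(sport), dif, dip, int(dport))


def trace(cfg, f):
    """ACL verdict on the ingress interface, statics covering the flow, nat ids covering
    its source on that interface, and the global addresses those ids have on the egress side."""
    acl, verdict = cfg["groups"].get(f.src_if), "no-acl"
    if acl:  # first matching entry wins; no match means the implicit deny
        verdict = next((a.action for a in cfg["acls"].get(acl, []) if ace_matches(a, f)), "implicit-deny")
    statics = [s for s in cfg["statics"] if s[0] == f.proto and
               ((f.src_ip, f.src_port) == (s[3], s[4]) or (f.dst_ip, f.dst_port) == (s[1], s[2]))]
    nat_ids = [nid for iface, nid, net, acl_name in cfg["nats"] if iface == f.src_if and (
        (net is not None and ipaddress.ip_address(f.src_ip) in net) or
        (acl_name and any(a.action == "permit" and ace_matches(a, f)
                          for a in cfg["acls"].get(acl_name, []))))]
    pools = [cfg["pools"][(f.dst_if, i)] for i in nat_ids if (f.dst_if, i) in cfg["pools"]]
    return {"acl": verdict, "statics": statics, "nat_ids": nat_ids, "globals": pools}


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print(trace(cfg, parse_log(LOG_LINE)))
    # Constructed inbound HTTP request: the source address and port are made up.
    print(trace(cfg, Flow("tcp", "outside", "10.1.15.98", 40000, "inside", "10.1.96.2", 80)))
```

Run as-is, the first trace shows that for the failing DNS flow the inside access-list permits it, nat id 2 covers 172.16.15.30 and global id 2 supplies 10.1.96.2 on outside, which is exactly the reading that makes the syslog message surprising; the second trace shows the inbound HTTP request hitting the policy-nat entry (global 192.168.0.1 on inside) and the static at the same time, matching the behaviour reported in the web server logs. A trace like this is useful for checking what a configuration nominally provides for a flow before looking at the firewall's runtime translation state.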