PIX 501, IOS 6.3(5) Static Nat from outside to inside not working

Jul 23rd, 2007


I am stuck on a NAT for an incoming connection. On a command like

static (outside, inside) interface netmask

[outside is the name of the outside interface to the DMZ,

inside is the name of the inside interface, is the IP of the pinging computer from the DMZ to inside (on port TCP 20050)]

Nothing passes through to the inside side. The syslog messages I receive during the attempt are

"build local-host outside:

build static translation from outside: to inside


no translation group found found for tcp src outside dst inside"

Has anyone any idea of what I should correct?

Great thanks,


Jon Marshall Mon, 07/23/2007 - 08:41
Hi Laurent

If the host is on the DMZ then should the static statement not read

static (dmzint, inside) interface netmask

note: dmzint should be substituted with whatever your DMZ interface is called.



laurentElens Mon, 07/23/2007 - 12:21

"outside" is the name I gave to the "dmzint" interface (there are only two interfaces on the 501: one "in", one "out").

Thank you for your support Jon,

If you have any other idea, don't hesitate.


I'll attach the complete pix config to clarify the situation.

sundar.palaniappan Mon, 07/23/2007 - 14:01


Reconfigure your static as follows and test.

static (inside, outside) interface netmask



laurentElens Mon, 07/23/2007 - 15:16

It looks to make it!

Thank you very much Sundar.

(I still have no connection and a "pix-2-106001: inbound TCP connection denied from to flags SYN on interface outside" syslog message instead, but I look to be a big step further).



sundar.palaniappan Mon, 07/23/2007 - 15:34

That's good :-)

Can you resequence the access list named 'outworldACL' as follows? The network in the object group RFC1918 denies the traffic from the outside host before the explicit permit for the host comes into effect.

access-list outworldACL permit tcp host eq www any

access-list outworldACL permit icmp any any log

access-list outworldACL permit ip host any

access-list outworldACL deny ip object-group RFC1918 any



laurentElens Tue, 07/24/2007 - 07:11

There's good news and bad news:

The good news is: you are correct about the ACL, I did mix up there just before the test with the static NAT command suggestion # static (inside, outside) interface netmask #, and that was indeed the cause of the result.

The bad news is: now it appears that the static NAT command suggestion doesn't help:

The packet still doesn't come from the DMZ,

the syslog message is still "pix-3-305006: portmap translation creation failed for tcp src inside: dst outside:"

+ now I lost connectivity from inside to the dmz, with a syslog like : [pix-3-305006: portmap translation creation failed for tcp src inside: dst outside:]

==> The experimentation was interesting, but at least that part of the command # static (outside, inside) interface netmask # looks ok.

Do you have any idea of what else could be failing?



acomiskey Tue, 07/24/2007 - 07:18

If is inside it would actually be...

static (inside, outside) interface netmask

access-list outworldACL permit tcp host eq 20050

Am I reading this wrong?

laurentElens Tue, 07/24/2007 - 08:15

Well typing your suggestion, the syslog shows: # pix-6-305009: "Built static translation from inside: to outside

The aim is to build a static nat to allow the outside ip to reach the ip computer.

I had a nice looking log # build static translation from outside: to inside ( is the ip of the pix inside interface) with the

" static (outside, inside) interface netmask"

but indeed still the annoying #no translation group found found for tcp src outside dst inside and no packet passing through the nat from outside.

But thank you for your contribution.


acomiskey Tue, 07/24/2007 - 09:10

So from the outside you want to do "ping" or you want to do "ping"?

laurentElens Tue, 07/24/2007 - 09:36

From a test computer outside (on the DMZ) I want to ping another test computer inside.



acomiskey Tue, 07/24/2007 - 09:40

Yes, I understand you want to ping but to do that from the outside you must exempt from nat.

static (inside,outside) netmask


access-list nat0 permit ip host host

nat (inside) 0 access-list nat0

What I was asking above is if you wanted to ping by that address or did you want to ping using the outside interface address of the pix?

laurentElens Tue, 07/24/2007 - 10:38

Ok, I'll describe the network.

On the outside interface of the pix (the DMZ), the network is, on the inside the network is

I ping from (outside) to (inside). Using whatever working ip for the translation (but who have by consequence to belong to

laurentElens Tue, 07/31/2007 - 17:17

So for now the situation is this:

the command static (outside, inside) interface netmask

should work and should be the same as static (outside, inside) netmask

When I send data from (outside) to

the logs I receive are indeed

pix-6-609001: Built local-host outside:

pix-6-609009: Built static translation from outside to inside

...then what I wish not to see...

Pix-3-305005: No translation group found for udp src outside: dst inside


mattiaseriksson Tue, 07/31/2007 - 22:56


Ok so the outside source translation is successful, but do you have a static in place for the inside destination address

Like this: static (inside, outside) netmask

laurentElens Wed, 08/01/2007 - 15:21

Hello Mattia,

That's a good idea for a further step, thanks.

But don't worry, I am waiting with an Ethereal on promiscuous mode on both sides of the pix and it's not on the way back that my packets are blocked.

In fact nothing passes through from outside to inside. (Well, except the Xlates initiated on the inside interface).


laurentElens Wed, 08/01/2007 - 18:17

I have to add that a "show xlate debug" command shows the translation

1 in use, 7 most used

Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,

o - outside, r - portmap, s - static

NAT from outside: to inside: flags s idle 0:00:06 timeout


with the idle timer updated on every attempt.

SO looks like the packets are translated but don't go out of the pix.

BUT I don't see a problematic ACL, nor do I receive logs from ACL-blocked packets.

+ why then these log 3-305005: No translation ground found for ..."my packets"


mattiaseriksson Thu, 08/02/2007 - 02:18

Well, I repeat that you _must_ define a static for the destination address or network, not just the source. I did not see that in your config. Perhaps you can attach your new config?

laurentElens Thu, 08/02/2007 - 13:30

Well Mattia, indeed that was the line which makes it work. I have to understand a bit further about the process, but indeed even to allow a simple packet to pass through the pix from out to in, a translation from the destination address inside to that same address outside looks to be required.

Thank you very much for your help, I don't think I would have made it without you!
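
A log-triage sketch for the symptom this thread resolves, added here as an example and not code from any poster: it reads PIX syslog lines and reports, per failing flow, whether a static was logged for the source and for the destination. The sample lines and every address are constructed, and the patterns assume the usual PIX 6.3 layouts of messages 305005, 305009 and 106001.

```python
import re
from collections import Counter

# Constructed sample in PIX 6.3 syslog layout; every address here is invented.
SAMPLE_LOG = """\
%PIX-6-609001: Built local-host outside:192.0.2.10
%PIX-6-305009: Built static translation from outside:192.0.2.10 to inside:10.1.1.50
%PIX-3-305005: No translation group found for tcp src outside:192.0.2.10/1025 dst inside:10.1.1.20/20050
%PIX-3-305005: No translation group found for tcp src outside:192.0.2.10/1026 dst inside:10.1.1.20/20050
%PIX-6-305009: Built static translation from inside:10.1.1.30 to outside:10.1.1.30
%PIX-2-106001: Inbound TCP connection denied from 192.0.2.10/1028 to 10.1.1.30/20050 flags SYN on interface outside
"""

I = re.IGNORECASE  # the thread quotes the IDs in lower case ("pix-3-305005")
BUILT = re.compile(r"PIX-6-305009: Built static translation from (\w+):([\d.]+) to", I)
NO_XLATE = re.compile(r"PIX-3-305005: No translation group found for (\w+) "
                      r"src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/(\d+)", I)
DENIED = re.compile(r"PIX-2-106001: Inbound TCP connection denied from ([\d.]+)/\d+ "
                    r"to ([\d.]+)/(\d+) flags \w+ on interface (\w+)", I)

def triage(log):
    """Return one finding per failing flow, based only on what the log shows."""
    statics, no_xlate, denied = set(), Counter(), Counter()
    for line in log.splitlines():
        if m := BUILT.search(line):
            statics.add((m[1], m[2]))          # (real interface, real address)
        elif m := NO_XLATE.search(line):
            no_xlate[m.groups()] += 1
        elif m := DENIED.search(line):
            denied[m.groups()] += 1
    findings = []
    for (proto, s_if, s_ip, d_if, d_ip, d_port), hits in no_xlate.items():
        findings.append({
            "flow": f"{proto} {s_if}:{s_ip} -> {d_if}:{d_ip}/{d_port}",
            "hits": hits,
            "source_static_seen": (s_if, s_ip) in statics,
            # False here is the thread's case: source translated, destination not.
            "destination_static_seen": (d_if, d_ip) in statics,
        })
    for (s_ip, d_ip, d_port, iface), hits in denied.items():
        # 106001 in the thread was traced to rule order in the interface ACL.
        findings.append({"flow": f"tcp {s_ip} -> {d_ip}/{d_port} on {iface}",
                         "hits": hits, "check": "access list on that interface"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A static only counts as seen if its 305009 line falls inside the log window being read, so a finding of `destination_static_seen: False` should be confirmed against the running configuration.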

