PIX, Vlans and two outside interfaces

Unanswered Question
Feb 19th, 2008

My ISP currently supplies me two VLANs over ethernet, one tagged and one untagged. Until now, I've not used the tagged one.

On a PIX 515E, IOS 6.3, I have created a vlan interface mapped to ethernet0 and called it outsidetwo with security 1. ethernet0 has the role of outside with security 0.

I'm having problems with the NAT translations. I have set up a static translation between the new outsidetwo interface and my DMZ:

global (outside) 1 interface

global (DMZ) 1 interface

global (outsidetwo) 1 interface

static (DMZ,outsidetwo) W.X.Y.Z netmask 0 0

However, I get the following error when sending traffic from

No translation group found for udp src DMZ: dst outside:SOTA_Secondary_DNS/53

The default route is specified as:

route outside X.X.X.X 1

I suspect the error is caused because the PIX wants to route the outgoing traffic via the outside interface and as such can not find a valid translation rule.

Is there any way I can specify two outside interfaces, so traffic listed as being NATted to outsidetwo will go out this VLAN interface and other traffic will go out outside (the untagged vlan interface)?

Any other way I can get this to work, with essentially two outside interfaces?

acomiskey Tue, 02/19/2008 - 09:01

What if you add...

nat (DMZ) 1

abinjola Tue, 02/19/2008 - 09:55
User Badges:
  • Cisco Employee,

You must be receiving the error %PIX-3-305005:No translation group found for udp..

This is because you are missing the translation rule when you are trying to go outside.

So add

nat (dmz) 1 0 0

The above statement would provide the NAT rules for a source that originates from inside and tries to access anything on the outside interface.
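Added example (not part of the thread and not Cisco's code): a small Python check of the nat/global pairing that both replies point at, run over the three global lines quoted in the question. It only matches interface names and NAT IDs, ignores which addresses a rule covers, and lower-cases interface names so the reply's `(dmz)` matches the question's `(DMZ)`; the function names are made up for this example.

```python
import re

# The three global lines quoted in the question (no nat lines were posted).
QUESTION_CONFIG = """\
global (outside) 1 interface
global (DMZ) 1 interface
global (outsidetwo) 1 interface
"""

# nat (if) ID ...  /  global (if) ID ...
RULE_RE = re.compile(r"^(nat|global)\s+\((\S+?)\)\s+(\d+)\b", re.I)
# static (real_if,mapped_if) ...
STATIC_RE = re.compile(r"^static\s+\((\S+?),(\S+?)\)\s", re.I)


def parse(config):
    """Collect NAT IDs per interface and (real, mapped) static interface pairs."""
    rules = {"nat": {}, "global": {}}
    statics = set()
    for line in config.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            kind, iface = m.group(1).lower(), m.group(2).lower()
            rules[kind].setdefault(iface, set()).add(int(m.group(3)))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.add((m.group(1).lower(), m.group(2).lower()))
    return rules, statics


def has_translation(config, src_if, dst_if):
    """True if traffic entering src_if and leaving dst_if matches some rule."""
    rules, statics = parse(config)
    src, dst = src_if.lower(), dst_if.lower()
    if (src, dst) in statics:
        return True
    nat_ids = rules["nat"].get(src, set())
    if 0 in nat_ids:  # nat 0 (identity/exemption) needs no matching global
        return True
    # Dynamic NAT/PAT: a nat ID on the source interface must have a
    # global with the same ID on the egress interface.
    return bool(nat_ids & rules["global"].get(dst, set()))


if __name__ == "__main__":
    print(has_translation(QUESTION_CONFIG, "DMZ", "outside"))
    print(has_translation(QUESTION_CONFIG + "nat (dmz) 1 0 0\n", "DMZ", "outside"))
```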

