PIX Firewall - Accessing multiple internal networks

Unanswered Question
Feb 23rd, 2008

Hi everyone,

I have a PIX Firewall which I'd like to configure to allow IP addresses from the external interface (private IP range) to access multiple networks that exist on the internal network.

For example:

The internal network has a layer 3 switch with multiple VLANs and I'd like to allow some IP addresses on the external LAN to access these internal networks. I've added the necessary 'route' commands on the PIX and it can properly ping these internal networks/hosts. However, when trying to access them from the external network, I receive the 'no translation group found' error.

Assume the following setup:


Where 192.168.10.x is the internal network and 192.168.11.x the external.

I've also added:

route inside so that the pix can reach the network.

I need to access the network from the external network.

Many thanks for any input or suggestions.

vantipov Sat, 02/23/2008 - 04:47

If you already permitted 192.168.10.x with an ACL attached to the outside interface then the only thing left to add is either a static no NAT statement or a policy based no NAT (assume mask /24):

static (inside,outside) netmask

Or you can do:

access-list nonat extended permit ip

nat (inside) 0 access-list nonat

Either one of those will tell Pix to not translate the return traffic.

cpartsenidis Sun, 02/24/2008 - 02:18
I have already tried your suggestion and the debugging shows the original error I mentioned: "no translation group found" for

Again, this error occurs when 192.168.11.x (outside) tries to access 192.168.14.x which is an internal network that's not directly attached to the pix inside interface (the pix has an internal IP as a gateway in order to get to the 192.168.14.x network).

Perhaps a static (inside,outside) netmask would do the job?

vantipov Mon, 02/25/2008 - 07:38

Yes, if you are trying to reach on the inside then I would rewrite the static and give that a shot.
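
The two no-NAT options discussed in this thread, written out for the routed 192.168.14.x network as an added example (not posted by any participant and not the poster's actual configuration). It assumes PIX 7.x syntax and /24 masks; the next-hop placeholder, the ACL name `outside_in`, the host 192.168.11.50 and port 443 are constructed for illustration.

```cisco
! Route to the VLAN behind the layer 3 switch.
! <L3_SWITCH_IP> is a placeholder for the switch address on the inside segment.
route inside 192.168.14.0 255.255.255.0 <L3_SWITCH_IP> 1

! Option A: identity static. The routed network appears on the outside
! interface under its own addresses, so connections initiated from the
! outside have a translation entry to match.
static (inside,outside) 192.168.14.0 192.168.14.0 netmask 255.255.255.0

! Option B: NAT exemption for traffic between the two networks
! (use instead of Option A, not in addition to it).
! access-list nonat extended permit ip 192.168.14.0 255.255.255.0 192.168.11.0 255.255.255.0
! nat (inside) 0 access-list nonat

! A translation alone does not permit traffic. The outside ACL decides what
! gets in, so permit only the hosts and ports that are needed rather than
! the whole 192.168.11.0/24 range (host and port below are constructed).
access-list outside_in extended permit tcp host 192.168.11.50 192.168.14.0 255.255.255.0 eq 443
access-group outside_in in interface outside

! Rebuild translations after changing static/nat statements.
! This drops existing connections that rely on current translations.
clear xlate

! Verification: confirm the translation exists and the ACL entry is being hit.
show xlate
show access-list outside_in
```

Each internal network that is reached through the layer 3 switch needs its own route and its own translation or exemption entry; an entry covering only the directly attached 192.168.10.x network does not cover 192.168.14.x.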

