Getting %PIX-3-305005: No translation group found

Unanswered Question
Nov 7th, 2008

I have a PIX 535 running

Cisco PIX Security Appliance Software Version 7.2(3)

Device Manager Version 5.2(3)

The problem I am getting is that servers in my DMZ that do not have a static NAT statement attached to them get the error code "%PIX-3-305005: No translation group found" when trying to get to the Internet. I have a NAT 0 access list assigning the non-static-NAT servers to the NAT 0 pool (NAT exempt).

So I am at a loss now. Anyone with an idea would help, thanks.

husycisco Fri, 11/07/2008 - 13:48

Hello William,

It's OK to use exempt NAT and connect to hosts on their real IP addresses internally, but you need a NAT statement for connecting to the Internet, something like the following:

nat (DMZ) 1 0 0

global (outside) 1 interface

Please post your config if the above suggestion does not help.

Regards
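
An added example, not part of the thread: a dynamic `nat (interface) N ...` rule only translates toward an interface that has a `global` with the same ID N, which is why the reply above pairs `nat (DMZ) 1` with `global (outside) 1`. The sketch below checks a configuration for that pairing. The sample config is constructed, the function names are hypothetical, and interface names are compared case-insensitively as an assumption.

```python
import re

# Constructed sample, not the poster's configuration (which is not on the page).
SAMPLE_CONFIG = """\
nat (DMZ) 0 access-list dmz_nat0_outbound
nat (DMZ) 1 0 0
nat (inside) 2 10.0.0.0 255.0.0.0
global (outside) 1 interface
"""

# Matches "nat (ifname) id ..." and "global (ifname) id ..." lines.
RULE_RE = re.compile(r"^(nat|global)\s+\((\S+?)\)\s+(\d+)\s+\S")


def parse_rules(config):
    """Return (nat_rules, global_rules) as sets of (interface, nat_id)."""
    nats, globals_ = set(), set()
    for raw in config.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # unrelated config line
        kind, ifname, nat_id = m.group(1), m.group(2).lower(), int(m.group(3))
        (nats if kind == "nat" else globals_).add((ifname, nat_id))
    return nats, globals_


def unpaired_nat_rules(config, egress="outside"):
    """List (interface, nat_id) of dynamic nat rules with no same-ID global on egress."""
    nats, globals_ = parse_rules(config)
    missing = []
    for ifname, nat_id in sorted(nats):
        if nat_id == 0:
            continue  # nat 0 is exemption: no translation, so no global is needed
        if (egress.lower(), nat_id) not in globals_:
            missing.append((ifname, nat_id))
    return missing


if __name__ == "__main__":
    for ifname, nat_id in unpaired_nat_rules(SAMPLE_CONFIG):
        print(f"nat ({ifname}) {nat_id}: no 'global (outside) {nat_id} ...' found")
```

On the constructed sample, the DMZ rule with ID 1 is paired and the inside rule with ID 2 is reported.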

husycisco Fri, 11/07/2008 - 14:03

Ah, the hosts have got public IPs already. Assuming that they are publicly routable, try adding the following:

access-list dmz_nat0_outbound extended permit ip 205.203.54.0 255.255.255.0 any

logan-7 Fri, 11/07/2008 - 14:07

Thanks, will have to wait until Monday to test. The server manager (has left the building) will get back with you.

Thanks

husycisco Fri, 11/07/2008 - 14:09

OK then. If you apply the above suggestion, hosts will appear on the Internet with their own IPs.

If you type "nat (dmz) 1 0 0" instead, DMZ hosts will connect to the Internet via the PATed IP address of the outside interface.

logan-7 Mon, 11/10/2008 - 11:51

Question:

Will this command "nat (dmz) 1 0 0" overwrite the static NAT statements already in place, or just dynamically NAT devices that do not have any static NAT?

husycisco Mon, 11/10/2008 - 13:53

No, it won't.

"just dynamically nat devices that do not have any static nat?"

Exactly.

logan-7 Tue, 11/11/2008 - 07:41

That did work for the non-static machines.

But I am still having the problem with the machine that has 205.203.54.50.

This one has a static NAT to (outside) 205.203.58.9. There is an ACL on the outside interface that allows HTTP and HTTPS to come into the DMZ, and an ACL on the DMZ interface that allows all to go out. But they still can't hit the Internet.

Any idea?

Thanks

husycisco Tue, 11/11/2008 - 10:02

Try adding this

access-list dmz_access_in extended permit udp 205.203.54.0 255.255.255.0 any eq dns
