Getting %PIX-3-305005: No translation group found

Nov 7th, 2008

I have a PIX 535 running

Cisco PIX Security Appliance Software Version 7.2(3)

Device Manager Version 5.2(3)


The problem I am getting is that servers in my DMZ that do not have a static NAT statement attached to them get the error code "%PIX-3-305005: No translation group found" when trying to get to the Internet. I have a NAT 0 access list assigning the non-static-NAT servers to the NAT 0 pool (NAT exempt).


So I am at a loss now. Anyone with an idea would help, thanks.



husycisco Fri, 11/07/2008 - 13:48

Hello William,

It's OK to use exempt NAT and connect to hosts on their real IP addresses internally, but you need a NAT statement for connecting to the Internet, something like the following:


nat (DMZ) 1 0 0

global (outside) 1 interface


Please post your config if the above suggestion does not help.

Regards

husycisco Fri, 11/07/2008 - 14:03

Ah, the hosts have got public IPs already. Assuming that they are publicly routable, try adding the following:


access-list dmz_nat0_outbound extended permit ip 205.203.54.0 255.255.255.0 any

logan-7 Fri, 11/07/2008 - 14:07

Thanks, will have to wait until Monday to test. The server manager (has left the building) will get back with you.


Thanks

husycisco Fri, 11/07/2008 - 14:09

OK then. If you apply the above suggestion, hosts will appear on the Internet with their own IPs.

If you type "nat (dmz) 1 0 0" instead, DMZ hosts will connect to the Internet via the PATed IP address of the outside interface.

logan-7 Mon, 11/10/2008 - 11:51

Question:


Will this command "nat (dmz) 1 0 0" overwrite the static NAT statement already in place, or just dynamically NAT devices that do not have any static NAT?



husycisco Mon, 11/10/2008 - 13:53

No, it won't.


"just dynamically nat devices that do not have any static nat? "

Exactly.


logan-7 Tue, 11/11/2008 - 07:41

That did work for the non-static machines.


But I am still having the problem with the machine that has 205.203.54.50.


This one has a static NAT to (outside) 205.203.58.9. There is an ACL on the outside interface that allows HTTP and HTTPS to come into the DMZ, and an ACL on the DMZ interface that allows all to go out. But they still can't hit the Internet.


Any idea?


Thanks

husycisco Tue, 11/11/2008 - 10:02

Try adding this:

access-list dmz_access_in extended permit udp 205.203.54.0 255.255.255.0 any eq dns
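
The NAT lookup discussed in this thread, as an added example that is not part of the original posts and not Cisco code: a small Python model of the rule order on PIX 7.x (exemption ACL, then static NAT, then dynamic `nat`/`global`). It assumes a translation is required for DMZ-to-outside traffic, as the 305005 message implies; the internal 10.0.0.0/8 range, the two test hosts and the interface placeholder are constructed.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def net(addr, mask):
    """Build a network from PIX-style 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}")

def lookup(src, dst, nat0_acl, statics, dyn_nat, globals_):
    """Return (action, translated_source) for one outbound DMZ packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. nat 0 access-list: exempt only if source AND destination match an ACE
    for src_net, dst_net in nat0_acl:
        if s in src_net and d in dst_net:
            return ("exempt", src)
    # 2. static NAT: one-to-one mapping, not replaced by the dynamic rule below
    if src in statics:
        return ("static", statics[src])
    # 3. nat (DMZ) <id> <net>: needs a global with the same id on the egress side
    for nat_id, src_net in dyn_nat:
        if s in src_net and nat_id in globals_:
            return ("pat", globals_[nat_id])
    return ("%PIX-3-305005: No translation group found", None)

DMZ = net("205.203.54.0", "255.255.255.0")       # DMZ range from the thread
INSIDE = net("10.0.0.0", "255.0.0.0")            # constructed internal range
STATICS = {"205.203.54.50": "205.203.58.9"}      # static NAT from the thread
OUTSIDE_IF = "<outside-interface-ip>"            # placeholder for "global (outside) 1 interface"

def scenarios():
    host, web = "205.203.54.20", "198.51.100.7"  # constructed test hosts
    # Assumption: the original nat0 ACL only covered internal destinations.
    before = [(DMZ, INSIDE)]
    pat = ([(1, ANY)], {1: OUTSIDE_IF})          # nat (DMZ) 1 0 0 + global (outside) 1 interface
    return {
        "original": lookup(host, web, before, STATICS, [], {}),
        "nat0_any": lookup(host, web, before + [(DMZ, ANY)], STATICS, [], {}),
        "nat1": lookup(host, web, before, STATICS, *pat),
        "static_with_nat1": lookup("205.203.54.50", web, before, STATICS, *pat),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:17} -> {result}")
```

Either fix widens what DMZ hosts can reach from the Internet side or how they appear to it, so review the outside and DMZ interface ACLs alongside the NAT change.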
