Getting %PIX-3-305005: No translation group found

Unanswered Question
Nov 7th, 2008

I have a PIX 535 running

Cisco PIX Security Appliance Software Version 7.2(3)

Device Manager Version 5.2(3)

The problem I am getting is that servers in my DMZ that do not have a static NAT statement attached to them get the error code "%PIX-3-305005: No translation group found" when trying to get to the Internet. I have a NAT 0 access list assigning the non-static-NAT servers to the NAT 0 pool (NAT exempt).

So I am at a loss now. Anyone with an idea would help, thanks.

husycisco Fri, 11/07/2008 - 13:48

Hello William,

It's OK to use exempt NAT and connect to hosts on their real IP addresses internally, but you need a NAT statement for connecting to the Internet, something like the following:

nat (DMZ) 1 0 0

global (outside) 1 interface

Please post your config if the above suggestion does not help.


husycisco Fri, 11/07/2008 - 14:03

Ah, the hosts have got public IPs already. Assuming that they are publicly routable, try adding the following:

access-list dmz_nat0_outbound extended permit ip any

logan-7 Fri, 11/07/2008 - 14:07

Thanks, will have to wait until Monday to test. The server manager (has left the building) will get back with you.


husycisco Fri, 11/07/2008 - 14:09

OK then. If you apply the above suggestion, hosts will appear on the Internet with their own IPs.

If you type "nat (dmz) 1 0 0" instead, DMZ hosts will connect to the Internet via the PATed IP address of the outside interface.

logan-7 Mon, 11/10/2008 - 11:51


Will this command "nat (dmz) 1 0 0" overwrite the static NAT statements already in place, or just dynamically NAT devices that do not have any static NAT?

husycisco Mon, 11/10/2008 - 13:53

No, it won't.

"just dynamically nat devices that do not have any static nat? "
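
Added example, not part of the thread and not Cisco's code: a small Python model of the outbound NAT lookup discussed above (NAT exemption first, then static NAT, then dynamic NAT/PAT), showing which DMZ hosts match no rule and would log %PIX-3-305005. The sample config, its addresses, and the names `lookup` and `_net` are constructed for illustration; it assumes NAT control is enforced and parses only the command forms shown.

```python
import ipaddress

# Constructed sample config (documentation addresses, not the poster's).
SAMPLE_CONFIG = """\
access-list dmz_nat0_outbound extended permit ip 192.0.2.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (DMZ) 0 access-list dmz_nat0_outbound
static (DMZ,outside) 198.51.100.10 192.0.2.10 netmask 255.255.255.255
global (outside) 1 interface
"""

def _net(addr, mask):
    """Build a network from PIX 'address mask' tokens; '0' is shorthand for 0.0.0.0."""
    fix = {"0": "0.0.0.0"}
    return ipaddress.ip_network(f"{fix.get(addr, addr)}/{fix.get(mask, mask)}")

def lookup(config, src, dst, src_if="DMZ", dst_if="outside"):
    """Return the translation an outbound packet would get, or None (logged as 305005)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acls, exempt, statics, dynamic, pools = {}, [], [], [], set()
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(t[1], []).append((_net(t[5], t[6]), _net(t[7], t[8])))
        elif t[:1] == ["nat"] and t[1].strip("()").lower() == src_if.lower():
            if t[2] == "0" and t[3] == "access-list":
                exempt.append(t[4])                      # nat 0 access-list NAME
            else:
                dynamic.append((t[2], _net(t[3], t[4])))  # nat (if) ID net mask
        elif t[:1] == ["static"] and t[1].strip("()").lower() == f"{src_if},{dst_if}".lower():
            statics.append((ipaddress.ip_address(t[3]), t[2]))  # (real, mapped)
        elif t[:1] == ["global"] and t[1].strip("()").lower() == dst_if.lower():
            pools.add(t[2])
    # 1. NAT exemption is checked first and depends on source AND destination.
    for name in exempt:
        if any(src in s and dst in d for s, d in acls.get(name, [])):
            return "exempt"
    # 2. Static NAT: a later dynamic rule does not replace it.
    for real, mapped in statics:
        if src == real:
            return f"static {mapped}"
    # 3. Dynamic NAT/PAT needs a global pool with the same ID on the egress interface.
    for nat_id, net in dynamic:
        if src in net and nat_id in pools:
            return f"dynamic pool {nat_id}"
    return None  # no rule matched: "No translation group found"
```

Running `lookup` on the sample before and after appending `nat (DMZ) 1 0 0` shows the non-static host moving from no translation to the PAT pool while the static host keeps its mapping.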


logan-7 Tue, 11/11/2008 - 07:41

That did work for the Non-static machines.

But I am still having the problem with the machines that has

This one has a static NAT to (outside). There is an ACL on the outside interface that allows HTTP and HTTPS to come into the DMZ, and an ACL on the DMZ interface that allows all to go out. But they still can't hit the Internet.

Any idea?


husycisco Tue, 11/11/2008 - 10:02

Try adding this

access-list dmz_access_in extended permit udp any eq dns

