
Client VPN on PIX needs to access DMZ

Answered Question
Dec 9th, 2002

VPN clients (3.5) terminating on PIX 6.x cannot access hosts on the PIX DMZ interface. The error log states that there is no "translation group available from outside" for the VPN client subnet (from the vpngroup pool).

Do I need to add the client VPN subnet to a nat (outside)?

Do I add it to the nat inside?

Do I just add statics for the DMZ hosts to the inside interface subnet since the VPN clients can access inside hosts?

(I do have the subnets in the nat 0 nonat ACL)

Thanks and Regards

JT



Correct Answer by kdurrett, Mon, 12/09/2002 - 11:32

What you will need to add is nat 0. You state in your () that you have a nonat ACL; is it for the DMZ or the inside interface? Are you using the same access-list for the nonat for both inside and DMZ? If you are, you should separate them and use separate access-lists. Is your client pool on a separate subnet from your inside network and DMZ? So it should be something like this:

ip local pool clientpool 192.168.1.1-192.168.1.254

ip address inside 10.10.10.1 255.255.255.0

ip address dmz 10.10.20.1 255.255.255.0

access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonatdmz permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (dmz) 0 access-list nonatdmz


If this is correct then clear x, wr mem, reload. Hope this helps.


Kurtis Durrett

PS

If it doesn't, I can only recommend upgrading your client and PIX, as that's exactly how it should look, and if it's not working you are running into an extra feature that you don't want.

ajagadee (Cisco Employee) Mon, 12/09/2002 - 11:24

Hi,


This is what the error means:

%PIX-3-305005: No translation group found for .

Explanation: An outbound packet does not match any of the outbound NAT rules.

Action: This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the access-list bound to the nat 0 access-list.

From the error you have pasted in the case notes, you are missing

nat (dmz) 0 access-list no_nat


From your notes, I see that you have mentioned the nat 0 command, but is this configured for the DMZ that you are trying to access?


Please do let me know how it goes.


Regards,

Arul
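
Both answers above come down to the same point: on PIX 6.x, NAT exemption is bound per interface, so a nat 0 access-list on inside does nothing for hosts behind dmz, and that is exactly the gap message 305005 reports. The following Python script is an added example and is not from this thread or from Cisco. It parses a constructed PIX 6.x configuration fragment (addresses taken from the accepted answer), lists every interface whose subnet has no nat 0 entry covering the VPN client pool, proposes the matching access-list and nat 0 lines, and maps a constructed %PIX-3-305005 line to the interface whose exemption is missing. The syslog field layout it expects (src ifc:ip/port dst ifc:ip/port), the nameif security levels, the outside address, and the ACL names it generates are all assumptions made for this example.

```python
import ipaddress
import re

# Constructed PIX 6.x configuration reproducing the thread's situation
# (subnets and pool from the accepted answer; the rest is assumed): the
# inside interface has a nat 0 exemption towards the VPN pool, dmz does not.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address dmz 10.10.20.1 255.255.255.0
ip local pool clientpool 192.168.1.1-192.168.1.254
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
vpngroup remote address-pool clientpool
"""

# Constructed syslog line in the shape of message 305005; the field layout
# "src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port>" is an assumption.
SAMPLE_LOG = ("%PIX-3-305005: No translation group found for tcp "
              "src outside:192.168.1.10/1025 dst dmz:10.10.20.5/80")


def parse_config(text):
    """Collect interfaces, security levels, pools, ACL entries and nat 0 bindings."""
    interfaces, security, pools, acls, nat0 = {}, {}, {}, {}, {}
    for line in text.splitlines():
        p = line.split()
        if len(p) == 4 and p[0] == "nameif":
            security[p[2]] = int(p[3].replace("security", ""))
        elif len(p) == 5 and p[:2] == ["ip", "address"]:
            interfaces[p[2]] = ipaddress.IPv4Network(f"{p[3]}/{p[4]}", strict=False)
        elif len(p) == 5 and p[:3] == ["ip", "local", "pool"]:
            first, last = p[4].split("-")
            pools[p[3]] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        elif len(p) == 8 and p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            src = ipaddress.IPv4Network(f"{p[4]}/{p[5]}", strict=False)
            dst = ipaddress.IPv4Network(f"{p[6]}/{p[7]}", strict=False)
            acls.setdefault(p[1], []).append((src, dst))
        elif len(p) == 5 and p[0] == "nat" and p[2:4] == ["0", "access-list"]:
            nat0[p[1].strip("()")] = p[4]   # nat (ifc) 0 access-list <acl>
    return interfaces, security, pools, acls, nat0


def covering_network(first, last):
    """Smallest network holding the whole pool range (192.168.1.0/24 for the sample)."""
    first, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = ipaddress.IPv4Network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def missing_nat0(text):
    """(interface, pool) pairs whose interface subnet has no nat 0 entry towards
    the VPN pool. The outside interface terminates the clients and is skipped."""
    interfaces, _, pools, acls, nat0 = parse_config(text)
    missing = []
    for ifc, net in interfaces.items():
        if ifc == "outside":
            continue
        entries = acls.get(nat0.get(ifc), [])
        for pool_name, (first, last) in pools.items():
            covered = any(net.subnet_of(src) and first in dst and last in dst
                          for src, dst in entries)
            if not covered:
                missing.append((ifc, pool_name))
    return missing


def suggested_fix(text):
    """Config lines adding the missing exemptions, one ACL per interface as the
    accepted answer recommends. The ACL names ("nonat" + interface) are assumed."""
    interfaces, _, pools, _, _ = parse_config(text)
    lines = []
    for ifc, pool_name in missing_nat0(text):
        net, pool = interfaces[ifc], covering_network(*pools[pool_name])
        acl = f"nonat{ifc}"
        lines.append(f"access-list {acl} permit ip {net.network_address} "
                     f"{net.netmask} {pool.network_address} {pool.netmask}")
        lines.append(f"nat ({ifc}) 0 access-list {acl}")
    return lines


def interface_from_log(log_line, text):
    """From a 305005 line, name the interface whose nat 0 ACL needs the entry:
    the higher-security side of the src/dst pair, which is where the thread's
    fix (nat (dmz) 0) goes."""
    m = re.search(r"src (\w+):\S+ dst (\w+):\S+", log_line)
    if not m:
        return None
    _, security, _, _, _ = parse_config(text)
    return max(m.groups(), key=lambda ifc: security.get(ifc, -1))


if __name__ == "__main__":
    print("missing exemptions:", missing_nat0(SAMPLE_CONFIG))
    print("interface named by log:", interface_from_log(SAMPLE_LOG, SAMPLE_CONFIG))
    print("\n".join(suggested_fix(SAMPLE_CONFIG)))
```

Run against the sample, the checker flags only dmz, and the two lines it proposes are the nonatdmz access-list and nat (dmz) 0 binding from the accepted answer; feeding the proposed lines back into the config makes the check pass. Real configurations use many more command forms than this parser understands, so treat it as a template for the one check the thread is about, not as a general PIX config linter.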

jtorjman Wed, 01/08/2003 - 18:13

Did the trick.

Thanks for the help.

Regards

JT

