Client VPN on PIX needs to access DMZ

joet8591
Level 1

VPN clients 3.5 terminating on PIX 6.X cannot access hosts on PIX DMZ interface. Error log states that there is not "translation group available from outside" for the VPN Client subnet (from the vpngroup pool).

Do I need to add the client VPN subnet to a nat (outside)?

Do I add it to the nat inside?

Do I just add statics for the DMZ hosts to the inside interface subnet since the VPN clients can access inside hosts?

(I do have the subnets in the nat 0 nonat ACL)

Thanks and Regards

JT



ajagadee
Cisco Employee

Hi,

This is what the error means

%PIX-3-305005: No translation group found for .

Explanation An outbound packet does not match any of the outbound nat rules.

Action This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the access-list bound to the nat 0 access-list.

From the error you have pasted in the case notes, you are missing

nat (dmz) 0 access-list no_nat

From your notes, I see that you have mentioned the nat 0 command, but is it configured for the DMZ that you are trying to access?

Please do let me know how it goes.

Regards,

Arul

Worked.

Thanks for the help.

Regards

JT

kdurrett (Accepted Solution)
Level 3

What you will need to add is nat 0. You state in your parentheses that you have a nonat ACL; is it for the DMZ or the inside interface? Are you using the same access-list for the nonat on both inside and DMZ? If you are, you should separate them and use separate access-lists. Is your client pool on a separate subnet from your inside network and DMZ? It should look something like this:

ip local pool clientpool 192.168.1.1-192.168.1.254
ip address inside 10.10.10.1 255.255.255.0
ip address dmz 10.10.20.1 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonatdmz permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonatdmz

If this is correct then clear xlate, wr mem, reload. Hope this helps.

Kurtis Durrett

PS

If it doesn't, I can only recommend upgrading your client and PIX, as that's exactly how it should look, and if it's not working you are running into an extra feature that you don't want.
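The two answers above make the same point from different directions: Arul reads %PIX-3-305005 as "the DMZ interface has no nat 0 access-list that covers this flow", and Kurtis shows the per-interface nat 0 ACLs that supply it. The script below is an added example, not code from the thread or from Cisco: it parses the handful of PIX 6.x lines involved (nameif, ip address, ip local pool, access-list ... permit ip, nat (ifc) 0 access-list) and reports every interface whose local subnet has no NAT exemption towards the VPN pool, which is exactly the DMZ in JT's case. The sample configuration embedded in it is constructed to match the thread's addressing (pool 192.168.1.0/24, inside 10.10.10.0/24, dmz 10.10.20.0/24) and the interface names and security levels are assumptions.

```python
import ipaddress
import re

# Constructed sample PIX 6.x fragments (not taken from the thread). BROKEN_CONFIG has a
# nat 0 exemption on inside only, which is the state JT described; FIXED_CONFIG adds the
# dmz exemption from the accepted answer. Interface hardware names and security levels
# are assumptions.
BROKEN_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address dmz 10.10.20.1 255.255.255.0
ip local pool clientpool 192.168.1.1-192.168.1.254
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup remoteusers address-pool clientpool
"""

FIXED_CONFIG = BROKEN_CONFIG + """
access-list nonatdmz permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz
"""

NAMEIF_RE = re.compile(r"^nameif \S+ (\S+) security(\d+)$")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) ([^\s-]+)-(\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def _parse_addr(tokens):
    """Consume one ACE address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(config):
    """Pull the NAT-exemption related lines out of a PIX 6.x style configuration."""
    parsed = {"security": {}, "ifnet": {}, "pools": {}, "acls": {}, "nat0": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            parsed["security"][m[1]] = int(m[2])
        elif m := IPADDR_RE.match(line):
            parsed["ifnet"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := POOL_RE.match(line):
            parsed["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ACE_RE.match(line):
            src, rest = _parse_addr(m[2].split())
            dst, _ = _parse_addr(rest)
            parsed["acls"].setdefault(m[1], []).append((src, dst))
        elif m := NAT0_RE.match(line):
            parsed["nat0"][m[1]] = m[2]
    return parsed


def exemption_for(parsed, ifc, local_ip, remote_ip):
    """Name of the nat 0 ACL on `ifc` that exempts the flow between a host on that
    interface and a remote host, or None. The nat 0 access-list is written from the
    local (higher-security) side: local host as source, far end (here the VPN pool)
    as destination, whichever side sent the first packet."""
    local, remote = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    acl = parsed["nat0"].get(ifc)
    for src, dst in parsed["acls"].get(acl, []):
        if local in src and remote in dst:
            return acl
    return None


def missing_nat_exemptions(config, pool_name, client_ifc="outside"):
    """Interfaces (highest security first) whose subnet has no nat 0 ACE covering
    interface-subnet -> whole VPN pool; traffic from the pool to hosts there will
    log %PIX-3-305005 instead of being passed."""
    parsed = parse_pix(config)
    first, last = parsed["pools"][pool_name]
    missing = []
    for ifc, net in parsed["ifnet"].items():
        if ifc == client_ifc:
            continue  # the clients terminate here; it needs no exemption for itself
        aces = parsed["acls"].get(parsed["nat0"].get(ifc), [])
        if not any(src.overlaps(net) and first in dst and last in dst for src, dst in aces):
            missing.append(ifc)
    return sorted(missing, key=lambda i: -parsed["security"].get(i, 0))


if __name__ == "__main__":
    print("broken:", missing_nat_exemptions(BROKEN_CONFIG, "clientpool"))
    print("fixed: ", missing_nat_exemptions(FIXED_CONFIG, "clientpool"))
```

The check deliberately tests the pool's first and last address against the ACE destination, because an exemption that covers only part of the pool produces the same syslog message for the clients that happen to draw an uncovered address; the interface's own subnet is matched with an overlap test so that host-specific ACEs are still counted.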

Did the trick.

Thanks for the help.

Regards

JT
