I found that out on CCO!

My question is what's the best way to resolve this config problem?

I don't want to create a static for every registered network, which is what I'd have to do at the moment. There must be a better way of fixing this config error.

Right Guys I've tried the suggested config changes but still get exactly the same problem.

Remember that the internet is actually via the inside interface (outisde isn't used on this FW).

I'm still seeing these errors messages

305005: No translation group found for udp src DMZ-slot:3:192.168.*.*/1080 dst inside:192.12.94.30/53

So I'm going from a low to high security rating to access the internet, and the only way I can see to get this working is to add a static for every external net I want to access.

There must be a better way of doing this!

Hi Steve,

I can hardly believe that you tried my solution, cause this is the only way to achieve what you want.

So, did some searching for you, and found the right document for you, with an example config. So, please take a look at the following URL:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic12

This is the only way to do it (yeah, I know, it still isn't nice as you might want it to be, but hey, it works and it's easy to configure)

Let us know how your doing.

Kind Regards,

Leo

I have CCO access but we're not a partner so I can't access that link, is there a different link for that page?

Thanks

Sorry for that, Steve.

Here's the non-partner link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml#topic12

Kind Regards,

Leo

In addition to my earlier reply, you can always post your config (remove passwords) and I can have a look at it, cause there is also a change that you have overlapping NAT/PAT statements which requires some nonat ACL's (combinde with nat 0) to prevent returning traffic from being translated (ASA has to take care of this in normal situations). This kind of configurations can be complex and difficult to troubleshoot when having not to much experience (with which I'm not doubting your experience ;-))

Kind Regards,

Leo

Thanks Leo

The link has a section on outside NAT which I've read and understand, but! that specific example is for a specific host. I want to allow all traffic (that has passed the ACL) out from the DMZ onto the Inside.

What I believe I need is a stat(inside,DMZ3) any any net 0.0.0.0

Here is the relevant config

nameif ethernet1 inside security100

nameif ethernet3 DMZ-slot:3 security20

icmp permit any inside

icmp permit any DMZ-slot:3

no ip address outside

ip address inside 10.*.*.* 255.255.252.0

ip address DMZ-slot:3 192.168.161.* 255.255.255.0

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

nat (DMZ-slot:3) 0 0.0.0.0 0.0.0.0 0 0

static (inside,DMZ-slot:3) 193.35.0.0 193.35.0.0 netmask 255.255.0.0 0 0

static (inside,DMZ-slot:3) 192.168.17.0 192.168.17.0 netmask 255.255.255.0 0 0

static (inside,DMZ-slot:3) 195.188.208.0 195.188.208.0 netmask 255.255.255.0 0 0

static (inside,DMZ-slot:3) 192.33.0.0 192.33.0.0 netmask 255.255.0.0 0 0

static (inside,DMZ-slot:3) 192.112.0.0 192.112.0.0 netmask 255.255.0.0 0 0

static (inside,DMZ-slot:3) 192.168.101.0 192.168.101.0 netmask 255.255.255.0 0 0

access-group ACL-inside in interface inside

access-group ACL-DMZ-slot:3 in interface DMZ-slot:3

route inside 0.0.0.0 0.0.0.0 10.*.*.1 1

route inside 10.0.0.0 255.0.0.0 10.*.*.1 1

route inside 172.0.0.0 255.0.0.0 10.*.*.1 1

route inside 192.168.0.0 255.255.0.0 10.*.*.1 1

Hi Steve,

Nope, not correct, you can not do such thing as stat(inside,DMZ3) any any net 0.0.0.0

This would be NAT for all internal networks (on the Internet in your case), but this is not the way to achieve this.

Here's what you should do:

static (DMZ-slot3, inside) 192.168.161.0 192.168.161.0 netmask 255.255.255.0

This static rule creates a static translation (and arranges the needed proxy ARP) for the network on the DMZ-slot3 interface. This is needed for all traffic initiated from the DMZ-slot3 to the Internet (on the inside interface as I understand)

Then you need to prevent the returning traffic for this traffic from being translated with the following:

nat (inside) 0 access-list ReturnTrafficToDMZ

access-list ReturnTrafficToDMZ permit ip any 192.168.161.0 255.255.255.0

These last two rules do also prevent traffic initiated from the Internet to the DMZ-slot3 from being translated.

I see other static commands within your config, are these for internal used networks? I guess so :-)

Ofcourse you need to configure your access-list ACL-inside for the appropiate permits on the connection, but I'll guess you have that in place allready.

The reason for the message no translation group found is due to the missing commands which I just gave you. I'm not able to test this particular config right now, but this should be it (or at least it points to the right direction)

Let me know if I can be of any more help.

Kind Regards,

Leo

Leo

Those statics you can see are in there so 192.168.161.3 can access an external hosts, ie DNS queries.

OK I entered the command you suggested.

static (DMZ-slot:3,inside) 192.168.161.3 192.168.161.3 netmask 255.255.255.255 0 0

did a clear x

I'm not doing NAT anywhere so there's no need for the NAT 0 commands (already there).

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

nat (DMZ-slot:3) 0 0.0.0.0 0.0.0.0 0 0

Here's the output when I connect to an IP for which there is a static

302013: Built inbound TCP connection 16308 for DMZ-slot:3:192.168.161.3/2257 (192.168.161.3/2257) to

inside:193.35.*.*/2002 (193.35.*.*/80)

302014: Teardown TCP connection 16308 for DMZ-slot:3:192.168.161.3/2257 to inside:193.35.*.*/80

duration 0:00:01 bytes 478 TCP FINs

Now here's what I get when trying to do a DNS lookup to an external DNS server for which there isn't a static

305005: No translation group found for udp src DMZ-slot:3:192.168.161.3/1080 dst inside:192.5.6.30/5

3

305005: No translation group found for udp src DMZ-slot:3:192.168.161.3/1080 dst inside:192.55.83.30

/53

hi Steve, this can only mean one thing, there most be an overlap somewhere within you NAT/PAT commands. This could be difficult to troubleshoot.

I think I can only help you if I have your full config. Remove passwords and other sensitive stuff, but keep all nat, global, static, sysopt, access-list, access-group and ip numbers in (can remove the outside if you like) cause this is needed to get into this problem in detail.

I myself do not like posting my whole config on a public forum, so, if you like you can also send it by email and I will have a look at it (mailaddress can be found by viewing profile)

I´m still sure that the static command I gave is the right one, but there must be an overlap which is bothering you.

Kind Regards,

Leo

I have been screening you whole config and you have to re-configure some things.

Here are the thing you need to change to your PIX to get it to work as you want.

no nat (inside) 0 0.0.0.0 0.0.0.0 0 0

*you can take this one out, with the new ines I will provide here you do not need it anymore*

no static (inside,DMZ-slot:3) 193.35.0.0 193.35.0.0 netmask 255.255.0.0 0 0

no static (inside,DMZ-slot:3) 192.168.17.0 192.168.17.0 netmask 255.255.255.0 0 0

no static (inside,DMZ-slot:3) 195.188.208.0 195.188.208.0 netmask 255.255.255.0 0 0

no static (inside,DMZ-slot:3) 192.33.0.0 192.33.0.0 netmask 255.255.0.0 0 0

no static (inside,DMZ-slot:3) 192.112.0.0 192.112.0.0 netmask 255.255.0.0 0 0

no static (inside,DMZ-slot:3) 192.168.101.0 192.168.101.0 netmask 255.255.255.0 0 0

*these were all tests I´ll guess for users to reach the DMZ´s*

*not needed though when configured the right way*

Then I would do an clear xlate first, to make sure all the current entries are gone.

Next thing is to put in some new lines:

static (DMZ-slot:3,inside) 192.168.161.0 192.168.161.0 netmask 255.255.255.0

*this makes sure that the PIX does proxy-ARP for the addresses on the DMZ-slot:3*

*which is now needed because of the allready removed nat (inside) 0*

I saw some other routes to this interface DMZ-slot:3, if you want users on the inside to reach anything within these subnets you need to add a line for every subnet on your DMZ-slot3 interface, so, for all your subnets on this interface this would be:

static (DMZ-slot:3,inside) 192.168.37.0 192.168.37.0 netmask 255.255.255.0

static (DMZ-slot:3,inside) 192.168.50.0 192.168.50.0 netmask 255.255.255.252

static (DMZ-slot:3,inside) 192.168.50.4 192.168.50.4 netmask 255.255.255.252

static (DMZ-slot:3,inside) 192.168.50.8 192.168.50.8 netmask 255.255.255.252

static (DMZ-slot:3,inside) 192.168.50.12 192.168.50.12 netmask 255.255.255.252

static (DMZ-slot:3,inside) 192.168.51.0 192.168.51.0 netmask 255.255.255.248

static (DMZ-slot:3,inside) 192.168.51.8 192.168.51.8 netmask 255.255.255.248

static (DMZ-slot:3,inside) 192.168.51.16 192.168.51.16 netmask 255.255.255.248

static (DMZ-slot:3,inside) 192.168.51.24 192.168.51.24 netmask 255.255.255.248

For inside users to start sessions to hosts on DMZ-slot:4 you will need:

static (DMZ-slot:3,inside) 192.168.151.0 192.168.151.0 netmask 255.255.255.0

I don´t know if this is the case, but if for any reason you also want hosts on the DMZ-slot4 to initialize sessions to the DMZ-slot:3 you need to add this:

static (DMZ-slot:3,DMZ-slot:4) 192.168.37.0 192.168.37.0 netmask 255.255.255.0

static (DMZ-slot:3,DMZ-slot:4) 192.168.50.0 192.168.50.0 netmask 255.255.255.252

et cetera (smae as DMZ-slot:3,inside)

Or, the other way around, if the DMZ-slot:3 starts sessions to DMZ-slot:4 you need to add:

static (DMZ-slot:4,DMZ-slot:3) 192.168.151.0 192.168.151.0 netmask 255.255.255.0

This should do the trick. Hope you allready seen how it works.

Keep me informed on how you´re doing.

Kind Regards,

Leo