No translation group found for tcp src outside

I keep getting this syslog message from one of my PIXs:

No translation group found for tcp src outside:(host1)/6464 dst inside:(host2)/2326

My ACL is:

access-list inside_access_in permit tcp any object-group (groupname that includes host1) eq 6464

I'm not sure why I keep getting the no translation group message. Is it because a previous session timed out?

Any help is greatly appreciated


Re: No translation group found for tcp src outside

Two things to look at are if you have valid nat/global or static statements on the inside and outside interfaces, and if you allow the host on the outside interface (host1) to initiate inbound connections.

For the 1st area: ensure that host2 on the inside has a valid xlate to the outside interface. This is done via either a static, a nat (inside) xxx along with a valid global (outside) xxx statement, or a no nat (i.e., nat (inside) 0 access-list nonat_acl).

For the 2nd area: I assume that your security policy is such that host2 always contacts host1 (the dmz host) and that host1 never initiates/starts inbound connections. Is that true? I ask because I have seen this message when you want host1 to contact host2 and have the correct acl on the outside interface, but you forgot to configure the static to allow host2 to be visible by host1.

Let me know if this helps.

Ed Hirsel
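An added example, not part of the original posts: a Python sketch of the first check in the reply above. It parses the syslog line and looks through a PIX configuration for a static, a nat/global pair or a nat 0 statement covering the destination host. The addresses, the sample configuration and the function names are constructed for illustration, and the destination address in the message is assumed to be the host's real inside address.

```python
import ipaddress
import re

# Message text as quoted in the question; a timestamp/ID prefix may precede it.
MSG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")

def parse_message(line):
    """Return the fields of a 'No translation group found' line, or None."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None

def covers(net, mask, ip):
    """True if ip falls inside net/mask; False for names or keywords."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    except ValueError:
        return False

def find_translations(config, local_if, global_if, local_ip):
    """Return (kind, line) for statements that can translate local_ip."""
    rows = [l.split() for l in config.splitlines() if len(l.split()) >= 4]
    global_ids = {t[2] for t in rows if t[0] == "global" and t[1] == f"({global_if})"}
    hits = []
    for t in rows:
        text = " ".join(t)
        if t[0] == "static" and t[1] == f"({local_if},{global_if})":
            # static (local_if,global_if) <global_ip> <local_ip> [netmask <mask>]
            mask = t[5] if len(t) >= 6 and t[4] == "netmask" else "255.255.255.255"
            if covers(t[3], mask, local_ip):
                hits.append(("static", text))
        elif t[0] == "nat" and t[1] == f"({local_if})":
            if t[2] == "0" and t[3] == "access-list":
                hits.append(("nat0-acl", text))  # the ACL itself still needs reading
            elif len(t) >= 5 and covers(t[3], t[4], local_ip):
                if t[2] == "0":
                    hits.append(("nat0", text))
                elif t[2] in global_ids:
                    # dynamic: an xlate exists only after the inside host connects out
                    hits.append(("dynamic", text))
    return hits

# Constructed sample data (documentation and private address ranges).
SAMPLE_LOG = ("No translation group found for tcp "
              "src outside:198.51.100.7/6464 dst inside:10.1.1.20/2326")
CONFIG_BEFORE = "nat (inside) 1 10.1.2.0 255.255.255.0\nglobal (outside) 1 interface\n"
CONFIG_AFTER = CONFIG_BEFORE + "static (inside,outside) 10.1.1.20 10.1.1.20 netmask 255.255.255.255\n"
```

An empty result for the destination in the message, as with CONFIG_BEFORE here, corresponds to the missing-static case described in the reply.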

