Cisco Support Community
Community Member

PIX-3-305005: No translation group found .....

Here's my conundrum in its simplest form:

PIX 515E-DMZ; PIX OS 6.3(3)

interface outside: security 0

interface dmz: security 50

interface inside: security 100

1. Reset the PIX to factory defaults

2. Enter a basic config with nothing more than interface and IP address details

3. Add the following translation rule and access-list:

pix-central# static (dmz,outside)

pix-central# access-list outside_acl permit icmp any any

pix-central# access-group outside_acl in interface outside

This configuration allows me to send icmp packets from dmz interface to outside and from outside to dmz without address translation. All is well!

Now if I move things around to try and get data between the DMZ and the inside interfaces:

pix-central# static (inside,dmz)

pix-central# access-list dmz_acl permit icmp any any

pix-central# access-group dmz_acl in interface dmz

All I can successfully achieve is this wretched error log message:

%PIX-3-305005: No translation group found for icmp src dmz: dst inside:

when I send an echo request from dmz to inside.

There is no difference in the relative relationship between the interfaces in the two examples. outside -> dmz is the same as dmz -> inside, i.e. the data flow is from a low security interface to a high security interface.

Anybody out there have any ideas what I'm doing wrong?


Re: PIX-3-305005: No translation group found .....

Thanks for the information and documentation. Your second static is wrong however. You always want to translate the address from the higher security interface onto the lower security interface (much like you did with your first static example - dmz to outside). In this case, you would want to remove the following static:

static (inside,dmz)

and replace it with:

static (inside,dmz)

This statement is translating the address (an inside address) onto the DMZ interface. Now, you should be able to send traffic from the host to the

Hope this helps explain matters.


CreatePlease to create content