Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member


NAT services have been reduced to only 2 vlans.

The computers on the remaining vlans use ISA_Server for access to the internet.

The syslog server has tremendous amounts of the following messages:


Error Message IREFO BJ:24101%PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

Explanation A packet does not match any of the outbound nat rules.

Recommended Action This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL.

To remove the enormous amount of messages i will use the no logging message 305005 command. However, this configuration change will not stop the actual events from happening.

Is this type of message common or can do I have a misconfiguration on the PIX itself or are there changes that need to be made on the routers?

As I see it. A client makes a http request to the internet. The browser has the proxy IP. The traffic is directed to the proxy. the proxy requests the page

Is this correct? .

Why is the firewall deny a translation for the client on the PIX?

Community Member


Without looking at a trace of the traffic, I think your assumption is correct. The PIX sees traffic initiated by the ISA retuning on it's outside interface. Because it didn't exit the PIX, there is not dynamic ACL created for that returning traffic and it fails. Other than the syslog messages, are you seeing anything fail on the client side?

BTW If I were offered the opportunity I would make every attempt to scrap the ISA server

Community Member



the clients experience no problems. they browse the way they should via proxy. I will look into this in depth with a trace.

Your thoughts on ISA can you can you elaborate?

Can you provide any links supporting this?

Thank you

Community Member


The trace should help, although I am surprised that clients are not experiencing any problems.

I currently work for M'soft in Enterprise Network Support, supporting ISA. ISA unnecessarily complicates the network, unless you're exclusively using it as a web proxy to restrict web traffic, and even in that case I would use Websense instead. I am simply speaking from opinion ;-)

CreatePlease to create content