Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

"nat 0" on more than one interface?


I have the need to use nat 0 on more than one Pix (6.3) interface.

I have:

nat (inside) 0 access-list NoNAT

nat (XYZ) 0 access-list XYZ-NoNAT

the NoNAT and XYZ-NoNAT acls are different as the interfaces protect different networks.

I would have imagined there would be no issue with doing this but logs are telling me there is "%PIX-3-305005: No translation group found for tcp src [...]" for the:

nat (XYZ) 0 access-list XYZ-NoNAT

nat (inside) 0 access-list NoNAT is working fine

There could be other issues but a quick answer as to whether the PIX can handle this config will narrow down what I have to troubleshoot.

Thanks in advance,


  • Other Security Subjects

Re: "nat 0" on more than one interface?

there should be no doubt that pix can definitely handle this scenario.


nat (inside) 0 access-list 100

nat (DMZ) 0 access-list 110

access-list 100 permit ip

access-list 110 permit ip

New Member

Re: "nat 0" on more than one interface?

Cheers Jackko,

that has answered my immediate question. Unfortunately traffic that should match the acl of the the DMZ nat 0 does not. That same acl is also used for an IPSec match-address statement but as the acl is not hit it is not encrypted and is merely pumped out the default gateway with a syslog msg:

%PIX-3-305005: No translation group found for tcp src DMZ: dst inside:

(Yes "inside" is the default gateway ... don't ask!)

I have a question in the VPN > General forum under the heading "Not hitting match-address ACL therefore routing out default" which goes into this in more detail. If you have any ideas it would be much appreciated.

Thanks again,


This widget could not be displayed.