"no translation group found for tcp src dmz..."?

Just when you think you've got it sussed...

I'm not getting on too well with PIX OS 7.0.x. To try and get back to basics, I've created a short config in the cli. Essentially, it's a 3-legged config: inside, outside, dmz.

All I really want to do is:

1)Allow any to talk to a host in the dmz on http.

This works fine.

2)Allow the dmz host to talk to a host on the inside on http.

This doesn't. The message I get is (seen in ASDM):

"no translation group found for tcp src dmz:SG01/1262 dst inside:inside-web-server/80".

Anyone have any ideas? My names, static, acl, access-group: all look fine. I've cleared xlate a gazillion times.

Is the fact that the acl allowing access from the outside to the dmz host and the acl allowing the dmz host access to the inside host are both http breaking things?

Config is below:

PIX Version 7.0(4)
!
hostname pixfirewall
domain-name
enable password
names
name 192.168.168.11 SG01 description SG01's internal ip address
name 10.100.10.20 inside-web-server description internal web server ip address
name (xxx.xxx.xxx.xxx) outside-web-server description one of my publics is a web server
!
interface Ethernet0
description The outside interface
nameif outside
security-level 0
ip address (xxx.xxx.xxx.xxx) (255.255.255.240)
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.100.10.0 255.255.0.0
!
interface Ethernet2
description The dmz interface
nameif dmz
security-level 50
ip address 192.168.168.1 255.255.255.0
!
passwd
ftp mode passive
access-list outside_access_in remark Added an 'access rule' permitting any source/any port on the outside to access SG01
access-list outside_access_in remark as long as its http traffic.
access-list outside_access_in extended permit tcp any host outside-web-server eq www
access-list dmz_access_in remark Test rule, to allow SG01 to talk to inside-web-host
access-list dmz_access_in remark as long as its http traffic.
access-list dmz_access_in extended permit tcp host SG01 host inside-web-server eq www
pager lines 200
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
static (dmz,outside) outside-web-server SG01 netmask 255.255.255.255
static (inside,dmz) SG01 inside-web-server netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 (next hop) 1
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp

2 REPLIES

Re: "no translation group found for tcp src dmz..."?

Hi,

I think this is because you already used SG01's IP (192.168.168.11) for a host in the DMZ.

To allow the DMZ host to talk to an inside/internal segment host, you need to use an unused IP, e.g.:

static (inside,dmz) 192.168.168.100 inside-web-server netmask 255.255.255.255

*assuming 192.168.168.100 is a free IP

or use "static (inside,dmz) 10.100.10.0 10.100.10.0 netmask 255.255.255.0" -> allow DMZ to access inside hosts using the inside host's physical/original IP.

Apply ACL to allow specific TCP/UDP services.

BTW, your inside interface should use a host IP, e.g. 10.100.10.1, instead of the network ID "10.100.10.0 255.255.255.0".

Rgds,

AK
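To make AK's point concrete, here is an added example (not part of the thread, nor PIX code) that models the pre-8.3 static lookup for a packet entering the lower-security dmz interface: the destination must hit the mapped side of a `static (inside,dmz)` entry, and an entry whose mapped address is already a real DMZ host can never match. The `Static` class, the host inventory and the function names are this example's own; the addresses are the thread's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) mapped real netmask mask' line."""
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    mask: str = "255.255.255.255"

    def nets(self):
        return (ip_network(f"{self.mapped}/{self.mask}", strict=False),
                ip_network(f"{self.real}/{self.mask}", strict=False))

def lookup_translation(statics, src_if, dst_if, dst_ip):
    """Model of the pre-8.3 lookup for a packet entering src_if (lower
    security) bound for dst_if: the destination must hit the mapped side
    of a static whose real side is dst_if. Returns the real address the
    PIX would forward to, or None ("no translation group found")."""
    dst = ip_address(dst_ip)
    for s in statics:
        if s.real_if != dst_if or s.mapped_if != src_if:
            continue
        mapped_net, real_net = s.nets()
        if dst in mapped_net:
            offset = int(dst) - int(mapped_net.network_address)
            return str(real_net.network_address + offset)
    return None

def mapped_collisions(statics, hosts_on_if):
    """Flag statics whose mapped address is already a real host on the
    mapped interface: a DMZ host sending to that address reaches the host
    itself (or nothing), never the PIX, so the entry can never match.
    hosts_on_if is {"dmz": {"192.168.168.11"}, ...}."""
    bad = []
    for s in statics:
        mapped_net, _ = s.nets()
        for h in hosts_on_if.get(s.mapped_if, ()):
            if ip_address(h) in mapped_net:
                bad.append((s.mapped, h))
    return bad

# Addresses from the thread; the host inventory is constructed for the example.
DMZ_HOSTS = {"dmz": {"192.168.168.11"}}  # SG01's real address
ORIGINAL = [Static("inside", "dmz", "192.168.168.11", "10.100.10.20")]
FIXED_FREE_IP = [Static("inside", "dmz", "192.168.168.100", "10.100.10.20")]
FIXED_IDENTITY = [Static("inside", "dmz", "10.100.10.0", "10.100.10.0",
                         "255.255.255.0")]
```

With the free-IP static, the dmz ACL must then permit traffic to 192.168.168.100 rather than to inside-web-server, because on 7.x an interface ACL matches the address as it appears on that interface.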

Re: "no translation group found for tcp src dmz..."?

Thanks AK, I'll try that out.

regards,

Gary
