Cisco Support Community
"no translation group found for tcp src dmz..."?

Just when you think you've got it sussed...

I'm not getting on too well with PIX OS 7.0.x. To try and get back to basics, I've created a short config in the CLI. Essentially, it's a 3-legged config: inside, outside, dmz.

All I really want to do is:

1) Allow any to talk to a host in the dmz on http.

This works fine.

2) Allow the dmz host to talk to a host on the inside on http.

This doesn't. Message I get is (seen in ASDM):

"no translation group found for tcp src dmz:SG01/1262 dst inside:inside-web-server/80".

Anyone have any ideas? My names, static, ACL, access-group all look fine. I've cleared xlate a gazillion times.

Is the fact that both the ACL allowing access from the outside to the dmz host and the ACL allowing the dmz host access to the inside host are both http breaking things?

Config is below:

PIX Version 7.0(4)
hostname pixfirewall
enable password
name SG01 description SG01's internal ip address
name inside-web-server description internal web server ip address
name outside-web-server description one of my publics is a web server
interface Ethernet0
 description The outside interface
 nameif outside
 security-level 0
 ip address
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 description The dmz interface
 nameif dmz
 security-level 50
 ip address
ftp mode passive
access-list outside_access_in remark Added an 'access rule' permitting any source/any port on the outside to access SG01
access-list outside_access_in remark as long as it's http traffic.
access-list outside_access_in extended permit tcp any host outside-web-server eq www
access-list dmz_access_in remark Test rule, to allow SG01 to talk to inside-web-host
access-list dmz_access_in remark as long as it's http traffic.
access-list dmz_access_in extended permit tcp host SG01 host inside-web-server eq www
pager lines 200
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
static (dmz,outside) outside-web-server SG01 netmask
static (inside,dmz) SG01 inside-web-server netmask
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside (next hop) 1
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp


Re: "no translation group found for tcp src dmz..."?


I think this is because you already used SG01's IP for a host in the DMZ.

To allow the DMZ host to talk to an inside/internal segment host, you need to use an unused IP, e.g.:

static (inside,dmz) inside-web-server netmask

*assuming is a free IP

or use "static (inside,dmz) netmask" -> allows the DMZ to access inside hosts using the inside hosts' physical/original IPs.

Apply an ACL to allow specific TCP/UDP services.

BTW, your inside interface should use a host IP, e.g., instead of the network ID of "".

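The two fixes the reply describes, written out as an added example (this is not configuration from the original thread or from either poster). The addresses, masks and the extra name are assumptions chosen to make the fragment self-contained; the PIX 7.0 syntax `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` is the point being illustrated:

```cisco
! Added example, not from the thread. PIX 7.0 static syntax:
!   static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! mapped_ip is the address that hosts on mapped_ifc send to; the PIX
! rewrites it to real_ip on real_ifc.

! --- Assumed addressing (not in the original post) ---
name 10.10.10.5   SG01              description DMZ web host (assumed address)
name 10.10.10.6   inside-web-on-dmz description unused DMZ address (assumed)
name 192.168.1.10 inside-web-server description inside web server (assumed address)

! --- The posted line, for comparison ---
! Reading it with the syntax above: mapped_ip = SG01, real_ip = inside-web-server.
! The DMZ would have to send to SG01's own address to reach the inside
! server, which is the overlap the reply points out.
!   static (inside,dmz) SG01 inside-web-server netmask 255.255.255.255

! --- Option 1 (reply): present the inside server on an unused DMZ address ---
static (inside,dmz) inside-web-on-dmz inside-web-server netmask 255.255.255.255
! On pre-8.3 code the interface ACL sees the destination as the DMZ host
! sent it, i.e. the mapped address, so SG01 connects to 10.10.10.6 and
! the rule must name that address:
access-list dmz_access_in extended permit tcp host SG01 host inside-web-on-dmz eq www

! --- Option 2 (reply): identity static, DMZ reaches inside hosts by their real IPs ---
! Use one or the other, not both, for the same inside host.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! With an identity static the destination in the ACL is the real address,
! so the rule as posted in the thread works unchanged:
access-list dmz_access_in extended permit tcp host SG01 host inside-web-server eq www

access-group dmz_access_in in interface dmz

! After changing statics, drop stale translations and confirm the
! expected entry appears when SG01 connects:
!   clear xlate
!   show xlate
```

Two checks worth making before concluding the static is at fault: the (inside,dmz) static must be the only translation for that inside host on that interface pair, and the `dmz_access_in` destination must match whichever address form (mapped or real) the chosen static gives the DMZ. PIX 7.0 also has the `nat-control` command; with it disabled (the default on a fresh 7.0 install) hosts with no NAT rule pass untranslated, but a host that does have a static on an interface pair is reached through that static's mapped address, which is why the DMZ host needs either a usable mapped address or an identity static here.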


Re: "no translation group found for tcp src dmz..."?

Thanks AK, I'll try that out.


