Cisco PIX - 'No translation group found' with statics
Posted on 2004-11-05
Yet again, my lack of knowledge about Cisco lets me down, and I find myself asking for help for what is probably a really simple question.
I've just taken delivery of a new PIX at our hosting company.
They'd configured it so we had things like:
name 192.168.0.200 Protected-Host1-Local
name 22.214.171.124 Host1 Protected-Host1 (real IP address changed to protect the innocent)
name 192.168.0.254 Fw-PIX-Inside
name 126.96.36.199 Fw-Pix-Outside (ditto)
ip address outside Fw-PIX-Outside 255.255.255.0
ip address inside Fw-PIX-Inside 255.255.255.0
static (inside,outside) Protected-Host1 Protected-Host1-Local netmask 255.255.255.255 0 0
I need to NAT some of the ports for Host1, so I did:
no static (inside,outside) Protected-Host1 Protected-Host1-Local netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-Host1 https Protected-Host1-Local 5223 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-Host1 ssh Protected-Host1-Local ssh netmask 255.255.255.255 0 0
That all seemed to work OK, ssh connections ended up at the correct host, and https connections were mapped to port 5223 on the host.
However...I then found that the host could no longer send email.
Further investigation showed the following in the syslog:
Nov 5 13:59:35 192.168.0.254 Nov 05 2004 12:59:16: %PIX-3-305005: No translation group found for udp src inside:Protected-Host3-Local/32819 dst outside:188.8.131.52/53
So, the static's I added seem to have broken outgoing connections.
The outgoing access-list contains the following:
access-list ACL-OUT permit tcp any any eq domain
access-list ACL-OUT permit udp any any eq domain
What magical runes do I need to enter to allow hosts with static NAT to continue connecting to external hosts?