Cisco PIX - 'No translation group found' with statics

Yet again, my lack of knowledge about Cisco lets me down, and I find myself asking for help for what is probably a really simple question.

I've just taken delivery of a new PIX at our hosting company.
They'd configured it so we had things like:

name 192.168.0.200 Protected-Host1-Local
name 1.2.3.200 Host1 Protected-Host1      (real IP address changed to protect the innocent)
name 192.168.0.254 Fw-PIX-Inside
name 1.2.3.1 Fw-Pix-Outside                    (ditto)
ip address outside Fw-PIX-Outside 255.255.255.0
ip address inside Fw-PIX-Inside 255.255.255.0
static (inside,outside) Protected-Host1 Protected-Host1-Local netmask 255.255.255.255 0 0

I need to NAT some of the ports for Host1, so I did:

no static (inside,outside) Protected-Host1 Protected-Host1-Local netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-Host1 https Protected-Host1-Local 5223 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-Host1 ssh Protected-Host1-Local ssh netmask 255.255.255.255 0 0

That all seemed to work OK, ssh connections ended up at the correct host, and https connections were mapped to port 5223 on the host.

However...I then found that the host could no longer send email.
Further investigation showed the following in the syslog:

Nov  5 13:59:35 192.168.0.254 Nov 05 2004 12:59:16: %PIX-3-305005: No translation group found for udp src inside:Protected-Host3-Local/32819 dst outside:212.67.202.2/53

So, the statics I added seem to have broken outgoing connections.

The outgoing access-list contains the following:
access-list ACL-OUT permit tcp any any eq domain
access-list ACL-OUT permit udp any any eq domain

What magical runes do I need to enter to allow hosts with static NAT to continue connecting to external hosts?


j_dyerAsked:

grbladesCommented:
Hi j_dyer,
> static (inside,outside) Protected-Host1 Protected-Host1-Local netmask
> 255.255.255.255 0 0
This is a NAT translation and all inbound and outbound connections will be NATed. This is the best thing to do if you don't want to add address translations destined to other internal machines from the same external IP address.
By default all inbound connections are denied so you still have to edit the inbound access-list to permit the connections you want.

lrmooreCommented:
Do you have a global (outside) x command?

j_dyerAuthor Commented:
grblades - the PIX actually has 5 external addresses, currently mapped to the five physical hosts in the protected area.
The other hosts all have static lines as you suggest, it's just this one host which needs to have its port 443 forwarded to port 5223
(the answering process won't run as root, and we need to allow connections to it on port 443).

lrmoore - no, there are no global commands in the config.
lrmooreCommented:
If you add a global, then you won't see that error and everything might work..

global (outside) 1 interface
nat (inside) 1 0 0 0

Also, highly suggest removing anything like:
   access-group ACL-OUT in interface inside  <== do not apply to inside until you want to restrict something outbound..
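The accepted fix combined with the original port-forward statics, written out as one consistent PIX 6.x configuration fragment. This is an added example, not configuration posted by anyone in the thread: the host names and addresses are the ones from the question (the 1.2.3.x addresses are the poster's placeholders), and the inbound access-list name ACL-IN and its entries are assumptions. Lines beginning with ":" are comments.

```text
: Enable symbolic names, then define the hosts as in the question
names
name 192.168.0.200 Protected-Host1-Local
name 1.2.3.200 Protected-Host1
name 192.168.0.254 Fw-PIX-Inside
name 1.2.3.1 Fw-PIX-Outside
ip address outside Fw-PIX-Outside 255.255.255.0
ip address inside Fw-PIX-Inside 255.255.255.0

: Port statics: only these two (protocol, port) pairs are translated
: 1:1 for Protected-Host1. Outside tcp/443 lands on inside tcp/5223.
static (inside,outside) tcp Protected-Host1 https Protected-Host1-Local 5223 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-Host1 ssh Protected-Host1-Local ssh netmask 255.255.255.255 0 0

: Fallback for everything the port statics do not cover (DNS, SMTP, ...):
: an inside host with no matching static is PATed to the outside
: interface address. Without this pair the PIX has no translation for
: the outbound packet, logs %PIX-3-305005 and drops it.
global (outside) 1 interface
nat (inside) 1 0 0 0

: Inbound policy (ACL-IN is an assumed name). The static only creates
: the translation; the access-list grants permission, and a connection
: from outside needs both before it reaches the inside host.
access-list ACL-IN permit tcp any host Protected-Host1 eq https
access-list ACL-IN permit tcp any host Protected-Host1 eq ssh
access-group ACL-IN in interface outside
```

With this configuration, outbound connections from Protected-Host1-Local are sourced from Fw-PIX-Outside rather than from Protected-Host1, because the global uses the interface address; anything on the outside that identifies the host by its source address (for example mail servers doing reverse lookups on the sending IP) will see 1.2.3.1. After making an outbound test connection, show xlate lists the PAT entry that the global/nat pair created and confirms the 305005 message is gone.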

j_dyerAuthor Commented:
lrmoore - thanks for that - worked a treat.