Cisco PIX - 'No translation group found' with statics

Posted on 2004-11-05
Last Modified: 2011-08-18
Yet again, my lack of knowledge about Cisco lets me down, and I find myself asking for help for what is probably a really simple question.

I've just taken delivery of a new PIX at our hosting company.
They'd configured it so we had things like:

name Protected-Host1-Local
name Host1 Protected-Host1      (real IP address changed to protect the innocent)
name Fw-PIX-Inside
name Fw-Pix-Outside                    (ditto)
ip address outside Fw-PIX-Outside
ip address inside Fw-PIX-Inside
static (inside,outside) Protected-Host1 Protected-Host1-Local netmask 0 0

I need to NAT some of the ports for Host1, so I did:

no static (inside,outside) Protected-Host1 Protected-Host1-Local netmask 0 0
static (inside,outside) tcp Protected-Host1 https Protected-Host1-Local 5223 netmask 0 0
static (inside,outside) tcp Protected-Host1 ssh Protected-Host1-Local ssh netmask 0 0

That all seemed to work OK, ssh connections ended up at the correct host, and https connections were mapped to port 5223 on the host.

However...I then found that the host could no longer send email.
Further investigation showed the following in the syslog:

Nov  5 13:59:35 Nov 05 2004 12:59:16: %PIX-3-305005: No translation group found for udp src inside:Protected-Host3-Local/32819 dst outside:

So, the statics I added seem to have broken outgoing connections.

The outgoing access-list contains the following:
access-list ACL-OUT permit tcp any any eq domain
access-list ACL-OUT permit udp any any eq domain

What magical runes do I need to enter to allow hosts with static NAT to continue connecting to external hosts?

Question by:j_dyer
    LVL 36

    Expert Comment

    Hi j_dyer,
    > static (inside,outside) Protected-Host1 Protected-Host1-Local netmask
    > 0 0
    This is a NAT translation and all inbound and outbound connections will be NATed. This is the best thing to do if you don't want to add address translations destined to other internal machines from the same external IP address.
    By default all inbound connections are denied so you still have to edit the inbound access-list to permit the connections you want.

    LVL 79

    Expert Comment

    Do you have a global (outside) x command?

    LVL 2

    Author Comment

    grblades - the PIX actually has 5 external addresses, currently mapped to the five physical hosts in the protected area.
    The other hosts all have static lines as you suggest, it's just this one host which needs to have its port 443 forwarded to port 5223
    (the answering process won't run as root, and we need to allow connections to it on port 443).

    lrmoore - no, there are no global commands in the config.
    LVL 79

    Accepted Solution

    If you add a global, then you won't see that error and everything might work..

    global (outside) 1 interface
    nat (inside) 1 0 0 0

    Also, highly suggest removing anything like:
       access-group ACL-OUT in interface inside  <== do not apply to inside until you want to restrict something outbound..
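
To see why the port statics on their own leave the host with no outbound translation, and why the global/nat pair above removes the %PIX-3-305005 message, here is a small Python model of the translation lookup a PIX 6.x does for an inside-to-outside flow. It is an added example, not code from this thread or from Cisco. It assumes constructed addresses 10.0.0.10 and 192.0.2.10 in place of the ones the poster removed, the full "netmask 255.255.255.255 0 0" form of the static command, and it models only address statics, port statics and the nat/global pair (nat 0, access-list NAT and xlate state are left out). It goes slightly beyond the thread in that it resolves name entries and checks any inside host against the nat rule, not just Host1.

```python
"""Toy model of a PIX 6.x translation lookup for inside->outside flows.
Added example, not Cisco code; constructed addresses and a reduced
command set (name, static, nat, global) only."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Service keywords used in the thread's config, resolved to port numbers.
SERVICES = {"ssh": 22, "https": 443, "domain": 53, "smtp": 25}


def to_port(tok: str) -> int:
    return SERVICES[tok] if tok in SERVICES else int(tok)


@dataclass
class Static:
    proto: Optional[str]        # None: address static covering all protocols/ports
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]


@dataclass
class PixNat:
    names: Dict[str, str] = field(default_factory=dict)          # label -> IP
    statics: List[Static] = field(default_factory=list)
    nat_rules: List[Tuple[int, ipaddress.IPv4Network]] = field(default_factory=list)
    global_pools: Dict[int, str] = field(default_factory=dict)   # nat id -> pool text

    def ip(self, tok: str) -> str:
        return self.names.get(tok, tok)

    def load(self, config: str) -> "PixNat":
        for line in config.splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "name":                    # name <ip> <label>
                self.names[t[2]] = t[1]
            elif t[0] == "static":                # static (in,out) [proto] G [gp] L [lp] netmask ...
                body = t[2:t.index("netmask")] if "netmask" in t else t[2:]
                if body[0] in ("tcp", "udp"):
                    proto, g, gp, loc, lp = body
                    self.statics.append(Static(proto, self.ip(g), to_port(gp), self.ip(loc), to_port(lp)))
                else:
                    g, loc = body
                    self.statics.append(Static(None, self.ip(g), None, self.ip(loc), None))
            elif t[0] == "nat":                   # nat (inside) <id> <net> <mask>
                net, mask = t[3], t[4]
                if net == "0":                    # "nat (inside) 1 0 0 0" shorthand for any host
                    net, mask = "0.0.0.0", "0.0.0.0"
                self.nat_rules.append((int(t[2]), ipaddress.ip_network(f"{net}/{mask}", strict=False)))
            elif t[0] == "global":                # global (outside) <id> interface|<ip>
                self.global_pools[int(t[2])] = " ".join(t[3:])
        return self

    def outbound(self, src_ip: str, proto: str, src_port: int) -> Optional[str]:
        """Translation used when an inside host opens a connection outward,
        or None: the case the firewall logs as %PIX-3-305005."""
        src_ip = self.ip(src_ip)
        for s in self.statics:
            if s.local_ip != src_ip:
                continue
            if s.proto is None:
                return f"static {src_ip} -> {s.global_ip}"
            # A port static covers exactly one protocol/port on the inside host;
            # a new outbound flow from an ephemeral source port never matches it.
            if s.proto == proto and s.local_port == src_port:
                return f"static {src_ip}/{src_port} -> {s.global_ip}/{s.global_port}"
        for nat_id, net in self.nat_rules:
            if ipaddress.ip_address(src_ip) in net and nat_id in self.global_pools:
                return f"nat {nat_id} -> global {self.global_pools[nat_id]}"
        return None


# Constructed configs mirroring the thread; 10.0.0.10 / 192.0.2.10 stand in for
# the addresses the poster removed.
NAMES = "name 10.0.0.10 Protected-Host1-Local\nname 192.0.2.10 Protected-Host1\n"
ORIGINAL = NAMES + "static (inside,outside) Protected-Host1 Protected-Host1-Local netmask 255.255.255.255 0 0\n"
PORT_STATICS = NAMES + (
    "static (inside,outside) tcp Protected-Host1 https Protected-Host1-Local 5223 netmask 255.255.255.255 0 0\n"
    "static (inside,outside) tcp Protected-Host1 ssh Protected-Host1-Local ssh netmask 255.255.255.255 0 0\n")
FIXED = PORT_STATICS + "global (outside) 1 interface\nnat (inside) 1 0 0 0\n"

if __name__ == "__main__":
    for label, cfg in (("address static", ORIGINAL), ("port statics", PORT_STATICS), ("plus nat/global", FIXED)):
        found = PixNat().load(cfg).outbound("Protected-Host1-Local", "udp", 32819)
        print(f"{label:16} udp/32819 outbound -> {found}")
```

Running it shows the progression from the thread: the address static translates everything from Host1, the two port statics translate nothing outbound (None, the logged condition), and adding the global/nat pair gives every inside host an interface PAT translation to fall back on while the port statics still handle inbound 443 and 22.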
    LVL 2

    Author Comment

    lrmoore - thanks for that - worked a treat.
