
Solved

Cisco PIX - 'No translation group found' with statics

Posted on 2004-11-05
Last Modified: 2011-08-18
Yet again, my lack of knowledge about Cisco lets me down, and I find myself asking for help for what is probably a really simple question.

I've just taken delivery of a new PIX at our hosting company.
They'd configured it so we had things like:

name 192.168.0.200 Protected-Host1-Local
name 1.2.3.200 Host1 Protected-Host1      (real IP address changed to protect the innocent)
name 192.168.0.254 Fw-PIX-Inside
name 1.2.3.1 Fw-Pix-Outside                    (ditto)
ip address outside Fw-PIX-Outside 255.255.255.0
ip address inside Fw-PIX-Inside 255.255.255.0
static (inside,outside) Protected-Host1 Protected-Host1-Local netmask 255.255.255.255 0 0

I need to NAT some of the ports for Host1, so I did:

no static (inside,outside) Protected-Host1 Protected-Host1-Local netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-Host1 https Protected-Host1-Local 5223 netmask 255.255.255.255 0 0
static (inside,outside) tcp Protected-Host1 ssh Protected-Host1-Local ssh netmask 255.255.255.255 0 0

That all seemed to work OK, ssh connections ended up at the correct host, and https connections were mapped to port 5223 on the host.

However... I then found that the host could no longer send email.
Further investigation showed the following in the syslog:

Nov  5 13:59:35 192.168.0.254 Nov 05 2004 12:59:16: %PIX-3-305005: No translation group found for udp src inside:Protected-Host3-Local/32819 dst outside:212.67.202.2/53

So, the statics I added seem to have broken outgoing connections.

The outgoing access-list contains the following:
access-list ACL-OUT permit tcp any any eq domain
access-list ACL-OUT permit udp any any eq domain

What magical runes do I need to enter to allow hosts with static NAT to continue connecting to external hosts?

Question by:j_dyer
Expert Comment by: grblades (LVL 36, ID: 12504796)
Hi j_dyer,
> static (inside,outside) Protected-Host1 Protected-Host1-Local netmask
> 255.255.255.255 0 0
This is a NAT translation and all inbound and outbound connections will be NAT'd. This is the best thing to do if you don't want to add address translations destined to other internal machines from the same external IP address.
By default all inbound connections are denied, so you still have to edit the inbound access-list to permit the connections you want.

Expert Comment by: lrmoore (LVL 79, ID: 12505188)
Do you have a global (outside) x command?

Author Comment by: j_dyer (LVL 2, ID: 12505305)
grblades - the PIX actually has 5 external addresses, currently mapped to the five physical hosts in the protected area.
The other hosts all have static lines as you suggest; it's just this one host which needs to have its port 443 forwarded to port 5223
(the answering process won't run as root, and we need to allow connections to it on port 443).

lrmoore - no, there are no global commands in the config.
Accepted Solution by: lrmoore (LVL 79, earned 2000 total points, ID: 12506376)
If you add a global, then you won't see that error and everything might work.

global (outside) 1 interface
nat (inside) 1 0 0 0

Also, highly suggest removing anything like:
   access-group ACL-OUT in interface inside  <== do not apply to inside until you want to restrict something outbound.
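As an added illustration (not code from the thread, the poster or Cisco): a small Python model of the PIX translation lookup, showing why the two port statics leave the host's outbound UDP/53 packet with no translation group and why the nat/global pair in the accepted solution restores it. The names and 1.2.3.x addresses are the poster's placeholders, and the lookup order is a simplification of what the PIX does.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Static:
    global_ip: str                      # outside address
    local_ip: str                       # inside host
    proto: Optional[str] = None         # None: plain one-to-one static (all protocols/ports)
    global_port: Optional[int] = None
    local_port: Optional[int] = None

@dataclass
class PixNat:
    outside_if_ip: str
    statics: list = field(default_factory=list)
    nat_rules: dict = field(default_factory=dict)     # nat (inside) id -> inside networks
    global_pools: dict = field(default_factory=dict)  # global (outside) id -> 'interface' or IP

    def translate(self, src_ip: str, proto: str, src_port: int):
        """Outside (address, port) for an outbound packet, or None = %PIX-3-305005."""
        # Statics are checked first; a port static only covers its own protocol/port pair.
        for s in self.statics:
            if s.local_ip != src_ip:
                continue
            if s.proto is None:
                return s.global_ip, src_port
            if s.proto == proto and s.local_port == src_port:
                return s.global_ip, s.global_port
        # No static matched: a nat (inside) id with a matching global (outside) is needed.
        # 'interface' = PAT behind the outside address; PAT port choice is not modelled.
        for nat_id, nets in self.nat_rules.items():
            if nat_id not in self.global_pools:
                continue
            if any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in nets):
                pool = self.global_pools[nat_id]
                return (self.outside_if_ip if pool == "interface" else pool), src_port
        return None

# Constructed config mirroring the thread (1.2.3.x are the poster's placeholder addresses).
HOST1, HOST1_LOCAL, OUTSIDE = "1.2.3.200", "192.168.0.200", "1.2.3.1"
pix = PixNat(OUTSIDE, statics=[Static(HOST1, HOST1_LOCAL, "tcp", 443, 5223),  # https -> 5223
                               Static(HOST1, HOST1_LOCAL, "tcp", 22, 22)])    # ssh -> ssh

def dns_lookup_from_host1(fw: PixNat):
    return fw.translate(HOST1_LOCAL, "udp", 32819)   # the UDP/53 packet from the syslog line

def apply_accepted_fix(fw: PixNat):
    fw.global_pools[1] = "interface"   # global (outside) 1 interface
    fw.nat_rules[1] = ["0.0.0.0/0"]    # nat (inside) 1 0 0 0
```

In this model, after the fix any Host1 traffic that no static covers (outbound SMTP included) leaves with the outside interface address rather than Host1's own public address, which is worth knowing where remote mail servers check the connecting IP.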
Author Comment by: j_dyer (LVL 2, ID: 12523144)
lrmoore - thanks for that - worked a treat.