06-27-2011 04:53 AM - edited 03-11-2019 01:51 PM
Error message
305005: No translation group found for udp src c_dmz:10.0.176.120/51910 dst inside:195.244.192.16/53
305005: No translation group found for udp src c_dmz:10.0.176.120/51910 dst inside:195.244.192.166/53
Config:
PIX Version 6.3(4)
nameif ethernet0 c_dmz security0
nameif ethernet1 g_dmz security25
nameif ethernet2 inside security100
access-list acl-c_dmz permit udp host 10.0.176.120 host 195.244.192.166 eq domain
access-list acl-c_dmz permit udp host 10.0.176.120 host 195.244.192.16 eq domain
ip address c_dmz 10.0.176.1 255.255.255.0
ip address g_dmz 10.0.172.1 255.255.255.0
ip address inside 10.0.232.1 255.255.255.0
nat (c_dmz) 0 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (inside,c_dmz) 10.0.232.0 10.0.232.0 netmask 255.255.255.0 0 0
static (inside,_dmz) 10.0.232.0 10.0.232.0 netmask 255.255.255.0 0 0
static (g_dmz,c_dmz) 10.0.172.0 10.0.172 netmask 255.255.255.0 0 0
static (c_dmz,inside) 10.0.176.0 10.0.176.0 netmask 255.255.255.0 0 0
access-group acl-c_dmz in interface c_dmz
access-group acl-g_dmz in interface g_dmz
Issue
Servers are trying to access 2 DNS servers via the inside interface.
There is no outside interface, default route is via inside interface.
I thought it needed a nat (c_dmz) command, but I got the following error message:
PIX(config)# nat (c_dmz) 0 0.0.0.0 0.0.0.0 0 0
nat 0 0.0.0.0 will be identity translated for outbound
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
Any idea where I am going wrong?
06-27-2011 05:18 AM
The "nat (c_dmz) 0 0.0.0.0 0.0.0.0 0 0" command only works for outbound connections, i.e. from high to low security level.
Since you would like to pass traffic from c_dmz (security level 0) to inside (security level 100), i.e. from low to high security level, you would need the following commands:
static (inside,c_dmz) 195.244.192.166 195.244.192.166 netmask 255.255.255.255
static (inside,c_dmz) 195.244.192.16 195.244.192.16 netmask 255.255.255.255
Hope that helps.
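
The check described in the answer above, as an added example that is not part of the original thread: Python that reads PIX 6.3 `nameif` and `static` lines and reports the 305005 destinations on a higher-security interface that no static covers. It assumes the `static (real_if,mapped_if) mapped_ip real_ip netmask mask` form and ignores ACLs and other NAT commands; the function names are hypothetical and the sample config and log lines are trimmed from the posts above.

```python
import ipaddress
import re

# Constructed sample input: trimmed from the config, log lines and fix quoted in the thread.
CONFIG = """\
nameif ethernet0 c_dmz security0
nameif ethernet2 inside security100
static (inside,c_dmz) 10.0.232.0 10.0.232.0 netmask 255.255.255.0 0 0
static (c_dmz,inside) 10.0.176.0 10.0.176.0 netmask 255.255.255.0 0 0
"""
LOGS = """\
305005: No translation group found for udp src c_dmz:10.0.176.120/51910 dst inside:195.244.192.16/53
305005: No translation group found for udp src c_dmz:10.0.176.120/51910 dst inside:195.244.192.166/53
"""
FIX = """\
static (inside,c_dmz) 195.244.192.166 195.244.192.166 netmask 255.255.255.255
static (inside,c_dmz) 195.244.192.16 195.244.192.16 netmask 255.255.255.255
"""

NAMEIF = re.compile(r"^nameif \S+ (\S+) security(\d+)", re.M)
STATIC = re.compile(r"^static \((\S+?),(\S+?)\) (\S+) \S+ netmask (\S+)", re.M)
LOG = re.compile(r"305005: .* src (\S+?):(\S+?)/\d+ dst (\S+?):(\S+?)/\d+")

def parse(config):
    """Return ({interface: security level}, [(real_if, mapped_if, mapped_network)])."""
    levels = {name: int(lvl) for name, lvl in NAMEIF.findall(config)}
    statics = [(real, mapped, ipaddress.ip_network(f"{addr}/{mask}", strict=False))
               for real, mapped, addr, mask in STATIC.findall(config)]
    return levels, statics

def uncovered(config, logs):
    """List (src_if, dst_if, dst_ip) for logged low-to-high flows with no static covering dst_ip."""
    levels, statics = parse(config)
    missing = []
    for src_if, _src, dst_if, dst in LOG.findall(logs):
        if levels[src_if] >= levels[dst_if]:
            continue  # outbound (high to low): handled by nat, not by a static
        ip = ipaddress.ip_address(dst)
        # A usable static has the destination interface as the real side and
        # the source interface as the mapped side, and its mapped range holds dst.
        if not any(r == dst_if and m == src_if and ip in net for r, m, net in statics):
            missing.append((src_if, dst_if, dst))
    return missing

if __name__ == "__main__":
    # Print an identity static for each uncovered destination, in the form the answer uses.
    for src_if, dst_if, dst in uncovered(CONFIG, LOGS):
        print(f"static ({dst_if},{src_if}) {dst} {dst} netmask 255.255.255.255")
```
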
07-04-2011 06:43 AM
That worked a treat. Thanks.