1804 Views, 0 Helpful, 11 Replies

Static NAT problem PIX501 6.3(5) - No translation group

ddavenport-dcc (Level 1)

Hi All,

Can anyone help with the following

I have a legacy PIX 501. I have created a static NAT as follows

Inside host (192.168.1.1) to NAT to outside address 10.1.1.1 (not the real ip addresses)

So, I've configured a static:

static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255

Every time inside host 10.1.1.1 makes a request I get a 'no translation group found for udp src inside 10.1.1.1/port dst outside x.x.x.x/port'.

I can see the translation in XLATE. I've tried clearing translations - no joy.

Any ideas

ACLs, routing all appear fine

TIA!

11 Replies

Hi,

The command:

static (inside,outside) 10.1.1.1 192.168.1.1

Means that inside host 192.168.1.1 will be statically translated to 10.1.1.1 when going to the outside interface (and vice versa).

When doing 'show xlate' you will always see the XLATE and cannot clear it (because it is a static XLATE).

However, you're right. You should not get a translation error.

Can you check if you have NAT 0 statements with ACLs?

NAT on the PIX/ASA has an order of precedence, so a NAT 0 ACL rule will have priority over a static NAT, for instance.

The order is:

1. NAT 0 ACL

2. Static NAT/PAT

3. Policy NAT/PAT

4. Dynamic NAT/PAT

Federico.

Hi Federico,

Thanks for the response. There are no NAT exemptions configured on the firewall. Are there any known bugs for 6.3(5)? I know earlier 6.x releases were buggy, but I can't see any specific related bug for this release. I have two other static NATs configured for other services and they're working fine. This NAT is to pass through a VPN between a VPN endpoint within our network and a third-party concentrator across a private network. The translation that's failing is outbound ISAKMP, if that's significant. I've done something similar on an ASA (8.x) and this worked fine, so I'm thinking bug...??

Thanks

Hi ,

I didn't understand something.

First you say that you have an inside host 192.168.1.1

The configuration is for the inside host 192.168.1.1

Then you say that "every time inside host 10.1.1.1 makes a request" ... "src inside 10.1.1.1".

Which is the host, 10.1.1.1 or 192.168.1.1?

ddavenport-dcc wrote:

Hi All,

Can anyone help with the following

I have a legacy PIX 501. I have created a static NAT as follows

Inside host (192.168.1.1) to NAT to outside address 10.1.1.1 (not the real ip addresses)

static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255

Every time inside host 10.1.1.1 makes a request I get a 'no translation group found for udp src inside 10.1.1.1/port dst outside x.x.x.x/port'.

Dan

Sorry, sorry, sorry - IP blindness!

That line should have read: every time 192.168.1.1 makes a request.

192.168.1.1 is the inside host.

10.1.1.1 is its translated address on the outside.

Sorry to mislead!

Is the log a copy/paste?

'no translation group found for udp src inside 10.1.1.1/port dst outside x.x.x.x/port'

Dan

Hi,

This is the message from the log. The  is the IP address of a third party's VPN concentrator.

As you can see, this is outbound ISAKMP from a VPN endpoint (Juniper NetScreen) which is hosted on a segment of our internal network. The Juniper box also belongs to a third party; they are trying to set up a L2L IPsec VPN using our network as transit to their network.

305005: No translation group found for udp src inside:192.168.1.1/500 dst outside:/500

I've run a capture on the PIX. No traffic is transmitted out of the outside interface towards the VPN concentrator, and I get the above message!

Can't figure it out. Either I'm doing something dumb or there's a bug. Both equally likely, I guess!

Is the static NAT made with the IP address of the outside interface?

Dan

Hi Dan,

No, but it is using an IP on the same subnet. The PIX will proxy ARP.


Sent from Cisco Technical Support iPhone App

BTW how is that iPhone APP working for you?

Well, obviously there is some typo. Your masking the "true" IPs is not helping, as there could be some typos in what you typed. We cannot see that if you mask them.

So, if it is not a problem, please copy the output of:

sh run | i nat
sh run | i global
conf t
logging buffered 7
exit
sh logg | i 192.168.1.x (when the inside host tries to go out)

There are two types of translation-related syslog messages:

1. No translation group - This indicates a problem with the nat config on the ingress interface where the client lives (nat line missing).

2. Port map translation failed - This indicates a problem with the global on the egress interface (global line missing).

-KS
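The two-way split above (305005 points at the ingress nat/static, 305006 at the egress global) can be applied mechanically. The following is an added example for this thread, not code from the original post or from Cisco: it parses the `static`, `nat` and `global` lines of a PIX 6.x config, then checks each 305005/305006 syslog line against them and says which piece is missing for that source and interface pair. It assumes 305005 is the "No translation group found" message and 305006 the "portmap translation creation failed" message, as in PIX 6.3; the sample config and log lines are constructed (modelled on the thread, with a `nat (inside) 1` line added and no matching `global`) and are not a capture from the poster's firewall. ACL-based `nat 0`/policy NAT lines are recorded but not evaluated.

```python
"""PIX 6.x translation-failure triage: match 305005/305006 syslogs against the
nat/static/global lines of a running config.  Added example, not the thread's
code; sample data below is constructed."""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+)(?: netmask (?P<mask>\S+))?")
NAT_ACL_RE = re.compile(r"^nat \((?P<ifc>[\w-]+)\) (?P<id>\d+) access-list (?P<acl>\S+)")
NAT_RE = re.compile(r"^nat \((?P<ifc>[\w-]+)\) (?P<id>\d+) (?P<addr>[\d.]+) (?P<mask>[\d.]+)")
GLOBAL_RE = re.compile(r"^global \((?P<ifc>[\w-]+)\) (?P<id>\d+) ")
# 305005 and 305006 share one tail: "... for <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port>".
# The dst IP may be empty when the log was redacted, as it was in the thread.
SYSLOG_RE = re.compile(
    r"(?P<id>30500[56]):.*? for (?P<proto>\w+) src (?P<sifc>[\w-]+):(?P<sip>[\d.]+)(?:/\d+)?"
    r" dst (?P<difc>[\w-]+):(?P<dip>[\d.]*)(?:/\d+)?")


def parse_config(text):
    """Collect the three NAT building blocks PIX 6.x uses: static, nat, global."""
    rules = {"static": [], "nat": [], "nat_acl": [], "global": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            if m["mapped"] in ("tcp", "udp"):
                continue  # port-level static (static (in,out) tcp ...) is not modelled here
            mask = m["mask"] or "255.255.255.255"
            rules["static"].append({
                "real_ifc": m["real_ifc"], "mapped_ifc": m["mapped_ifc"], "mapped": m["mapped"],
                "real_net": ipaddress.ip_network(f"{m['real']}/{mask}", strict=False)})
        elif m := NAT_ACL_RE.match(line):
            # nat 0 access-list (exemption) or policy NAT: membership depends on the ACL,
            # which this example does not evaluate; record it so the verdict can say so.
            rules["nat_acl"].append({"ifc": m["ifc"], "id": int(m["id"]), "acl": m["acl"]})
        elif m := NAT_RE.match(line):
            rules["nat"].append({
                "ifc": m["ifc"], "id": int(m["id"]),
                "net": ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)})
        elif m := GLOBAL_RE.match(line):
            rules["global"].append({"ifc": m["ifc"], "id": int(m["id"])})
    return rules


def diagnose(rules, syslog_line):
    """Return a verdict dict for one 305005/305006 line, or None for any other message."""
    m = SYSLOG_RE.search(syslog_line)
    if not m:
        return None
    sip, sifc, difc = ipaddress.ip_address(m["sip"]), m["sifc"], m["difc"]
    statics = [s for s in rules["static"]
               if s["real_ifc"] == sifc and s["mapped_ifc"] == difc and sip in s["real_net"]]
    nats = [n for n in rules["nat"] if n["ifc"] == sifc and sip in n["net"]]
    acls = [a["acl"] for a in rules["nat_acl"] if a["ifc"] == sifc]
    v = {"id": m["id"], "src": str(sip), "ingress": sifc, "egress": difc}
    if m["id"] == "305005":
        # 305005: the firewall found no nat/static on the ingress interface for this source.
        if statics or nats:
            v["verdict"] = (f"ingress {sifc} already has a static/nat covering {sip}; "
                            "a missing nat line does not explain this message")
        elif acls:
            v["verdict"] = f"only ACL-based nat on {sifc} ({', '.join(acls)}); check that ACL"
        else:
            v["verdict"] = f"no nat or static on {sifc} covers {sip}: add a nat/static line"
    else:
        # 305006: a nat ID matched on ingress, but the egress interface has no global for it.
        ids = sorted({n["id"] for n in nats if n["id"] != 0})
        missing = [i for i in ids
                   if not any(g["ifc"] == difc and g["id"] == i for g in rules["global"])]
        if missing:
            v["verdict"] = f"no global ({difc}) {missing[0]} for nat id {missing[0]}: add a global line"
        else:
            v["verdict"] = f"globals exist on {difc} for nat ids {ids}; check the global's address pool"
    return v


# Constructed sample, modelled on the thread's config plus a nat 1 line with no global.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.1.1.126 255.255.255.128
ip address inside 192.168.10.1 255.255.255.0
static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255 0 0
nat (inside) 1 192.168.10.0 255.255.255.0
"""
SAMPLE_LOGS = [  # constructed log lines; the first mirrors the redacted one in the thread
    "305005: No translation group found for udp src inside:192.168.1.1/500 dst outside:/500",
    "305005: No translation group found for tcp src inside:192.168.20.7/40312 dst outside:203.0.113.9/443",
    "305006: portmap translation creation failed for udp src inside:192.168.10.50/53891 dst outside:203.0.113.9/53",
    "302013: Built outbound TCP connection 12 for outside:203.0.113.9/443 ...",
]


def run_example():
    """Diagnose every translation-failure line in SAMPLE_LOGS against SAMPLE_CONFIG."""
    rules = parse_config(SAMPLE_CONFIG)
    return [v for v in (diagnose(rules, line) for line in SAMPLE_LOGS) if v]


if __name__ == "__main__":
    for verdict in run_example():
        print(f"{verdict['id']} {verdict['ingress']}:{verdict['src']} -> {verdict['egress']}: {verdict['verdict']}")
```

Feed it the real `sh run | i nat|static|global` output and the `sh logg | i 305005|305006` lines and the first verdict tells you whether the message is consistent with the ingress nat config; when a static already covers the source (as with 192.168.1.1 here), the tool says so rather than guessing at the cause.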

ddavenport-dcc (Level 1)

App is great!

I'm not back into work for a couple of days but will send requested info then. Thanks for the reply.

Sent from Cisco Technical Support iPhone App

Hi,

Here is the info you asked for - hopefully it is what you need...Thanks for your help so far!

nameif ethernet0 outside security0
nameif ethernet1 inside security100
object-group network VPN-CONC
  network-object
object-group network VPN-ENDPOINTS
  network-object host
access-list PERMIT-INSIDE permit esp object-group VPN-ENDPOINTS object-group VPN-CONC
access-list PERMIT-INSIDE permit udp object-group VPN-ENDPOINTS object-group VPN-CONC eq isakmp
access-list PERMIT1-INSIDE permit udp object-group VPN-ENDPOINTS object-group VPN-CONC eq 4500
access-list PERMIT-OUTSIDE permit esp object-group VPN-CONC object-group VPN-ENDPOINTS
access-list PERMIT-OUTSIDE permit udp object-group VPN-CONC object-group VPN-ENDPOINTS eq isakmp
access-list PERMIT-OUTSIDE permit udp object-group VPN-CONC object-group VPN-ENDPOINTS eq 4500
ip address outside 10.1.1.126 255.255.255.128
ip address inside 192.168.10.1 255.255.255.0
static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255 0 0
access-group PERMIT-OUTSIDE in interface outside
access-group PERMIT-INSIDE in interface inside

Show Log:

305005: No translation group found for udp src inside:192.168.1.1/500 dst outside:

There are no NAT or GLOBAL statements relating to the IP addresses listed above, and no NAT exemptions.
