Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8030
Views
0
Helpful
3
Replies

No translation group found for icmp src outside

gspencer
Level 1
Level 1

‎08-30-2005 06:03 AM - edited ‎03-09-2019 12:17 PM

Hi All,

Can someone assist with this issue. I must be overlooking something, so I'm here.

I have a server connected on the outside of my PIX520. I can start a connection from the inside to the server. But from the server to the inside, I cannot start a connection.

Here's a sample config and the error message I'm receiving.

I tried a few things with nat and static commands but none works. Thanks in advance.

BTW this firewall isn't a public facing firewall.

access-list inbound permit ip any any

access-list inbound permit icmp any any

access-list inbound permit icmp any any echo-reply

ip address outside 10.20.7.13 255.255.255.0

ip address inside 172.20.103.15 255.255.255.0

failover ip address outside 10.20.7.14

failover ip address inside 172.20.103.16

global (outside) 1 10.20.7.20-10.20.7.30 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (outside,inside) 172.20.125.195 10.20.7.32 netmask 255.255.255.255 0 0

access-group inbound in interface outside

route inside 0.0.0.0 0.0.0.0 172.20.103.10 1

route outside 172.20.125.192 255.255.255.224 10.20.7.13 1

609001: Built local-host inside:172.20.103.11

305009: Built dynamic translation from inside:172.20.103.11 to outside:10.20.7.30

609001: Built local-host outside:10.20.7.32

305009: Built static translation from outside:10.20.7.32 to inside:172.20.125.195

302013: Built outbound TCP connection 22 for outside:10.20.7.32/23 (172.20.125.195/23) to inside:172.20.103.11/15361 (10.20.7.30/15361)

305005: No translation group found for icmp src outside:10.20.7.32 dst inside:172.20.103.15 (type 8, code 0)

305005: No translation group found for icmp src outside:10.20.7.32 dst inside:172.20.103.15 (type 8, code 0)

305005: No translation group found for icmp src outside:10.20.7.32 dst inside:172.20.103.15 (type 8, code 0)

305005: No translation group found for icmp src outside:10.20.7.32 dst inside:172.20.103.15 (type 8, code 0)

305005: No translation group found for

Labels:
0 Helpful
3 Replies 3

rsmith
Level 3
Level 3

‎09-01-2005 03:51 PM

Because you are attempting access from a lower security interface to a higher, and NAT is enabled, unless there is an established session (translation) from the inside, you will not be able to access the inside network.

One option is to use a network NAT, "static (inside,outside) 172.20.103.0 172.20.103.0 netmask 255.255.255.0"

A better way would be to use NAT (0), "nat (inside) 0 172.30.103.0 255.255.255.0" This will keep the same inside IP address across the firewall to the outside interface.

0 Helpful

gspencer
Level 1
Level 1
In response to rsmith

‎09-09-2005 05:15 AM

Thanks for the suggestion. That worked. Is there a shorter command that would specify several subnets at the same time. Or can you point me to the documentation.

Thanks again.

GS

0 Helpful

hecloma
Level 1
Level 1
In response to rsmith

‎11-25-2011 04:48 AM

hello.
I have the same problem. I try to access through a vpn connection to the internal network (192.168.0.0) but when I used the option:

static (inside, outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 "

The Internet connection has been dropped.

excuse my English.

Thanks

0 Helpful
Customers Also Viewed These Support Documents