12-09-2002 08:30 AM - edited 02-21-2020 12:13 PM
VPN Client 3.5 sessions terminating on PIX 6.x cannot access hosts on the PIX DMZ interface. The error log states that there is no "translation group available from outside" for the VPN client subnet (from the vpngroup pool).
Do I need to add the client VPN subnet to a nat (outside)?
Do I add it to the nat (inside)?
Do I just add statics for the DMZ hosts to the inside interface subnet, since the VPN clients can access inside hosts?
(I do have the subnets in the nat 0 nonat ACL.)
Thanks and Regards
JT
12-09-2002 11:32 AM
What you will need to add is nat 0. You state in your parentheses that you have a nonat ACL; is it for the DMZ or for the inside interface? Are you using the same access-list for the nonat on both inside and DMZ? If you are, you should separate them and use separate access-lists. Is your client pool on a separate subnet from your inside network and DMZ? It should look something like this:
ip local pool clientpool 192.168.1.1-192.168.1.254
ip address inside 10.10.10.1 255.255.255.0
ip address dmz 10.10.20.1 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonatdmz permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonatdmz
If this is correct, then clear xlate, wr mem, reload. Hope this helps.
Kurtis Durrett
PS
If it doesn't, I can only recommend upgrading your client and PIX, as that's exactly how it should look, and if it's not working you are running into an extra feature that you don't want.
12-09-2002 11:24 AM
Hi,
This is what the error means:
%PIX-3-305005: No translation group found for
Explanation: An outbound packet does not match any of the outbound NAT rules.
Action: This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the access-list bound to the nat 0 access-list.
From the error you have pasted in the case notes, you are missing
nat (dmz) 0 access-list no_nat
From your notes, I see that you have mentioned the nat 0 command, but is this configured for the DMZ that you are trying to access?
Please do let me know how it goes.
Regards,
Arul
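The lookup both answers describe, as an added example that is not part of the original thread: a small Python model of how PIX 6.x decides whether a packet has a translation group, and therefore when it logs %PIX-3-305005. The config it parses is constructed to mirror the poster's setup (inside exempt towards the VPN pool, DMZ not), the rule order (nat 0 access-list, then static, then nat/global) follows the Action text quoted above, and the function names and the simplified "everything off-subnet leaves via outside" egress choice are this example's own assumptions. The point it makes is the one in both answers: for an inbound packet from a VPN client to a DMZ host, the PIX looks for a translation of the DMZ host on the dmz interface and evaluates the exemption ACL with the DMZ host as source, so nat (inside) 0 alone never matches.

```python
"""Model of the PIX 6.x translation lookup behind %PIX-3-305005 (added example,
see the lead-in; rule order and names are assumptions of this example)."""
import ipaddress

# Constructed config reproducing the poster's situation: inside is NAT-exempt
# towards the VPN pool, the DMZ is not.
BROKEN_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address dmz 10.10.20.1 255.255.255.0
ip local pool vpnpool 192.168.1.1-192.168.1.254
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
"""

# The fix from the answers: a separate exemption ACL bound to the DMZ interface.
FIXED_CONFIG = BROKEN_CONFIG + """
access-list nonatdmz permit ip 10.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list nonatdmz
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect the NAT-relevant lines; only the subnet/mask ACL form is parsed."""
    cfg = {"security": {}, "subnets": {}, "acls": {}, "exempt": {},
           "dynamic": {}, "globals": {}, "statics": []}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "nameif":                         # nameif eth1 inside security100
            cfg["security"][w[2]] = int(w[3].replace("security", ""))
        elif w[:2] == ["ip", "address"]:             # ip address inside A M
            cfg["subnets"][w[2]] = _net(w[3], w[4])
        elif w[0] == "access-list" and w[2] == "permit":
            cfg["acls"].setdefault(w[1], []).append((_net(w[4], w[5]), _net(w[6], w[7])))
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            cfg["exempt"][w[1].strip("()")] = w[4]   # NAT exemption
        elif w[0] == "nat":                          # nat (if) id A M ...
            cfg["dynamic"].setdefault(w[1].strip("()"), []).append((int(w[2]), _net(w[3], w[4])))
        elif w[0] == "global":                       # global (if) id ...
            cfg["globals"].setdefault(w[1].strip("()"), set()).add(int(w[2]))
        elif w[0] == "static":                       # static (hi,lo) G L netmask M
            hi, lo = w[1].strip("()").split(",")
            mask = w[w.index("netmask") + 1] if "netmask" in w else "255.255.255.255"
            cfg["statics"].append((hi, lo, _net(w[2], mask), _net(w[3], mask)))
    return cfg


def egress_interface(cfg, addr):
    """Interface whose subnet holds addr; anything else (the VPN pool included)
    leaves via the default route, i.e. outside (simplification of this model)."""
    return next((n for n, net in cfg["subnets"].items() if addr in net), "outside")


def find_translation(cfg, in_if, src, dst, proto="tcp"):
    """Return the rule that translates this packet, or the 305005 message."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out_if = egress_interface(cfg, dst)
    outbound = cfg["security"][in_if] > cfg["security"][out_if]
    # The PIX needs a translation for the host on the higher-security side: the
    # source of an outbound packet, the destination of an inbound one.
    local_if, remote_if = (in_if, out_if) if outbound else (out_if, in_if)
    local, remote = (src, dst) if outbound else (dst, src)
    # 1. NAT exemption. The ACL is evaluated local -> remote, so inbound
    #    VPN-client traffic to a DMZ host is matched against nat (dmz) 0.
    acl = cfg["exempt"].get(local_if)
    if acl and any(local in s and remote in d for s, d in cfg["acls"].get(acl, [])):
        return f"nat ({local_if}) 0 access-list {acl}"
    # 2. Static translation between this interface pair.
    for hi, lo, gnet, lnet in cfg["statics"]:
        if (hi, lo) == (local_if, remote_if) and local in (lnet if outbound else gnet):
            return f"static ({hi},{lo}) {gnet.network_address} {lnet.network_address}"
    # 3. Dynamic NAT only covers outbound flows: an inbound packet to a
    #    dynamically translated host finds no xlate unless one already exists.
    if outbound:
        for nat_id, net in cfg["dynamic"].get(local_if, []):
            if local in net and nat_id in cfg["globals"].get(remote_if, set()):
                return f"nat ({local_if}) {nat_id} / global ({remote_if}) {nat_id}"
    return (f"%PIX-3-305005: No translation group found for {proto} "
            f"src {in_if}:{src} dst {out_if}:{dst}")
```

Calling find_translation(parse_config(BROKEN_CONFIG), "outside", "192.168.1.5", "10.10.20.10") returns the 305005 message with src outside and dst dmz, which is the error the poster saw, while the same call against FIXED_CONFIG returns nat (dmz) 0 access-list nonatdmz. The reply from the DMZ host to the client is covered by the same ACL, and ordinary DMZ-to-Internet traffic still takes nat (dmz) 1 / global (outside) 1, so the exemption does not disturb the existing PAT.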
01-08-2003 06:15 PM
Worked.
Thanks for the help.
Regards
JT
01-08-2003 06:13 PM
Did the trick.
Thanks for the help.
Regards
JT