GroupStudy.com - CCIE, CCNA, CCNP and other Cisco Certifications

Home

BookStore

StudyNotes

Links

[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

Subject: Re: %PIX-3-305005: No translation group found for udp
From: Manny Gonzalez <gonzalu@xxxxxxx>
Date: Mon, 06 Jan 2003 00:02:01 -0500
Organization: New York Presbyterian
References: <20030105191714.2E81F3D13@xmxpita.excite.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

Well, the makers of the PIX were aptly named Network Translations, Inc. The product is inherently a NAT box...

http://www.cisco.com/warp/public/146/pressroom/1995/oct95/242.html

So it is kind of unfair to say you can't turn off NAT on a PIX but, you can't :-) You can masquerade it, but it will still create a XLATE entry. It will rewrite the headers and re calculate the checksum but of course, it will come out the same. NAT 0 does not turn off nat, it just translates to the same IP address. I believe the ports are still scrambled for TCP.

MG

Jim wrote:

No answers here but a related question.....

Why would you not use NAT with a PIX?  Are all addresses on the inside and DMZ visible to the world?  I take it if they are visible that the inside is still a higher security and the world cannot access the inside except with a static/conduit or ACL?

JT



 --- On Sun 01/05, Przemyslaw Karwasiecki  wrote:From: Przemyslaw Karwasiecki [mailto: karwas@bellsouth.net]To: security@groupstudy.comDate: 05 Jan 2003 12:49:09 -0500Subject: %PIX-3-305005: No translation group found for udpAll,I am confused with very simple issue:I have PIX connected to 3 networks: outside, inside, DMZ.PIX is not supposed to NAT any of those, hence it is configuredwith following:nat (inside) 0 0.0.0.0 0.0.0.0 0 0nat (servers) 0 0.0.0.0 0.0.0.0 0 0There are neither "global" nor "static" commands configured.Some traffic from outside needs to be allowed to DMZ,so there is an ACL applied to outside interface:...access-list outside_acl permit udp any host xxx.yyy.29.22 eq domain access-list outside_acl permit udp any host xxx.yyy.29.23 eq domain access-list outside_acl permit udp any host xxx.yyy.29.80 eq domain ...access-group outside_acl in interface outsideNow, is the confusing part:I am receiving a lot of:  %PIX-3-305005: No translation group found for ud

p sr!

c outside:aaa.bbb.ccc.ddd/53 dst servers:xxx.yyy.29.80/53but only for this 1 DNS server. The other 2 are working fine.What exactly %PIX-3-305005 means? And why I see it despite wide open NAT 0?Thanks,Przemek

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!


--
_______________________________________________
Manny Gonzalez ..................... CCIE# 9013
CORE Resources ....... NY Presbyterian Hospital

Follow-Ups:
- RE: %PIX-3-305005: No translation group found for udp
  - From: Scott Morris

References:
- RE: %PIX-3-305005: No translation group found for udp
  - From: Jim

Prev by Date: Re: I have lab 2/6/2003 would like to swap for March/April
Next by Date: RE: %PIX-3-305005: No translation group found for udp
Previous by thread: RE: %PIX-3-305005: No translation group found for udp
Next by thread: RE: %PIX-3-305005: No translation group found for udp
Index(es):
- Date
- Thread