Re: %PIX-3-305005: No translation group found for udp posted 01/06/2003

Well, the makers of the PIX were aptly named Network Translations, Inc. The product is inherently a NAT box...

So it is kind of unfair to say you can't turn off NAT on a PIX, but you can't :-) You can masquerade it, but it will still create an XLATE entry. It will rewrite the headers and recalculate the checksum but, of course, it will come out the same. NAT 0 does not turn off NAT; it just translates to the same IP address. I believe the ports are still scrambled for TCP.


Jim wrote:
No answers here but a related question.....

Why would you not use NAT with a PIX?  Are all addresses on the inside and DMZ visible to the world?  I take it if they are visible that the inside is still a higher security and the world cannot access the inside except with a static/conduit or ACL?


--- On Sun 01/05, Przemyslaw Karwasiecki wrote:

From: Przemyslaw Karwasiecki [mailto:]
To: security@groupstudy.com
Date: 05 Jan 2003 12:49:09 -0500
Subject: %PIX-3-305005: No translation group found for udp

All,

I am confused by a very simple issue:

I have a PIX connected to 3 networks: outside, inside, DMZ.
The PIX is not supposed to NAT any of those, hence it is configured
with the following:

nat (inside) 0 0 0
nat (servers) 0 0 0

There are neither "global" nor "static" commands configured.

Some traffic from outside needs to be allowed to the DMZ,
so there is an ACL applied to the outside interface:

...
access-list outside_acl permit udp any host xxx.yyy.29.22 eq domain
access-list outside_acl permit udp any host xxx.yyy.29.23 eq domain
access-list outside_acl permit udp any host xxx.yyy.29.80 eq domain
...
access-group outside_acl in interface outside

Now, here is the confusing part:

I am receiving a lot of:

  %PIX-3-305005: No translation group found for udp src outside:aaa.bbb.ccc.ddd/53 dst servers:xxx.yyy.29.80/53

but only for this 1 DNS server. The other 2 are working fine.

What exactly does %PIX-3-305005 mean? And why do I see it despite a wide-open NAT 0?

Thanks,
Przemek


Manny Gonzalez ..................... CCIE# 9013
CORE Resources ....... NY Presbyterian Hospital
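
To see which destinations are generating %PIX-3-305005 events, as in the original question where only one of three DNS servers was affected, the messages can be tallied per destination. This is an added example, not part of the thread; the sample log lines, the timestamp prefix and the function names are constructed for illustration, and the pattern assumes the tcp/udp message layout quoted in the question.

```python
import re
from collections import Counter

# Pattern follows the message text quoted in the thread:
#   %PIX-3-305005: No translation group found for udp src outside:A/53 dst servers:B/53
# Addresses are matched loosely so masked ones (xxx.yyy.29.80) also parse.
MSG_305005 = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+)"
)

def parse_305005(line):
    """Return the fields of one 305005 message as a dict, or None if no match."""
    m = MSG_305005.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def summarize(lines):
    """Count 305005 events per (dst interface, dst address, protocol, dst port)."""
    counts = Counter()
    for line in lines:
        rec = parse_305005(line)
        if rec:
            counts[(rec["dst_if"], rec["dst_ip"], rec["proto"], rec["dst_port"])] += 1
    return counts

# Constructed sample log (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
Jan 05 2003 12:40:01: %PIX-3-305005: No translation group found for udp src outside:198.51.100.7/53 dst servers:192.0.2.80/53
Jan 05 2003 12:40:02: unrelated constructed line, ignored by the parser
Jan 05 2003 12:40:03: %PIX-3-305005: No translation group found for udp src outside:203.0.113.4/53 dst servers:192.0.2.80/53
Jan 05 2003 12:40:04: %PIX-3-305005: No translation group found for tcp src outside:203.0.113.4/40112 dst servers:192.0.2.80/53
""".splitlines()

if __name__ == "__main__":
    # Most frequently hit destinations first.
    for (dst_if, dst_ip, proto, port), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {dst_if}:{dst_ip} {proto}/{port}")
```
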