PIX-3-305005: No translation group found .....

[ghosking]

Here's my conundrum in its simplest form:

PIX 515E-DMZ; PIX OS 6.3(3)
interface outside: security 0
interface dmz: security 50
interface inside: security 100

1. Reset the PIX to factory defaults
2. Enter a basic config with nothing more than interface and IP address details
3. Add the following translation rule and access-list:

pix-central# static (dmz,outside) 10.254.48.1 10.254.48.1
pix-central# access-list outside_acl permit icmp any any
pix-central# access-group outside_acl in interface outside

This configuration allows me to send icmp packets from dmz interface to outside and from outside to dmz without address translation. All is well!

Now if I move things around to try and get data between the DMZ and the inside interfaces:

pix-central# static (inside,dmz) 10.254.48.1 10.254.48.1
pix-central# access-list dmz_acl permit icmp any any
pix-central# access-group dmz_acl in interface dmz

All I can successfully achieve is this wretched error log message:

%PIX-3-305005: No translation group found for icmp src dmz: 10.254.48.1 dst inside: 10.180.8.1

when I send an echo request from dmz to inside.

There is no difference in the relative relationship between the interfaces in the two examples. outside -> dmz is the same as dmz -> inside, i.e. the data flow is from a low security interface to a high security interface.

Anybody out there have any ideas what I'm doing wrong?

 

[guysmyley]

I think in the static statement you need the higher security inside IP address, instead of the dmz address. It should be:

static (inside,dmz) 10.180.8.1 10.180.8.1