topic Re: Cisco ASA 5510 NAT Issue in Network Security

Cisco ASA 5510 NAT Issue

jjizzle1985 — Fri, 21 Feb 2020 16:23:00 GMT

Hey Guys;

I've seen to be having an issue with this ASA 5510 FW; I don't wanna use NAT for inside/outside; since im natted on my router; I just want this FW to inspect packages and denied packages; that's it;

when I check the logs on the 5510; it keeps saying this error

3|Oct 22 2018 16:24:12|305005: No translation group found for udp src IN:1.8.8.4/49611 dst OUT:8.8.4.4/53
3|Oct 22 2018 16:24:12|305005: No translation group found for udp src IN:1.8.8.4/50818 dst OUT:8.8.4.4/53
3|Oct 22 2018 16:24:12|305005: No translation group found for udp src IN:1.8.8.4/49486 dst OUT:8.8.4.4/53
3|Oct 22 2018 16:24:12|305005: No translation group found for udp src IN:1.8.8.4/57103 dst OUT:8.8.4.4/53
3|Oct 22 2018 16:24:13|305005: No translation group found for udp src IN:1.8.8.4/61703 dst OUT:8.8.4.4/53

I also saw this alert

6|Oct 22 2018 16:45:00|110002: Failed to locate egress interface for UDP from IN:1.8.8.4/49817 to 8.8.4.4/53;

This is the only error/alert I see that's causing me not to get onto the internet.

I have a simple and easy setup; please see attach on network layout and FW config.

Re: Cisco ASA 5510 NAT Issue

Mohammed al Baqari — Tue, 23 Oct 2018 05:31:00 GMT

If you don't want natting why are you applying it on ASA. There is natting
configuration on your ASA

Re: Cisco ASA 5510 NAT Issue

jjizzle1985 — Tue, 23 Oct 2018 06:11:57 GMT

Hello;

I'm trying to apply an exempt for NAT; so ASA won't nat any traffic from inside/outside; just denied and/or permit packages.

Isn't this the command to exempt traffic that you don't wanna to nat from inside-outside

access-list NO-NAT extended permit ip INNET 255.255.255.0 OUTNET 255.255.255.252

Please advise

Thanks

Re: Cisco ASA 5510 NAT Issue

Marius Gunnerud — Tue, 23 Oct 2018 09:33:50 GMT

If you do not want to do any NAT on the ASA then remove the following commands.

nat-control

global (OUT) 1 interface
nat (IN) 0 access-list NO-NAT

Nat-control forces you to use NAT or traffic will be dropped. So once you remove that you will be able to remove the global and nat commands without affecting traffic.

Re: Cisco ASA 5510 NAT Issue

jjizzle1985 — Tue, 23 Oct 2018 18:05:18 GMT

Hello;

After removing the configurate you recommend; I can see I can build outbound packets for DNS; but I don't see any inbound packets coming back to my inside network; and when I try to access a website I still can't view website; it saying can't find DNS Server name and/or DNS Timeout

idk what else I'm missing for this to work as a simple network setup; I would like to use the gui but I keep getting server not trusted from java even with the ip address in the exception site list; still nothing

this is what I see on java console when trying to launch Cisco ASDM

java.lang.ClassCastException: sun.security.ssl.X509TrustManagerImpl cannot be cast to com.sun.deploy.security.X509ExtendedDeployTrustManager

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server

Caused by: java.security.cert.CertificateException: Java couldn't trust Server

I've seen this before but with the ip address in the exception list its still not working

Please help

please anyone can direct me on how to fix the web and ASA 5510 problem