https://community.cisco.com/t5/network-security/problem-configuring-a-simple-nat-exemption/m-p/2180555#M359963 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>As you say, one would expect that if you have specifically configured a rule for this traffic that you wouldnt see this Syslog message anymore.</P><P></P><P>Can you check that the "packet-tracer" says for the traffic in question?</P><P></P><P><STRONG>packet-tracer input DMZHandoff tcp <SOURCE ip=""> <SOURCE port=""> <DESTINATION ip=""> 443</DESTINATION></SOURCE></SOURCE></STRONG></P><P></P><P>Just to see what the ASA really says.</P><P></P><P>Are you absolutely sure that you didnt make any typo in the source IP address. (As we cant really see the exact configuration)</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 18 Mar 2013 18:37:38 GMT Jouni Forss 2013-03-18T18:37:38Z https://community.cisco.com/t5/network-security/problem-configuring-a-simple-nat-exemption/m-p/2180554#M359962 <P>I am receiving the following error in my ASA syslog</P><P></P><P>%ASA-7-609001: Built local-host DMZHandoff:x.x.x.1</P><P>%ASA-3-305005: No translation group found for tcp src DMZHandoff:x.x.x.1/21920 dst Core_Handoff:y.y.y.2/443</P><P>%ASA-6-106015: Deny TCP (no connection) from x.x.x.1/21920 to y.y.y.2/443 flags RST ACK&nbsp; on interface DMZHandoff</P><P></P><P>so I created a simple NAT exemption configuration that I thought would resolve the error.&nbsp; The complete configuration is:</P><P></P><P>access-list DMZHandoff-NAT-Exempt permit ip host x.x.x.1 any</P><P>nat (DMZHandoff) 0 access-list DMZHandoff-NAT-Exempt</P><P></P><P>I am still getting the same error. This seems pretty straightforward to me.&nbsp; Can someone point out what I'm doing wrong?</P><P></P><P>Thanks!&nbsp; Glenn</P> Tue, 12 Mar 2019 01:15:36 GMT https://community.cisco.com/t5/network-security/problem-configuring-a-simple-nat-exemption/m-p/2180554#M359962 gamorr50265_AHM 2019-03-12T01:15:36Z https://community.cisco.com/t5/network-security/problem-configuring-a-simple-nat-exemption/m-p/2180555#M359963 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>As you say, one would expect that if you have specifically configured a rule for this traffic that you wouldnt see this Syslog message anymore.</P><P></P><P>Can you check that the "packet-tracer" says for the traffic in question?</P><P></P><P><STRONG>packet-tracer input DMZHandoff tcp <SOURCE ip=""> <SOURCE port=""> <DESTINATION ip=""> 443</DESTINATION></SOURCE></SOURCE></STRONG></P><P></P><P>Just to see what the ASA really says.</P><P></P><P>Are you absolutely sure that you didnt make any typo in the source IP address. (As we cant really see the exact configuration)</P><P></P><P>- Jouni</P></BODY></HTML> Mon, 18 Mar 2013 18:37:38 GMT https://community.cisco.com/t5/network-security/problem-configuring-a-simple-nat-exemption/m-p/2180555#M359963 Jouni Forss 2013-03-18T18:37:38Z https://community.cisco.com/t5/network-security/problem-configuring-a-simple-nat-exemption/m-p/2180556#M359964 <HTML><HEAD></HEAD><BODY><P>Jouni; Thanks, I should have tried packet tracer first before posting!&nbsp; It shows the packet is being dropped due to rpf-check error.&nbsp; I'll track that down and repost if it doesn't fix the problem.</P><P></P><P>Glenn</P></BODY></HTML> Mon, 18 Mar 2013 18:48:10 GMT https://community.cisco.com/t5/network-security/problem-configuring-a-simple-nat-exemption/m-p/2180556#M359964 gamorr50265_AHM 2013-03-18T18:48:10Z