ASA NAT help

uthayaman elangovan — Mon, 11 Mar 2019 22:46:49 GMT

Hi,

Help me to understand!!!

We have an internet link from ISP whic is terminated in a router(say Fa 0/0). ISP have provided me a public ip pool for our use. we have configured one of the ip from this pool in other interface of the router(say Fa 0/1) and ASA outside also in the same subnet.

ISP---(Fa 0/0) RTR (Fa 0/1)---ASA----10.50.x.x

When we ping any inside ip with source as Fa 0/0 from router i am getting a reply. But when i ping the same with source as Fa 0/1 i am getting the below log in asa firewall.

No translation group found for icmp src outside:x.x.x.x dst inside:10.50.x.x (type 8, code 0)

But ping is success when we add static NAT command for 10.50.x.x to translate as 10.50.x.x.

static (inside,outside) 10.50.x.x 10.50.x.x netmask 255.255.0.0

My question is

Why i didnt get same log when i ping with source as Fa 0/0

Re: ASA NAT help

Jouni Forss — Mon, 26 Mar 2012 14:22:17 GMT

Hi,

I dont understand why you would need to ping your local LAN private address range IP addresses from public network? You can't use the local private IP addresses to connect to Internet anyway.

Also having no configuration attached I can't really say what the situation is on the ASA.

The log message itself says theres no translation configured for the traffic. So I guess you have some rule for the ISP link network (Fa0/0 -> ISP) but not for the address pool (Fa0/1 -> ASA)? Still doesnt make sense why you would need to ping inside hosts from outside with their original IP address.

I'd imagine the syslog id of the message that you mentioned was the following:

 305005 
Error Message    %ASA-3-305005: No translation group found for protocol src 
interface_name: source_address/source_port dst interface_name: 
dest_address/dest_port


 
Explanation    A packet does not match any of the outbound nat command rules. If NAT is not  configured for the specified source and destination systems, the message will be generated  frequently. 
 
Recommended Action    This message indicates a configuration error. If dynamic NAT is desired for the  source host, ensure that the nat command matches the source IP address. If static NAT is desired for  the source host, ensure that the local IP address of the static command matches. If no NAT is desired  for the source host, check the ACL bound to the NAT 0 ACL.

Can you copy/paste here all your basic ASA configurations while ofcourse changing the public IP addresses/passwords etc. if needed from the output. It would be easy to see then how the translations/traffic works on your ASA

- Jouni

topic ASA NAT help in Network Security

ASA NAT help

Re: ASA NAT help

305005