topic Cisco Asa No translation group found!! in Network Security

Cisco Asa No translation group found!!

essa.anas — Mon, 11 Mar 2019 19:29:12 GMT

Hello All,

It is 31 of Decemeber 2010, happy new Year.

I have very strange issue:

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

I have also :

nat (inside) 0 0.0.0.0 0.0.0.0 , because I don’t want to do NAT translation.

and enable traffic through the firewall without address translation is activated: no nat-control command

I allow traffic to pass through from outside (security level = 0) to inside (security level = 100) and it is working.

The strange thing is that I have windows cluster of two Servers with cluster IP address and to ip addresses for the physical servers as you know.

Locally I can ping these interfaces without problem and the users on the local site are happy, I can ping them also from the inside interfaces, and the IP/MAC address list shows on the ASA ARP list.

On the remote sites however, the issue is that I can ping the physical ip of the servers but I cannot ping the ip address of the cluster, ASA gives the following error message on the log:

3|Dec 31 2010|09:05:16|305005|10.213.12.13||||No translation group found for icmp src outside:Router_172.16.1.2 dst inside:10.213.12.13 (type 8, code 0)

I have exactly the same case with virtual interface of a virtual server on a VMWARE machine.

HOWEVER everything can work if I ping from the Cluster server or from the virtual machine outside (in the inside network) to any IP address outside the network. If I explain it well in means that If I just pass traffic from the cluster server to outside then pinging and other services from outside-in start working.

Did I miss something in the configuration

ASA Version 8.2(1)
!
hostname ciscoasa

names
name XX.XXX.0.0 Remote_PO
name 172.16.1.2 Router_172.16.1.2
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address XX.XXX.12.200 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address XX.XXX.72.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group icmp-type ICMP_GRP
icmp-object echo-reply
object-group network DM_INLINE_NETWORK_1
network-object Remote_PO 255.255.0.0
network-object host Router_172.16.1.2
access-list inside_access_in extended permit icmp any any object-group ICMP_GRP
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any object-group ICMP_GRP
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 XX.XXX.12.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 Router_172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http XX.XXX.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet XX.XXX.12.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a5b9f09e919607c4c09f01132b2eebcb
: end
ciscoasa#

I also want to mention couple of things, before I did this configuration, ASA was configured in context mode and I change it to single mode. I also delete the startup file to start from scratch.

copy flash:old_running.cfg startup-config; single mode

The second thing is that the local PCs on the network sometimes they are losing connectivity with the firewall, which means I cannot ping the ASA or go to the Internet, only if I change the IP address of the PC.

Any Suggestions will be appreciated

Re: Cisco Asa No translation group found!!

Jennifer Halim — Fri, 31 Dec 2010 07:59:38 GMT

To pass traffic from low security level to high security level, you would need to configure either static NAT 1:1 or NAT exemption (NAT 0 with ACL). The NAT 0 that you configure is dynamic NAT 0 and only works from high to low security level.

If you do not want to NAT anything from inside subnet then I would suggest that you configure the following:

access-list nonat permit ip 10.213.12.0 255.255.255.0 any

nat (inside) 0 access-list nonat

Please also remove the NAT 0 without ACL:

no nat (inside) 0 0.0.0.0 0.0.0.0

Then "clear xlate" after configuring the above.

Re: Cisco Asa No translation group found!!

Dan-Ciprian Cicioiu — Fri, 31 Dec 2010 08:15:51 GMT

Hello Jennifer,

Why is nat 0 needit at all if it has configured "no nat-control"

Dan

Re: Cisco Asa No translation group found!!

Jennifer Halim — Fri, 31 Dec 2010 08:22:52 GMT

nat-control is only for traffic from inside (high security level) to outside (low security level). For traffic from low to high security level, you still require to configure 1:1 translation whether it is static 1:1 or NAT 0 with ACL.

Here is the reference guide for nat-control:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1746857

Quoted from the doc:

"NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address."

Re: Cisco Asa No translation group found!!

Dan-Ciprian Cicioiu — Fri, 31 Dec 2010 08:34:32 GMT

Okay

But the return traffic from a flow initiated by an inside host will be permited without any nat, in case of disabling nat-control (thats because the connection exists)

My understanding of disabling nat-control was that there will be no nat requirement at all for any bidirectional communication.

In the old software version <7.0 there was by default a requirement of nat-ing the flows from a higher to a lower - and that couldnt be disabled.And this feature makes it more flexible (nat-control)

But there was not specified anyway that after disabling nat-control there is still a requirement to do nat exempt.

Dan

Re: Cisco Asa No translation group found!!

Dan-Ciprian Cicioiu — Fri, 31 Dec 2010 08:48:59 GMT

I lab a setup

Router0 .11 ------inside 10.10.10/24------.10 pix .10 -------- outside 11.11.11/24 ---------.11 Router1

default route thoward the pix from R1 and R2

no nat-control

access-list permit ip any any on both interfaces of the pix

And here it is :

pixfirewall# sh conn
2 in use, 4 most used
ICMP outside 11.11.11.11:6 inside 10.10.10.11:0, idle 0:00:01, bytes 360
ICMP outside 11.11.11.11:6 inside 10.10.10.11:0, idle 0:00:01, bytes 360

R1#ping 10.10.10.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/148/208 ms
R1#

pixfirewall# sh ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                11.11.11.10     255.255.255.0   manual
Ethernet1                inside                 10.10.10.10     255.255.255.0   manual

pixfirewall# sh run access-list
access-list out extended permit ip any any
access-list in extended permit ip any any
pixfirewall#
pixfirewall#
pixfirewall# sh run access-group
access-group in in interface inside
access-group out in interface outside
pixfirewall#

Also :

%PIX-5-111005: console end configuration: OK
%PIX-7-609001: Built local-host outside:11.11.11.11
%PIX-7-609001: Built local-host inside:10.10.10.11
%PIX-6-302020: Built inbound ICMP connection for faddr 11.11.11.11/12 gaddr 10.10.10.11/0 laddr 10.10.10.11/0
%PIX-6-302020: Built outbound ICMP connection for faddr 11.11.11.11/12 gaddr 10.10.10.11/0 laddr 10.10.10.11/0

pixfirewall# sh run nat
pixfirewall# sh run global
pixfirewall# sh run static
pixfirewall# sh xlate
0 in use, 0 most used
pixfirewall#

Dan

Re: Cisco Asa No translation group found!!

Jennifer Halim — Fri, 31 Dec 2010 12:15:56 GMT

You are right. If you disable nat-control, and have no NAT statement at all on the interfaces, then you are not required to configure NAT exemption either.

So when nat-control is disabled, you don't need to configure "nat (inside) 0 0.0.0.0 0.0.0.0", traffic from all interfaces would be able to pass without any nat statement.