topic Re: Outbound NAT problem on ASA5520 in Network Security

Outbound NAT problem on ASA5520

fsebera — Mon, 11 Mar 2019 17:15:02 GMT

I have an ASA 5520 firewall running in single context router mode.

I.E. Single routed firewall.

Interface TAPPY, IP 192.168.1.1/24

Interface INSIDE, IP 10.0.0.1/24

Host 192.168.1.6/24 (on TAPPY interface) needs to communicate with host 10.0.0.2/24 (on INSIDE interface)

Host 10.0.0.2 must receive packets that appear they came from the firewalls address.

When I set up a static NAT, I continue to receive this error message:

No translation group found for tcp src TAPPY:192.168.1.6/2345 dst INSIDE:10.0.0.2/4444

Cisco’s explanation is:

A packet does not match any of the outbound NAT command rules.

My cli NAT command is:

STATIC (INSIDE,TAPPY) 192.168.1.6 host 10.0.0.2 netmask 255.255.255.255

I know I have something configured incorrectly but cannot figure it out.

ANY help would be greatly appreciated

Tks

Frank

Re: Outbound NAT problem on ASA5520

Kureli Sankar — Thu, 25 Feb 2010 23:29:48 GMT

You need to have

nat (TAPPY) 50 192.168.1.6 255.255.255.255 outside

global (INISIDE) 50 interface

The above will translate the TAPPY IP address and make it look like it was coming from the inside interface IP.

STATIC (INSIDE,TAPPY) host 10.0.0.2 host 10.0.0.2 netmask 255.255.255.255

This will provide identity translation for the inside hosts when they go to the TAPPY to look like themselves.

With the above lines you can only initiate traffic from the TAPPY to the INSIDE.

P.S. I am assuming TAPPY has a lower security level than the INSIDE.

-KS

Re: Outbound NAT problem on ASA5520

fsebera — Sat, 27 Feb 2010 17:19:03 GMT

Hi Kusankar,

THANK YOU!!!!!!

This solved my issue completely - . . . and my non-technical folks are VERY happy!!!!

And yes your assumption of TAPPY having a lower security level than INSIDE was correct.

Communication can only be initiated from a host on TAPPY.

What if I needed a host on INSIDE to initiate communication to a host on TAPPY?

Since INSIDE has a higher security level than TAPPY, seems there should not be a problem - RIGHT?

Now that I (we) have this working, I have time to read more of the ASA configuration guide for future issues.

It's folks like you that make this Group Discussion work.

Thanks again!!

Frank

Re: Outbound NAT problem on ASA5520

Kureli Sankar — Sat, 27 Feb 2010 17:22:12 GMT

Very glad to hear. Rate the post that helps.

Kudos to you. The problem description (except the missing security level) was very clear.

Inside, even though on a higher security interface cannot initiate because now TAPPY host is behind a PAT (port address translation).

You can however be able to initiate connections to other hosts in TAPPY from the inside.

-KS