topic Thanks changed to Security in Network Security

asa 5520 nat problem

Shakespeare Rodas — Fri, 21 Feb 2020 13:12:28 GMT

Hi I have an Cisco Asa 5520 and i want to make vpn site to site using another interface with a lan to lan carrier, the problem is when i try to pass traffic have the follow syslog error:

No translation group found for udp src lan2lan:10.5.50.63/44437 dst colo:biggiesmalls/897

The interface for lan to lan service is called: lan2lan
one of the internal interfaces is called: colo

I think is problem with Nat on the ASA but i need help with this.

Config:

!
interface GigabitEthernet0/0
nameif external
security-level 0
ip address fw-ext 255.255.255.0 standby XXaaaNNaa
ospf cost 10
ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.50
vlan 50
nameif lb
security-level 20
ip address 10.1.50.11 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/1.501
vlan 501
nameif colo
security-level 90
ip address fw-int 255.255.255.0 standby 172.16.2.253
ospf cost 10
!
!
interface GigabitEthernet1/1
description Lan2Lan-Carrier
nameif lan2lan
security-level 0
ip address 10.100.50.1 255.255.255.248
!
access-list lan2lan_cryptomap_51 extended permit ip 10.1.0.0 255.255.0.0 object-group elo
access-list lan2lan_cryptomap_51 extended permit ip sfnet 255.255.255.0 object-group elo
pager lines 24
logging enable
logging host colo biggiesmalls
no logging message 313001
mtu external 1500
mtu lb 1500
mtu colo 1500
mtu lan2lan 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat-control
global (external) 1 interface
global (lb) 1 interface
global (colo) 1 interface
nat (lb) 1 10.1.50.0 255.255.255.0
nat (colo) 0 access-list colo_nat0_outbound
nat (colo) 1 10.1.13.0 255.255.255.0
nat (colo) 1 10.1.16.0 255.255.255.0
nat (colo) 1 0.0.0.0 0.0.0.0
access-group external_access_in in interface external
access-group lb_access_in in interface lb
access-group colo_access_in in interface colo
access-group management_access_in in interface management
access-group lan2lan in interface lan2lan
!
service resetoutside
crypto map lan2lan_map 51 match address lan2lan_cryptomap_51
crypto map lan2lan_map 51 set peer 10.100.50.2
crypto map lan2lan_map 51 set transform-set ESP-3DES-SHA
crypto map lan2lan_map 51 set reverse-route
crypto map lan2lan_map interface lan2lan
quit
crypto isakmp identity hostname
crypto isakmp enable lan2lan
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
client-update enable
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key xxXnnAA
tunnel-group 10.100.50.2 type ipsec-l2l
tunnel-group 10.100.50.2 general-attributes
default-group-policy site2site
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
!

Is the VPN establishing OK? (

Marvin Rhoads — Wed, 11 Jun 2014 22:48:03 GMT

Is the VPN establishing OK? ("show crypto isakmp sa" should show a MM_Active tunnel to the peer address)

We normally exempt site-site VPN traffic from NAT. That could be your problem. If you can share your configuration we can have a look at it.

p.s. you should recategorize the question to the Security / VPN forum.

Thanks changed to Security

Shakespeare Rodas — Thu, 12 Jun 2014 02:10:31 GMT

Thanks changed to Security Vpn Forum, i will try with extempt the vpn traffic now...

Thank you and the other

Shakespeare Rodas — Thu, 12 Jun 2014 02:15:54 GMT

Thank you and the other question is what is the correct security level for the interfaces on this scenario with lan to lan carrier?

You're welcome. The security

Marvin Rhoads — Thu, 12 Jun 2014 13:33:36 GMT

You're welcome. The security levels can range from 0 (lowest security - typically thought of as outside) to 100 (highest security or inside).

Your screenshot indicates your have a nat statement that references pool 1 but there's no matching global. You would typically have a line being "global 1 ..."

If you can share the configuration, we could answer better.

Thank you i uploaded part of

Shakespeare Rodas — Thu, 12 Jun 2014 16:09:09 GMT

Thank you i uploaded part of the fw config!!

https://supportforums.cisco.com/discussion/12230351/asa-5520-nat-problem