
Welcome to Cisco Firewalls Community


ASA-FWSM NAT (Low,High) issue/Concept

Hello All,

We run into a NAT issue when we configure NAT on our ASA and FWSM (low,high).

The request came in the reverse way: our servers are located in a zone with a low security level, while the clients are located in a high security zone.

To make the topology very easy, the firewall contains only two interfaces, inside and outside, with the servers located at (outside) and the clients at (inside). Thus, to allow the client to access the server, we configured a reverse static NAT for the server:




Inside/outside ACL: permit IP any any / ICMP any any





static (outside,inside) netmask


Because nat-control is on, I need to configure NAT back to outside from inside, either static or NAT exemption; we chose the second one.

The logic is to configure the access list to look like this:

access-list nonat-inside extended permit ip host host

nat (inside) 0 access-list nonat-inside


Here the issue pops up: when we test ping from the client to the server, it does not work and we get this error, which means no reverse translation is there:

"No translation group found for icmp src inside: dst outside:",

Then we replaced the access-list to be from the real client IP to the real server IP, and it works:

access-list nonat-inside extended permit ip host host

nat (inside) 0 access-list nonat-inside

Now 2-way communication is working.

The test was done in order to configure this on the production FWSM; the FWSM works with the first ACL, which is the logical one, not the second.

The first test was done on an ASA running on GNS 8.0; thus, to confirm, we used a (physical) ASA 5505 and replicated the same configuration.

Can anyone advise whether this is normal for ASA and FWSM or not?

Tested on:

GNS ASA:  ASA5520 (8.0)

ASA 5505 (8.2)

FWSM: 3.2

Thanks a lot.

