Cisco Asa No translation group found!!

essa.anas
Level 1

Hello All,

It is 31 December 2010, happy new year.

I have very strange issue:

 

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

I have also :

nat (inside) 0 0.0.0.0 0.0.0.0 , because I don’t want to do NAT translation.

and the option to enable traffic through the firewall without address translation is activated (the no nat-control command).

I allow traffic to pass through from outside (security level = 0) to inside (security level = 100) and it is working.

The strange thing is that I have a Windows cluster of two servers with a cluster IP address and two IP addresses for the physical servers, as you know.

Locally I can ping these interfaces without problem and the users on the local site are happy. I can ping them also from the inside interfaces, and the IP/MAC address list shows on the ASA ARP list.

On the remote sites, however, the issue is that I can ping the physical IP of the servers but I cannot ping the IP address of the cluster. ASA gives the following error message in the log:

3|Dec 31 2010|09:05:16|305005|10.213.12.13||||No translation group found for icmp src outside:Router_172.16.1.2 dst inside:10.213.12.13 (type 8, code 0)

I have exactly the same case with the virtual interface of a virtual server on a VMware machine.

HOWEVER, everything works if I ping from the cluster server or from the virtual machine (in the inside network) to any IP address outside the network. To explain it better: if I just pass traffic from the cluster server to outside, then pinging and other services from outside-in start working.

Did I miss something in the configuration?

ASA Version 8.2(1)
!
hostname ciscoasa

names
name XX.XXX.0.0 Remote_PO
name 172.16.1.2 Router_172.16.1.2
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address XX.XXX.12.200 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address XX.XXX.72.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group icmp-type ICMP_GRP
icmp-object echo-reply
object-group network DM_INLINE_NETWORK_1
network-object Remote_PO 255.255.0.0
network-object host Router_172.16.1.2
access-list inside_access_in extended permit icmp any any object-group ICMP_GRP
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any object-group ICMP_GRP
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 XX.XXX.12.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 Router_172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http XX.XXX.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet XX.XXX.12.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a5b9f09e919607c4c09f01132b2eebcb
: end
ciscoasa#

I also want to mention a couple of things. Before I did this configuration, the ASA was configured in context mode and I changed it to single mode. I also deleted the startup file to start from scratch.

copy flash:old_running.cfg startup-config; single mode

The second thing is that the local PCs on the network sometimes lose connectivity with the firewall, which means I cannot ping the ASA or go to the Internet, unless I change the IP address of the PC.

Any suggestions will be appreciated.

6 Replies

Jennifer Halim
Cisco Employee

To pass traffic from low security level to high security level, you would need to configure either static NAT 1:1 or NAT exemption (NAT 0 with ACL). The NAT 0 that you configure is dynamic NAT 0 and only works from high to low security level.

If you do not want to NAT anything from inside subnet then I would suggest that you configure the following:

access-list nonat permit ip 10.213.12.0 255.255.255.0 any

nat (inside) 0 access-list nonat

Please also remove the NAT 0 without ACL:

no nat (inside) 0 0.0.0.0 0.0.0.0

Then "clear xlate" after configuring the above.

Hello Jennifer,

Why is nat 0 needed at all if it has "no nat-control" configured?

Dan

nat-control is only for traffic from inside (high security level) to outside (low security level). For traffic from low to high security level, you still need to configure a 1:1 translation, whether it is static 1:1 or NAT 0 with ACL.

Here is the reference guide for nat-control:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1746857

Quoted from the doc:

"NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address."

Okay

But the return traffic from a flow initiated by an inside host will be permitted without any NAT, in case of disabling nat-control (that's because the connection exists).

My understanding of disabling nat-control was that there will be no NAT requirement at all for any bidirectional communication.

In the old software versions (<7.0) there was by default a requirement of NATing the flows from a higher to a lower level, and that couldn't be disabled. And this feature (nat-control) makes it more flexible.

But it was not specified anywhere that after disabling nat-control there is still a requirement to do NAT exempt.

Dan

I labbed a setup:

Router0 .11 ------inside 10.10.10/24------.10  pix .10 -------- outside 11.11.11/24 ---------.11  Router1

default route toward the pix from R1 and R2

no nat-control

access-list permit ip any any on both interfaces of the pix

And here it is:

pixfirewall# sh conn
2 in use, 4 most used
ICMP outside 11.11.11.11:6 inside 10.10.10.11:0, idle 0:00:01, bytes 360
ICMP outside 11.11.11.11:6 inside 10.10.10.11:0, idle 0:00:01, bytes 360

R1#ping 10.10.10.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/148/208 ms
R1#

pixfirewall# sh ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0                outside                11.11.11.10     255.255.255.0   manual
Ethernet1                inside                 10.10.10.10     255.255.255.0   manual

pixfirewall# sh run access-list
access-list out extended permit ip any any
access-list in extended permit ip any any
pixfirewall#
pixfirewall#
pixfirewall# sh run access-group
access-group in in interface inside
access-group out in interface outside
pixfirewall#

Also :

%PIX-5-111005: console end configuration: OK
%PIX-7-609001: Built local-host outside:11.11.11.11
%PIX-7-609001: Built local-host inside:10.10.10.11
%PIX-6-302020: Built inbound ICMP connection for faddr 11.11.11.11/12 gaddr 10.10.10.11/0 laddr 10.10.10.11/0
%PIX-6-302020: Built outbound ICMP connection for faddr 11.11.11.11/12 gaddr 10.10.10.11/0 laddr 10.10.10.11/0

pixfirewall# sh run nat
pixfirewall# sh run global
pixfirewall# sh run static
pixfirewall# sh xlate
0 in use, 0 most used
pixfirewall#


Dan

You are right. If you disable nat-control, and have no NAT statement at all on the interfaces, then you are not required to configure NAT exemption either.

So when nat-control is disabled, you don't need to configure "nat (inside) 0 0.0.0.0 0.0.0.0", traffic from all interfaces would be able to pass without any nat statement.
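The behaviour the thread converges on (dynamic NAT 0 without an ACL is one-way and needs an existing xlate, NAT exemption with an ACL is two-way, and no NAT statement at all with nat-control disabled passes untranslated) can be captured in a small model. This is an added educational model, not Cisco code; the rule semantics are assumptions taken from the posts above, and the model assumes the interface ACLs already permit the flow.

```python
# Simplified model of the ASA 8.2 NAT lookup behaviour discussed in the thread.
# Assumption (not Cisco code): rule order and one-way vs two-way semantics follow
# the explanations given in the replies, with ACLs taken as already permitting.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Asa:
    nat_control: bool = False          # "nat-control" vs "no nat-control"
    identity_nat: bool = False         # "nat (inside) 0 0.0.0.0 0.0.0.0" (dynamic NAT 0)
    nat_exempt: list = field(default_factory=list)  # "nat (inside) 0 access-list": exempt nets
    xlate: set = field(default_factory=set)          # inside hosts with an active xlate

    def _exempt(self, host: str) -> bool:
        return any(ip_address(host) in ip_network(net) for net in self.nat_exempt)

    def outbound(self, src_inside: str) -> str:
        """Inside-initiated flow (high -> low security level)."""
        if self._exempt(src_inside):
            return "permit"                       # exemption is bidirectional, no xlate
        if self.identity_nat:
            self.xlate.add(src_inside)             # dynamic identity NAT builds an xlate
            return "permit"
        if self.nat_control:
            return "deny: no matching NAT rule"   # nat-control demands a rule high -> low
        return "permit"                           # passes untranslated

    def inbound(self, dst_inside: str) -> str:
        """Outside-initiated flow (low -> high security level)."""
        if self._exempt(dst_inside):
            return "permit"
        if self.identity_nat:
            # Dynamic NAT 0 is one-way: the host is reachable only while its xlate exists,
            # which is why the cluster IP only answered after it had sent traffic outbound.
            if dst_inside in self.xlate:
                return "permit"
            return "deny: No translation group found"
        if self.nat_control:
            return "deny: No translation group found"   # would need a static 1:1
        return "permit"                                  # no NAT rule at all, untranslated


if __name__ == "__main__":
    asa = Asa(identity_nat=True)                     # the original poster's configuration
    print(asa.inbound("10.213.12.13"))                # denied: cluster VIP has no xlate
    asa.outbound("10.213.12.13")                      # VIP pings out, xlate created
    print(asa.inbound("10.213.12.13"))                # now permitted
    print(Asa(nat_exempt=["10.213.12.0/24"]).inbound("10.213.12.13"))  # Jennifer's fix
```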
