06-01-2015 08:30 AM - edited 03-11-2019 11:02 PM
I added a new DMZ subnet 172.16.2.0/24. The server I have there that is being statically NAT'd is working fine, but not the regular hosts. They can't get Internet access and I'm seeing the following error:
%ASA-3-305005: No translation group found for udp src dmz:172.16.2.5/34491 dst outside:8.8.8.8/53
I'm sure it has something to do with global nat but I'm missing it.
sh run
: Saved
:
ASA Version 8.2(5)
!
hostname gw
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.10.136.113 255.255.255.240
!
interface Vlan3
nameif dmz
security-level 50
ip address 172.16.2.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group network mxlogic
network-object 28.65.144.0 255.255.248.0
network-object 28.81.64.0 255.255.248.0
object-group service Datto tcp
port-object range 2200 2250
object-group network net-local
network-object 192.168.0.0 255.255.255.0
object-group network host-12-remote
network-object host 10.128.12.11
object-group network host-30-remote
network-object host 10.128.30.51
object-group network net-mgmt-remote
network-object 10.128.6.0 255.255.255.0
network-object 10.128.11.0 255.255.255.0
network-object 10.128.12.0 255.255.255.0
access-list inbound2 extended permit icmp any any
access-list inbound2 extended permit icmp any host 1.10.136.115
access-list inbound2 extended deny ip 200.161.124.0 255.255.255.0 any
access-list inbound2 extended permit tcp any host 1.10.136.115 eq 82
access-list inbound2 extended permit tcp any host 1.10.136.116 eq https
access-list inbound2 extended permit tcp any host 1.10.136.117 eq www
access-list inbound2 extended permit tcp any host 1.10.136.117 eq https
access-list inbound2 extended permit tcp any host 1.10.136.118 eq https
access-list inbound2 extended permit icmp any any unreachable
access-list inbound2 extended permit tcp any host 1.10.136.116 eq smtp
access-list inbound2 extended permit tcp any host 1.10.136.114 eq 3389
access-list inbound2 extended permit tcp any host 1.10.136.114 eq www
access-list inbound2 extended permit tcp any host 1.10.136.114 eq https
access-list inbound2 extended permit tcp 28.65.144.0 255.255.248.0 host 1.10.136.114 eq smtp
access-list inbound2 extended permit tcp 28.81.64.0 255.255.248.0 host 1.10.136.114 eq smtp
access-list 8 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 8 extended permit ip object-group net-local object-group host-12-remote
access-list 8 extended permit ip object-group net-local object-group host-30-remote
access-list 8 extended permit ip object-group net-local object-group net-mgmt-remote
access-list mar-split standard permit host 192.168.0.150
access-list mar-split standard permit host 192.168.0.161
access-list mar-split standard permit host 192.168.0.200
access-list mar-split standard permit host 192.168.0.162
access-list dynmap standard permit 192.168.0.0 255.255.255.0
access-list outbound extended permit tcp any any eq 4443
access-list outbound extended permit ip host 192.168.0.249 any
access-list outbound extended permit tcp any any eq 3389
access-list outbound extended permit tcp any any eq 4899
access-list outbound extended permit ip host 192.168.0.7 any
access-list outbound extended permit ip host 192.168.0.9 any
access-list outbound extended permit ip host 192.168.0.31 any
access-list outbound extended permit ip host 192.168.0.6 any
access-list outbound extended permit ip host 192.168.0.209 any
access-list outbound extended permit ip host 192.168.0.3 any
access-list outbound extended permit ip host 192.168.0.4 any
access-list outbound extended permit ip host 192.168.0.2 any
access-list outbound extended permit ip host 192.168.0.25 any
access-list outbound extended permit ip host 192.168.0.18 any
access-list outbound extended permit ip 10.0.0.0 255.0.0.0 any
access-list outbound extended permit tcp any any eq www
access-list outbound extended permit tcp any any eq https
access-list outbound extended permit tcp any any eq ftp
access-list outbound extended permit tcp any any eq ssh
access-list outbound extended permit tcp any any eq 10000
access-list outbound extended permit udp any any eq 10000
access-list outbound extended permit udp any any eq isakmp
access-list outbound extended permit udp any any eq 4500
access-list outbound extended permit esp any any
access-list outbound extended permit udp any any eq ntp
access-list outbound extended permit ip host 192.168.0.240 any
access-list outbound extended permit tcp any any eq pptp
access-list outbound extended permit gre any any
access-list outbound extended permit tcp any any eq 444
access-list outbound extended permit tcp any any eq 4430
access-list outbound extended permit tcp any any eq 9000
access-list outbound extended permit udp any any eq domain
access-list outbound extended permit tcp any any eq domain
access-list outbound extended permit icmp any any
access-list outbound extended permit tcp any any eq 5999
access-list outbound extended permit ip host 192.168.0.12 any
access-list outbound extended permit tcp any any eq 3101
access-list outbound extended permit tcp any any eq 65535
access-list outbound extended permit tcp any any eq 8080
access-list outbound extended permit ip host 192.168.0.13 any
access-list outbound extended permit tcp any any eq 8005
access-list outbound extended permit tcp any any eq 9090
access-list outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outbound extended permit ip host 192.168.0.165 any
access-list outbound extended permit tcp 192.168.0.0 255.255.255.0 object-group Datto any object-group Datto
access-list outbound extended permit tcp any any eq 5222
access-list outbound extended permit ip host 172.16.2.10 any
access-list mar-filter extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.161
access-list mar-filter extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.162
access-list mar-filter extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.150 eq domain
access-list mar-filter extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.200 eq domain
access-list mar-filter extended deny ip 192.168.2.0 255.255.255.0 any
access-list cap_outside extended permit ip any host 1.10.136.117
access-list remote_10_cryptomap extended permit ip object-group net-local object-group host-12-remote
access-list remote_10_cryptomap extended permit ip object-group net-local object-group host-30-remote
access-list remote_10_cryptomap extended permit ip object-group net-local object-group net-mgmt-remote
access-list capin extended deny ip host 8.20.58.194 host 1.10.136.113
access-list capin extended permit ip any host 1.10.136.119
access-list capin extended permit ip host 8.20.58.194 host 1.10.136.118
access-list capin extended permit ip host 8.20.58.194 any
access-list capdmz extended permit ip any host 172.16.2.1
access-list swvpnclient standard permit 172.16.2.0 255.255.255.0
access-list dmz-no-nat extended permit ip 172.16.2.0 255.255.255.0 172.16.3.0 255.255.255.0
pager lines 24
logging enable
logging monitor notifications
logging buffered warnings
logging asdm informational
no logging message 402127
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote 192.168.2.1-192.168.2.254
ip local pool swvpnpool 172.16.3.1-172.16.3.254
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 1.10.136.113
nat (inside) 0 access-list 8
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 0 access-list dmz-no-nat
static (inside,outside) 1.10.136.118 192.168.0.12 netmask 255.255.255.255
static (inside,outside) 1.10.136.117 192.168.0.20 netmask 255.255.255.255
static (inside,outside) 1.10.136.116 192.168.0.165 netmask 255.255.255.255
static (dmz,outside) 1.10.136.114 172.16.2.10 netmask 255.255.255.255
access-group outbound in interface inside
access-group inbound2 in interface outside
route outside 0.0.0.0 0.0.0.0 1.10.136.126 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:03
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.0.150
key *****
aaa-server swVPNClient protocol radius
aaa-server swVPNClient (inside) host 172.16.2.10
key *****
aaa-server swRADIUS protocol radius
aaa-server swRADIUS (inside) host 172.16.2.10
key *****
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map rtg 1 set transform-set strong2
crypto map remote 10 match address remote_10_cryptomap
crypto map remote 10 set peer 1.130.39.52
crypto map remote 10 set transform-set strong2
crypto map remote 65000 ipsec-isakmp dynamic rtg
crypto map remote interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 1.102.46.78
webvpn
group-policy remote internal
group-policy remote attributes
dns-server value 192.168.0.201 192.168.0.200
vpn-idle-timeout 30
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dynmap
default-domain value rockporttech.com
split-dns value rockporttech.com
split-tunnel-all-dns disable
group-policy mar internal
group-policy mar attributes
dns-server value 192.168.0.150 192.168.0.200
vpn-idle-timeout 30
vpn-filter value mar-filter
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value mar-split
default-domain value rockporttech.com
split-dns value rockporttech.com
group-policy remote internal
group-policy remote attributes
dns-server value 172.16.2.10
split-tunnel-policy tunnelspecified
split-tunnel-network-list value swvpnclient
default-domain value srinvestments.com
split-dns value srinvestments.com
username swvpn password b23yCAArcUUDsLqY encrypted
username admin password PulsCK2HzfuLpAyL encrypted privilege 15
username marquis password /z5v8kWQs6.soQFt encrypted
username marquis attributes
service-type remote-access
tunnel-group remote type remote-access
tunnel-group remote general-attributes
address-pool remote
authentication-server-group (outside) RADIUS LOCAL
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *****
tunnel-group mar type remote-access
tunnel-group mar general-attributes
address-pool remote
default-group-policy mar
tunnel-group mar ipsec-attributes
pre-shared-key *****
tunnel-group 2.130.39.52 type ipsec-l2l
tunnel-group 2.130.39.52 ipsec-attributes
pre-shared-key *****
tunnel-group remote type remote-access
tunnel-group remote general-attributes
address-pool swvpnpool
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns dns_map
parameters
message-length maximum 4000
policy-map global_policy
class inspection_default
inspect dns dns_map
inspect ftp
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect ipsec-pass-thru
inspect h323 h225
inspect h323 ras
inspect sip
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4dccecdd051690aa4f9b3ea0d19d7d27
: end
06-01-2015 09:41 AM
Found it:
no global (dmz) 1 1.10.136.113
nat (dmz) 1 172.16.2.0 255.255.255.0
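As an added check (not from the thread or from Cisco), the script below models the 8.2-style nat/global matching that produced the error: it parses a constructed excerpt of the config above, looks up the flow from the 305005 message before and after the fix, and shows why the statically NAT'd server worked all along. It assumes the reproduced lines are the only ones relevant to that flow and does not model nat 0 access-list identity NAT.

```python
import ipaddress
import re

# Constructed excerpt of the thread's ASA 8.2(5) NAT config (the lines that
# decide how dmz traffic bound for outside is translated), before the fix.
CONFIG_BEFORE = """\
nat-control
global (outside) 1 interface
global (dmz) 1 1.10.136.113
nat (inside) 1 192.168.0.0 255.255.255.0
static (dmz,outside) 1.10.136.114 172.16.2.10 netmask 255.255.255.255
"""
# The same excerpt with the fix from the follow-up post applied.
CONFIG_AFTER = (CONFIG_BEFORE.replace("global (dmz) 1 1.10.136.113\n", "")
                + "nat (dmz) 1 172.16.2.0 255.255.255.0\n")
# Constructed copy of the syslog line quoted in the question.
SYSLOG = ("%ASA-3-305005: No translation group found for udp "
          "src dmz:172.16.2.5/34491 dst outside:8.8.8.8/53")
IP = r"(\d+\.\d+\.\d+\.\d+)"

def parse_nat(config):
    """Index nat rules by source interface, global pools by egress interface,
    and static entries. nat 0 access-list (identity NAT) is not modelled."""
    nats, pools, statics = {}, {}, []
    for line in config.splitlines():
        if m := re.match(rf"nat \((\w+)\) (\d+) {IP} {IP}$", line):
            nats.setdefault(m[1], []).append((int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        elif m := re.match(r"global \((\w+)\) (\d+) ", line):
            pools.setdefault(m[1], set()).add(int(m[2]))
        elif m := re.match(rf"static \((\w+),(\w+)\) {IP} {IP} ", line):
            statics.append((m[1], m[2], ipaddress.ip_address(m[4]), m[3]))
    return nats, pools, statics

def translation_for(config, src_if, src_ip, dst_if):
    """Return the translation 8.2-style NAT applies to a flow, or None.
    With nat-control, None is exactly the %ASA-3-305005 case."""
    ip = ipaddress.ip_address(src_ip)
    nats, pools, statics = parse_nat(config)
    for real_if, mapped_if, real, mapped in statics:
        if (real_if, mapped_if) == (src_if, dst_if) and ip == real:
            return f"static {real} -> {mapped}"
    for nat_id, net in nats.get(src_if, []):
        # A nat rule on the ingress interface is only usable when the egress
        # interface has a global pool with the same id.
        if ip in net and nat_id in pools.get(dst_if, set()):
            return f"nat id {nat_id} -> global ({dst_if})"
    return None

def diagnose(config, syslog):
    m = re.search(rf"src (\w+):{IP}/\d+ dst (\w+):{IP}/\d+", syslog)
    return translation_for(config, m[1], m[2], m[3])
```

Running `diagnose(CONFIG_BEFORE, SYSLOG)` returns None, the 305005 case; the misplaced `global (dmz) 1` only ever served inside-to-dmz flows, which is why it never helped dmz hosts reach the outside.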