cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


138
Views
0
Helpful
1
Replies
Highlighted
Beginner

Global NAT not working for DMZ - "No translation group found"

I added a new dmz subnet 172.16.2.0/24. The server I have there that is being statically nat'd is working fine but not the regular hosts. They can't get Internet access and I'm seeing the following error:

 

%ASA-3-305005: No translation group found for udp src dmz:172.16.2.5/34491 dst outside:8.8.8.8/53

 

 

I'm sure it has something to do with global nat but I'm missing it.


sh run
: Saved
:
ASA Version 8.2(5) 
!
hostname gw
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!

interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.10.136.113 255.255.255.240 
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.2.1 255.255.255.0 
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group network mxlogic
 network-object 28.65.144.0 255.255.248.0
 network-object 28.81.64.0 255.255.248.0
object-group service Datto tcp
port-object range 2200 2250
object-group network net-local
 network-object 192.168.0.0 255.255.255.0
object-group network host-12-remote
 network-object host 10.128.12.11
object-group network host-30-remote
 network-object host 10.128.30.51
object-group network net-mgmt-remote
 network-object 10.128.6.0 255.255.255.0
 network-object 10.128.11.0 255.255.255.0
 network-object 10.128.12.0 255.255.255.0
access-list inbound2 extended permit icmp any any 
access-list inbound2 extended permit icmp any host 1.10.136.115 
access-list inbound2 extended deny ip 200.161.124.0 255.255.255.0 any 
access-list inbound2 extended permit tcp any host 1.10.136.115 eq 82 
access-list inbound2 extended permit tcp any host 1.10.136.116 eq https 
access-list inbound2 extended permit tcp any host 1.10.136.117 eq www 
access-list inbound2 extended permit tcp any host 1.10.136.117 eq https 
access-list inbound2 extended permit tcp any host 1.10.136.118 eq https 
access-list inbound2 extended permit icmp any any unreachable 
access-list inbound2 extended permit tcp any host 1.10.136.116 eq smtp 
access-list inbound2 extended permit tcp any host 1.10.136.114 eq 3389 
access-list inbound2 extended permit tcp any host 1.10.136.114 eq www 
access-list inbound2 extended permit tcp any host 1.10.136.114 eq https 

access-list inbound2 extended permit tcp 28.65.144.0 255.255.248.0 host 1.10.136.114 eq smtp 
access-list inbound2 extended permit tcp 28.81.64.0 255.255.248.0 host 1.10.136.114 eq smtp 
access-list 8 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list 8 extended permit ip object-group net-local object-group host-12-remote 
access-list 8 extended permit ip object-group net-local object-group host-30-remote 
access-list 8 extended permit ip object-group net-local object-group net-mgmt-remote 
access-list mar-split standard permit host 192.168.0.150 
access-list mar-split standard permit host 192.168.0.161 
access-list mar-split standard permit host 192.168.0.200 
access-list mar-split standard permit host 192.168.0.162 
access-list dynmap standard permit 192.168.0.0 255.255.255.0 
access-list outbound extended permit tcp any any eq 4443 
access-list outbound extended permit ip host 192.168.0.249 any 
access-list outbound extended permit tcp any any eq 3389 
access-list outbound extended permit tcp any any eq 4899 
access-list outbound extended permit ip host 192.168.0.7 any 
access-list outbound extended permit ip host 192.168.0.9 any 
access-list outbound extended permit ip host 192.168.0.31 any 
access-list outbound extended permit ip host 192.168.0.6 any 
access-list outbound extended permit ip host 192.168.0.209 any 
access-list outbound extended permit ip host 192.168.0.3 any 
access-list outbound extended permit ip host 192.168.0.4 any 
access-list outbound extended permit ip host 192.168.0.2 any 
access-list outbound extended permit ip host 192.168.0.25 any 

access-list outbound extended permit ip host 192.168.0.18 any 
access-list outbound extended permit ip 10.0.0.0 255.0.0.0 any 
access-list outbound extended permit tcp any any eq www 
access-list outbound extended permit tcp any any eq https 
access-list outbound extended permit tcp any any eq ftp 
access-list outbound extended permit tcp any any eq ssh 
access-list outbound extended permit tcp any any eq 10000 
access-list outbound extended permit udp any any eq 10000 
access-list outbound extended permit udp any any eq isakmp 
access-list outbound extended permit udp any any eq 4500 
access-list outbound extended permit esp any any 
access-list outbound extended permit udp any any eq ntp 
access-list outbound extended permit ip host 192.168.0.240 any 
access-list outbound extended permit tcp any any eq pptp 
access-list outbound extended permit gre any any 
access-list outbound extended permit tcp any any eq 444 
access-list outbound extended permit tcp any any eq 4430 
access-list outbound extended permit tcp any any eq 9000 
access-list outbound extended permit udp any any eq domain 
access-list outbound extended permit tcp any any eq domain 
access-list outbound extended permit icmp any any 
access-list outbound extended permit tcp any any eq 5999 
access-list outbound extended permit ip host 192.168.0.12 any 
access-list outbound extended permit tcp any any eq 3101 
access-list outbound extended permit tcp any any eq 65535 
access-list outbound extended permit tcp any any eq 8080 
access-list outbound extended permit ip host 192.168.0.13 any 
access-list outbound extended permit tcp any any eq 8005 
access-list outbound extended permit tcp any any eq 9090 
access-list outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list outbound extended permit ip host 192.168.0.165 any 
access-list outbound extended permit tcp 192.168.0.0 255.255.255.0 object-group Datto any object-group Datto 
access-list outbound extended permit tcp any any eq 5222 
access-list outbound extended permit ip host 172.16.2.10 any 
access-list mar-filter extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.161 
access-list mar-filter extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.162 
access-list mar-filter extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.150 eq domain 
access-list mar-filter extended permit udp 192.168.2.0 255.255.255.0 host 192.168.0.200 eq domain 
access-list mar-filter extended deny ip 192.168.2.0 255.255.255.0 any 
access-list cap_outside extended permit ip any host 1.10.136.117 
access-list remote_10_cryptomap extended permit ip object-group net-local object-group host-12-remote 
access-list remote_10_cryptomap extended permit ip object-group net-local object-group host-30-remote 
access-list remote_10_cryptomap extended permit ip object-group net-local object-group net-mgmt-remote 
access-list capin extended deny ip host 8.20.58.194 host 1.10.136.113 
access-list capin extended permit ip any host 1.10.136.119 
access-list capin extended permit ip host 8.20.58.194 host 1.10.136.118 
access-list capin extended permit ip host 8.20.58.194 any 
access-list capdmz extended permit ip any host 172.16.2.1 

access-list swvpnclient standard permit 172.16.2.0 255.255.255.0 
access-list dmz-no-nat extended permit ip 172.16.2.0 255.255.255.0 172.16.3.0 255.255.255.0 
pager lines 24
logging enable
logging monitor notifications
logging buffered warnings
logging asdm informational
no logging message 402127
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote 192.168.2.1-192.168.2.254
ip local pool swvpnpool 172.16.3.1-172.16.3.254
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 1.10.136.113
nat (inside) 0 access-list 8
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 0 access-list dmz-no-nat

static (inside,outside) 1.10.136.118 192.168.0.12 netmask 255.255.255.255 
static (inside,outside) 1.10.136.117 192.168.0.20 netmask 255.255.255.255 
static (inside,outside) 1.10.136.116 192.168.0.165 netmask 255.255.255.255 
static (dmz,outside) 1.10.136.114 172.16.2.10 netmask 255.255.255.255 
access-group outbound in interface inside
access-group inbound2 in interface outside
route outside 0.0.0.0 0.0.0.0 1.10.136.126 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:03
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.0.150
 key *****
aaa-server swVPNClient protocol radius
aaa-server swVPNClient (inside) host 172.16.2.10
 key *****
aaa-server swRADIUS protocol radius
aaa-server swRADIUS (inside) host 172.16.2.10
 key *****
 
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong2 esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map rtg 1 set transform-set strong2
crypto map remote 10 match address remote_10_cryptomap
crypto map remote 10 set peer 1.130.39.52 
crypto map remote 10 set transform-set strong2
crypto map remote 65000 ipsec-isakmp dynamic rtg
crypto map remote interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 1.102.46.78

webvpn
group-policy remote internal
group-policy remote attributes
 dns-server value 192.168.0.201 192.168.0.200
 vpn-idle-timeout 30
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dynmap
 default-domain value rockporttech.com
 split-dns value rockporttech.com 
 split-tunnel-all-dns disable
group-policy mar internal
group-policy mar attributes
 dns-server value 192.168.0.150 192.168.0.200
 vpn-idle-timeout 30
 vpn-filter value mar-filter
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mar-split
 default-domain value rockporttech.com
 split-dns value rockporttech.com 
group-policy remote internal
group-policy remote attributes
 dns-server value 172.16.2.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value swvpnclient
 default-domain value srinvestments.com
 split-dns value srinvestments.com 
username swvpn password b23yCAArcUUDsLqY encrypted
username admin password PulsCK2HzfuLpAyL encrypted privilege 15
username marquis password /z5v8kWQs6.soQFt encrypted
username marquis attributes
 service-type remote-access
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool remote
 authentication-server-group (outside) RADIUS LOCAL
 default-group-policy remote
tunnel-group remote ipsec-attributes
 pre-shared-key *****
tunnel-group mar type remote-access
tunnel-group mar general-attributes
 address-pool remote
 default-group-policy mar
tunnel-group mar ipsec-attributes
 pre-shared-key *****
tunnel-group 2.130.39.52 type ipsec-l2l
tunnel-group 2.130.39.52 ipsec-attributes
 pre-shared-key *****
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool swvpnpool
 default-group-policy remote
tunnel-group remote ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns dns_map
 parameters
  message-length maximum 4000
policy-map global_policy
 class inspection_default
  inspect dns dns_map 
  inspect ftp 
  inspect http 
  inspect netbios 
  inspect pptp 
  inspect rsh 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect ipsec-pass-thru 
  inspect h323 h225 
  inspect h323 ras 
  inspect sip  
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:4dccecdd051690aa4f9b3ea0d19d7d27
: end

Everyone's tags (1)
1 REPLY 1
Beginner

Found it:no global (dmz) 1 1

Found it:

no global (dmz) 1 1.10.136.113

nat (dmz) 1 172.16.2.0 255.255.255.0