Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
908
Views
5
Helpful
5
Replies

asa 5520 nat problem

Go to solution
Shakespeare Rodas
Level 1
Level 1

‎06-11-2014 01:18 PM - edited ‎02-21-2020 05:12 AM

 

Hi I have an Cisco Asa 5520 and i want to make vpn site to site using another interface with a lan to lan carrier, the problem is when i try to pass traffic have the follow syslog error:

No translation group found for udp src lan2lan:10.5.50.63/44437 dst colo:biggiesmalls/897
 
The interface for lan to lan service is called: lan2lan
one of the internal interfaces is called: colo

I think is problem with Nat on the ASA but i need help with this.
 
Config:
 
!
interface GigabitEthernet0/0
 nameif external
 security-level 0
 ip address fw-ext 255.255.255.0 standby XXaaaNNaa
 ospf cost 10
 ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.50
 vlan 50
 nameif lb
 security-level 20
 ip address 10.1.50.11 255.255.255.0 
 ospf cost 10
!
interface GigabitEthernet0/1.501
 vlan 501
 nameif colo
 security-level 90
 ip address fw-int 255.255.255.0 standby 172.16.2.253 
 ospf cost 10
!
!
interface GigabitEthernet1/1
 description Lan2Lan-Carrier
 nameif lan2lan
 security-level 0
 ip address 10.100.50.1 255.255.255.248 
!
access-list lan2lan_cryptomap_51 extended permit ip 10.1.0.0 255.255.0.0 object-group elo 
access-list lan2lan_cryptomap_51 extended permit ip sfnet 255.255.255.0 object-group elo 
pager lines 24
logging enable
logging host colo biggiesmalls
no logging message 313001
mtu external 1500
mtu lb 1500
mtu colo 1500
mtu lan2lan 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat-control
global (external) 1 interface
global (lb) 1 interface
global (colo) 1 interface
nat (lb) 1 10.1.50.0 255.255.255.0
nat (colo) 0 access-list colo_nat0_outbound
nat (colo) 1 10.1.13.0 255.255.255.0
nat (colo) 1 10.1.16.0 255.255.255.0
nat (colo) 1 0.0.0.0 0.0.0.0
access-group external_access_in in interface external
access-group lb_access_in in interface lb
access-group colo_access_in in interface colo
access-group management_access_in in interface management
access-group lan2lan in interface lan2lan
!
service resetoutside
crypto map lan2lan_map 51 match address lan2lan_cryptomap_51
crypto map lan2lan_map 51 set peer 10.100.50.2 
crypto map lan2lan_map 51 set transform-set ESP-3DES-SHA
crypto map lan2lan_map 51 set reverse-route
crypto map lan2lan_map interface lan2lan
  quit
crypto isakmp identity hostname 
crypto isakmp enable lan2lan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
client-update enable
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key xxXnnAA
tunnel-group 10.100.50.2 type ipsec-l2l
tunnel-group 10.100.50.2 general-attributes
 default-group-policy site2site
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
!
 
Preview file
62 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-11-2014 03:48 PM

Is the VPN establishing OK? ("show crypto isakmp sa" should show a MM_Active tunnel to the peer address)

We normally exempt site-site VPN traffic from NAT. That could be your problem. If you can share your configuration we can have a look at it.

p.s. you should recategorize the question to the Security / VPN forum.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-11-2014 03:48 PM

Is the VPN establishing OK? ("show crypto isakmp sa" should show a MM_Active tunnel to the peer address)

We normally exempt site-site VPN traffic from NAT. That could be your problem. If you can share your configuration we can have a look at it.

p.s. you should recategorize the question to the Security / VPN forum.

0 Helpful

Go to solution
Shakespeare Rodas
Level 1
Level 1
In response to Marvin Rhoads

‎06-11-2014 07:10 PM

Thanks changed to Security Vpn Forum, i will try with extempt the vpn traffic now...

0 Helpful

Go to solution
Shakespeare Rodas
Level 1
Level 1
In response to Marvin Rhoads

‎06-11-2014 07:15 PM

Thank you and the other question is what is the correct security level for the interfaces on this scenario with lan to lan carrier?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Shakespeare Rodas

‎06-12-2014 06:33 AM

You're welcome. The security levels can range from 0 (lowest security - typically thought of as outside) to 100 (highest security or inside).

Your screenshot indicates your have a nat statement that references pool 1 but there's no matching global. You would typically have a line being "global 1 ..."

If you can share the configuration, we could answer better.

 

Go to solution
Shakespeare Rodas
Level 1
Level 1
In response to Marvin Rhoads

‎06-12-2014 09:09 AM

Thank you i uploaded part of the fw config!!

https://supportforums.cisco.com/discussion/12230351/asa-5520-nat-problem

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card