11-09-2010 05:44 AM - edited 03-11-2019 12:06 PM
Hello,
I have the following problem doing NAT between my inside and dmz_sp interfaces; here is the diagram:
· Whenever these three hosts on the dmz_sp access the inside network, their traffic should be translated to the Inside interface IP address.
· Static configuration is not an option, since they don't have Inside addresses for this;
· NAT0 is not an option, because the internal network overlaps
Based on these needs, I deployed the following configuration:
nat (dmz_sp) 2 10.241.48.136 255.255.255.255 outside
nat (dmz_sp) 2 10.241.48.151 255.255.255.255 outside
nat (dmz_sp) 2 10.241.48.171 255.255.255.255 outside
global (inside) 2 interface
Here's the actual relevant configuration he already had there before I applied the config above:
no nat-control
nat (inside) 0 access-list acl_nonat
nat (dmz) 1 access-list ACL_SCAN_MAIL
nat (inside) 1 172.16.0.0 255.240.0.0
global (dmz) 1 interface
global (dmz_sp) 1 10.120.0.254
global (dmz_net) 1 10.120.3.254
Now, I have the following problem after I added my dmz_sp nat configuration:
Whenever the hosts in the network on 172.16.x.x are trying to access these three servers on dmz_sp, the FW is not even able to build the connection, showing me the following error message:
Nov 08 2010 16:46:27 FW-1 : %ASA-6-305011: Built dynamic TCP translation from inside:172.21.120.190/1223 to dmz_sp:10.120.0.254/11609
Nov 08 2010 16:46:27 FW-1 : %ASA-3-305005: No translation group found for tcp src inside:172.21.120.190/1223 dst dmz_sp:10.241.48.136/1433
The weird thing is that it shows up in the xlate table but the connection is dropped anyway.
The problem doesn't happen when the Inside network is trying to access any different host in the same network on dmz_SP.
Is this an expected behavior? What should be done in order to work around this issue?
If any configuration is needed, please let me know. But as I said before, we can assume that routing and permissions are ok.
11-09-2010 05:52 AM
If the DMZ_SP host is going to look like the inside interface IP address (hiding behind a pat pool) then, why is the inside host 172.21.120.190 trying to access it using its real IP address 10.241.48.136?
With what you have configured only the DMZ_SP hosts can initiate traffic and the inside hosts can only respond to them. Traffic cannot be initiated from the inside hosts to the dmz hosts.
Nov 08 2010 16:46:27 FW-1 : %ASA-3-305005: No translation group found for tcp src inside:172.21.120.190/1223 dst dmz_sp:10.241.48.136/1433
It appears that you do not have a choice but to use static (inside,dmz_sp) instead of nat/global outside for the dmz hosts.
Remember you cannot reach the hosts hiding behind a pat pool. This will be like google trying to reach all your inside hosts hiding behind a pat pool. Just not possible unless you configure static NAT or PAT.
-KS
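To make the behaviour KS describes concrete, here is a small Python model of the pre-8.3 ASA translation lookup. It is an added illustration, not code from this thread or from Cisco, and it only models the rules that matter for the question: the three `nat (dmz_sp) 2 ... outside` lines paired with `global (inside) 2 interface`, `no nat-control`, and the static entry KS recommends; the customer's existing `nat (inside) 1` rules are left out. The interface addresses (192.0.2.1, 10.120.0.1), the static mapped address 192.0.2.136, the PAT start port 11609 and the extra dmz_sp host 10.241.48.200 are constructed placeholders. The model shows why a host hidden behind a dynamic PAT can only be reached as a reply to an xlate it created itself, why the OP's inside-initiated connection to the real address 10.241.48.136 finds no translation group (the 305005 case), why other dmz_sp hosts are unaffected, and why a static entry works in both directions.

```python
"""Toy model of ASA 8.2-style (pre-8.3) NAT lookup. Constructed example, not Cisco code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, str, int]  # (interface, address, port)


@dataclass
class DynamicNat:
    """nat (real_if) <id> <real_net> [outside]  paired with  global (mapped_if) <id> interface."""
    real_if: str
    mapped_if: str
    real_net: IPv4Network


@dataclass
class StaticNat:
    """static (real_if,mapped_if) <mapped_ip> <real_ip>: a fixed, bidirectional mapping."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str


class ToyAsa:
    """Translation lookup for a flow routed from src_if to dst_if (routing and ACLs assumed OK)."""

    def __init__(self, if_addrs: Dict[str, str]):
        self.if_addrs = if_addrs                     # interface -> its own IP ('global ... interface')
        self.dynamic: List[DynamicNat] = []
        self.static: List[StaticNat] = []
        self.xlates: Dict[Endpoint, Endpoint] = {}   # mapped endpoint -> real endpoint
        self._pat_port = 11609                       # constructed start port; the ASA picks its own

    def _translate_source(self, src: Endpoint, dst_if: str) -> Endpoint:
        src_if, ip, port = src
        for s in self.static:                        # static wins over dynamic, as on the ASA
            if (s.real_if, s.mapped_if, s.real_ip) == (src_if, dst_if, ip):
                return (dst_if, s.mapped_ip, port)
        for d in self.dynamic:
            if d.real_if == src_if and d.mapped_if == dst_if and IPv4Address(ip) in d.real_net:
                mapped = (dst_if, self.if_addrs[dst_if], self._pat_port)  # like %ASA-6-305011
                self._pat_port += 1
                self.xlates[mapped] = src            # the only way back to a PAT-hidden host
                return mapped
        return (dst_if, ip, port)                    # no nat-control: unmatched hosts pass untranslated

    def _untranslate_destination(self, src_if: str, dst_if: str, ip: str, port: int) -> Optional[Endpoint]:
        seen_as = (src_if, ip, port)                 # how the sender addressed the destination
        if seen_as in self.xlates:                   # reply to an xlate the hidden host created
            return self.xlates[seen_as]
        for s in self.static:
            if (s.mapped_if, s.real_if, s.mapped_ip) == (src_if, dst_if, ip):
                return (dst_if, s.real_ip, port)
        for d in self.dynamic:
            # Destination is hidden behind a dynamic pool toward src_if and no xlate exists:
            # nothing can be used to translate it, i.e. %ASA-3-305005 "No translation group found".
            if d.real_if == dst_if and d.mapped_if == src_if and IPv4Address(ip) in d.real_net:
                return None
        return (dst_if, ip, port)                    # no nat-control: untranslated destination is fine

    def connect(self, src_if, src_ip, src_port, dst_if, dst_ip, dst_port) -> Optional[Tuple[str, str]]:
        """Return ('mapped_src/port', 'real_dst/port'), or None where the ASA would log 305005."""
        mapped_src = self._translate_source((src_if, src_ip, src_port), dst_if)
        real_dst = self._untranslate_destination(src_if, dst_if, dst_ip, dst_port)
        if real_dst is None:
            return None
        return (f"{mapped_src[1]}/{mapped_src[2]}", f"{real_dst[1]}/{real_dst[2]}")


def build_thread_config(with_static: bool = False) -> ToyAsa:
    """The OP's nat/global outside rules; optionally KS's static fix (mapped address constructed)."""
    asa = ToyAsa({"inside": "192.0.2.1", "dmz_sp": "10.120.0.1"})  # constructed interface IPs
    for host in ("10.241.48.136", "10.241.48.151", "10.241.48.171"):
        asa.dynamic.append(DynamicNat("dmz_sp", "inside", IPv4Network(f"{host}/32")))
    if with_static:
        asa.static.append(StaticNat("dmz_sp", "inside", "192.0.2.136", "10.241.48.136"))
    return asa


if __name__ == "__main__":
    asa = build_thread_config()
    print("dmz_sp -> inside:", asa.connect("dmz_sp", "10.241.48.136", 5000, "inside", "172.21.120.190", 80))
    print("inside reply    :", asa.connect("inside", "172.21.120.190", 80, "dmz_sp", "192.0.2.1", 11609))
    print("inside -> real  :", asa.connect("inside", "172.21.120.190", 1223, "dmz_sp", "10.241.48.136", 1433))
    print("inside -> other :", asa.connect("inside", "172.21.120.190", 1224, "dmz_sp", "10.241.48.200", 1433))
    fixed = build_thread_config(with_static=True)
    print("inside -> static:", fixed.connect("inside", "172.21.120.190", 1225, "dmz_sp", "192.0.2.136", 1433))
```

The third call returns None for exactly the flow in the OP's log (inside:172.21.120.190/1223 to dmz_sp:10.241.48.136/1433), the fourth succeeds because 10.241.48.200 matches no rule and `no nat-control` lets it through untranslated, and the static version succeeds whichever side initiates.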
11-09-2010 09:02 AM
Thanks for your swift answer. It was very useful. I'll talk to my customer in order to re-arrange it. The returning traffic was something he didn't comment before.
Anyway, thanks for this!