03-26-2012 06:33 AM - edited 03-11-2019 03:46 PM
Hi,
Help me to understand!!!
We have an internet link from the ISP which is terminated in a router (say Fa 0/0). The ISP has provided me a public IP pool for our use. We have configured one of the IPs from this pool on the other interface of the router (say Fa 0/1), and the ASA outside is also in the same subnet.
ISP---(Fa 0/0) RTR (Fa 0/1)---ASA----10.50.x.x
When we ping any inside IP with source as Fa 0/0 from the router, I am getting a reply. But when I ping the same with source as Fa 0/1, I am getting the below log in the ASA firewall.
No translation group found for icmp src outside:x.x.x.x dst inside:10.50.x.x (type 8, code 0)
But the ping is successful when we add a static NAT command for 10.50.x.x to translate as 10.50.x.x.
Like:
static (inside,outside) 10.50.x.x 10.50.x.x netmask 255.255.0.0
My question is:
Why didn't I get the same log when I pinged with source as Fa 0/0?
03-26-2012 07:22 AM
Hi,
I don't understand why you would need to ping your local LAN private address range IP addresses from a public network? You can't use the local private IP addresses to connect to the Internet anyway.
Also having no configuration attached I can't really say what the situation is on the ASA.
The log message itself says there's no translation configured for the traffic. So I guess you have some rule for the ISP link network (Fa0/0 -> ISP) but not for the address pool (Fa0/1 -> ASA)? It still doesn't make sense why you would need to ping inside hosts from outside with their original IP address.
I'd imagine the syslog id of the message that you mentioned was the following:
305005
Error Message %ASA-3-305005: No translation group found for protocol src interface_name: source_address/source_port dst interface_name: dest_address/dest_port
Explanation A packet does not match any of the outbound nat command rules. If NAT is not configured for the specified source and destination systems, the message will be generated frequently.
Recommended Action This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.
Can you copy/paste here all your basic ASA configurations, while of course changing the public IP addresses/passwords etc. if needed from the output? It would then be easy to see how the translations/traffic work on your ASA.
- Jouni
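An added example, not part of either post and not Cisco code: a small parser for the "No translation group found" message discussed above that counts untranslated flows per source/destination pair and marks the ones addressed to an RFC 1918 inside address. The sample lines and their documentation-range addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (documentation-range public addresses, not from the thread).
SAMPLE_LOGS = [
    "%ASA-3-305005: No translation group found for icmp src outside:192.0.2.2 dst inside:10.50.1.10 (type 8, code 0)",
    "%ASA-3-305005: No translation group found for icmp src outside:192.0.2.2 dst inside:10.50.1.10 (type 8, code 0)",
    "%ASA-3-305005: No translation group found for tcp src outside:198.51.100.7/40112 dst inside:10.50.1.20/443",
    "%ASA-6-302013: Built inbound TCP connection 17 for outside:198.51.100.7/40113 (198.51.100.7/40113) to inside:10.50.1.20/80 (10.50.1.20/80)",
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports are present for TCP/UDP; ICMP carries "(type N, code N)" instead.
PATTERN = re.compile(
    r"No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):\s*(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):\s*(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)

def parse_305005(line):
    """Return the fields of one 'no translation group' message, else None."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None

def is_rfc1918(ip):
    """True for a private IPv4 address; redacted values such as 10.50.x.x give False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def untranslated_flows(lines):
    """Count hits per (proto, src_if, src_ip, dst_if, dst_ip)."""
    hits = Counter()
    for line in lines:
        f = parse_305005(line)
        if f:
            hits[(f["proto"], f["src_if"], f["src_ip"], f["dst_if"], f["dst_ip"])] += 1
    return hits

def report(lines):
    """One text row per flow, most frequent first."""
    rows = []
    for (proto, s_if, s_ip, d_if, d_ip), n in untranslated_flows(lines).most_common():
        note = "[dst is RFC 1918]" if is_rfc1918(d_ip) else ""
        rows.append(f"{n:>3} {proto:<5} {s_if}:{s_ip} -> {d_if}:{d_ip} {note}".rstrip())
    return rows

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOGS)))
```
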