Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
558
Views
0
Helpful
1
Replies

ASA NAT help

uthayaman elangovan
Level 1
Level 1

‎03-26-2012 06:33 AM - edited ‎03-11-2019 03:46 PM

Hi,

Help me to understand!!!

We have an internet link from ISP whic is terminated in a router(say Fa 0/0). ISP have provided me a public ip pool for our use. we have configured one of the ip from this pool in other interface of the router(say Fa 0/1) and  ASA outside also in the same subnet.

ISP---(Fa 0/0) RTR (Fa 0/1)---ASA----10.50.x.x

When we ping any inside ip with source as Fa 0/0 from router i am getting a reply. But when i ping the same with source as Fa 0/1 i am getting the below log in asa firewall.

No translation group found for icmp src outside:x.x.x.x dst inside:10.50.x.x (type 8, code 0)

But ping is success when we add static NAT command for 10.50.x.x to translate as 10.50.x.x.

Like

static (inside,outside) 10.50.x.x 10.50.x.x netmask 255.255.0.0

My question is

Why i didnt get same log when i ping with source as Fa 0/0

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎03-26-2012 07:22 AM

Hi,

I dont understand why you would need to ping your local LAN private address range IP addresses from public network? You can't use the local private IP addresses to connect to Internet anyway.

Also having no configuration attached I can't really say what the situation is on the ASA.

The log message itself says theres no translation configured for the traffic. So I guess you have some rule for the ISP link network (Fa0/0 -> ISP) but not for the address pool (Fa0/1 -> ASA)? Still doesnt make sense why you would need to ping inside hosts from outside with their original IP address.

I'd imagine the syslog id of the message that you mentioned was the following:

 305005 
Error Message    %ASA-3-305005: No translation group found for protocol src 
interface_name: source_address/source_port dst interface_name: 
dest_address/dest_port





 


Explanation    A packet does not match any of the outbound nat command rules. If NAT is not  configured for the specified source and destination systems, the message will be generated  frequently. 


 


Recommended Action    This message indicates a configuration error. If dynamic NAT is desired for the  source host, ensure that the nat command matches the source IP address. If static NAT is desired for  the source host, ensure that the local IP address of the static command matches. If no NAT is desired  for the source host, check the ACL bound to the NAT 0 ACL.

Can you copy/paste here all your basic ASA configurations while ofcourse changing the public IP addresses/passwords etc. if needed from the output. It would be easy to see then how the translations/traffic works on your ASA

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card