ASA Syslog - No Translation Group Found

Robert Juric
Level 1

I recently noticed I'm getting flooded with these messages saying No Translation Group Found for an inside to an inside IP address. I'm not sure what could be causing this. Below is my NAT configuration:

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.60.2.0 255.255.255.0
nat (outside) 2 10.103.13.0 255.255.255.0

Any suggestions on where to look?

6 Replies

mirober2
Cisco Employee

Hi Robert,

The syslogs indicate that the packet is destined to a host on your inside interface and sourced from a host on the same interface? Does this seem like legitimate traffic or a spoofing/routing issue? If the traffic seems legitimate, you'll need to set up the ASA to allow traffic to be u-turned on the inside interface:

same-security-traffic permit intra-interface

static (inside,inside) netmask

Otherwise, I would suggest investigating why these packets are in the network. Packet captures on the inside interface would be a good starting place to help you trace the packet back through the network via MAC address.

Hope that helps.

-Mike
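
Added example, not part of the original thread: a short Python script that tallies which host pairs produce the messages and picks out those whose source and destination are on the same interface, the case the reply above describes. It assumes the messages are syslog ID 305005 in the standard ASA layout; the sample log lines and all addresses in them are constructed.

```python
import re
from collections import Counter

# Assumed %ASA-3-305005 layout. The port is absent for ICMP, which carries a
# trailing "(type N, code N)" instead.
MSG = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/\d+)?"
)

# Constructed sample log: timestamps, hostname and addresses are invented.
SAMPLE = """\
Mar 03 10:15:01 asa %ASA-3-305005: No translation group found for tcp src inside:10.1.1.20/51514 dst inside:10.60.2.45/9100
Mar 03 10:15:04 asa %ASA-3-305005: No translation group found for tcp src inside:10.1.1.20/51515 dst inside:10.60.2.45/9100
Mar 03 10:15:07 asa %ASA-3-305005: No translation group found for tcp src inside:10.1.1.20/51516 dst inside:10.60.2.45/9100
Mar 03 10:15:09 asa %ASA-3-305005: No translation group found for icmp src inside:10.1.1.30 dst inside:10.60.2.45 (type 8, code 0)
Mar 03 10:15:11 asa %ASA-3-305005: No translation group found for udp src inside:10.1.1.40/53211 dst outside:198.51.100.7/53
Mar 03 10:15:12 asa %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.9/443
"""

def summarize(lines):
    """Count 305005 events per (src_if, src_ip, dst_if, dst_ip); ports are ignored."""
    counts = Counter()
    for line in lines:
        m = MSG.search(line)
        if m:  # other message IDs are skipped
            counts[(m["src_if"], m["src_ip"], m["dst_if"], m["dst_ip"])] += 1
    return counts

def same_interface_flows(counts):
    """Return flows whose source and destination interface match, busiest first."""
    hits = [(flow, n) for flow, n in counts.items() if flow[0] == flow[2]]
    return sorted(hits, key=lambda item: -item[1])

if __name__ == "__main__":
    for (s_if, s_ip, d_if, d_ip), n in same_interface_flows(summarize(SAMPLE.splitlines())):
        print(f"{n:5d}  {s_if}:{s_ip} -> {d_if}:{d_ip}")
```

The busiest source address is the host to trace first, either as legitimate traffic that needs a NAT exemption or as a routing or spoofing problem.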

One address is my NMS, the other is a remote location via S2S VPN tunnel. I'm not sure if that qualifies as inside to inside.

Hi Robert,

In that case, make sure you have an entry in your NAT 0 ACL (nonat) for this traffic. That will prevent NAT from taking place and the packet should be sent over the tunnel.

-Mike

There is an entry in my nonat ACL for this subnet. I did some further research and found out that this alert is being generated by my printer server trying to communicate with a printer on the remote end of the S2S VPN tunnel. The tunnel is currently down at the moment as well. Could the fact that the ASA doesn't know where to send the traffic be causing this error?

Also, is there any way to correct this issue (other than bringing the VPN tunnel up)? Or should I possibly adjust my logging level?

Thanks for the help everyone,

Robert

When you configure a Site to Site VPN there is a NO-NAT rule between both subnets, source and destination, yes or no?

lcuevas1
Level 1

Hi Robert, you can't apply a NAT from the inside to the inside, I think.
