Solved: Cisco 5510 No translation group found for UDP src inside

Duong Nguyen · ‎01-11-2013

I have seen many of these errors lately. We have just moved to a new office and I have basically only assigned a new IP to the outside interface.

Jan 11 2013 14:42:08: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1363 dst outside:192.168.200.202/69

Jan 11 2013 14:42:12: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1363 dst outside:192.168.200.202/69

Jan 11 2013 14:42:16: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1363 dst outside:192.168.200.202/69

Jan 11 2013 14:42:20: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1364 dst outside:192.168.200.202/69

Jan 11 2013 14:42:29: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1364 dst outside:192.168.200.202/69

Jan 11 2013 14:46:48: %ASA-3-305005: No translation group found for udp src inside:192.168.4.228/1685 dst outside:192.168.200.202/69

Please help.

Jouni Forss · ‎01-11-2013

Hi,

This is what I get from reading through the configuration and referring back to the log messages you are seeing.

You have a L2L VPN configured with the following networks

Defined by the ACL named = outside_crypto_map_20
Local Source networks
- 192.168.20.0 255.255.252.0
Remote Destination networks
- 192.168.100.0 255.255.252.0
- 192.168.101.0 255.255.255.0
- 192.168.200.0 255.255.255.0

On the basis of the of the above as you can see the network 192.168.200.0/24 is located behind a L2L VPN connection. The only source network on your side able to use that L2L VPN connections is 192.168.20.0/22 which naturally already by itself means that hosts 192.168.4.x/24 CANT connect through the L2L VPN

Now when you also consider that you have configuration "nat-control", it means that all traffic going through the firewall must have an NAT configuration available or they wont get through the firewall. And as you can see the network 192.168.4.0/24 only has one NAT0 rule for VPN Client connections BUT nothing for Internet traffic or NAT0 for traffic to the L2L VPN

So as long as the IP Phones try to connect to the remote site address that might be a Call Manager then I guess (without knowing more about the VOIP in general) you will be seeing these log messages.

Now the question at this point for me is that are the IP Phones supposed to connect to the remote host behind the L2L VPN and if they are why dont they have any rules for the L2L VPN connections? Have the Phones been moved from some 192.168.20.0/22 network segment to the 192.168.4.0/24 segment at some point recently and this has not been taken into account with regards to the L2L VPN configurations?

These are the things that I can see looking at the log message and the above configurations.

Please ask more questions if needed.

Please do rate if you find the information helpfull

- Jouni

View solution in original post

Jouni Forss · ‎01-11-2013

Hi,

The only thing I know from some of our customer IP Phones is the following.

The customer LAN router is usually configured with DHCP and that DHCP service provides a configurations to the IP Phones with an "option" parameter. This parameter constains the IP address of a Call Manager server (atleast in our case) to which the IP Phones then connect with TFTP after they are booted up. After downloading something from the Call Manager (I assume somekind of configurations?) it forms a connection with destination port TCP/2000

Taking consideration the above, it would seem your network 192.168.4.0/24 is routed towards some other L3/Router device behind the ASA.

route inside 192.168.4.0 255.255.255.0 192.168.20.1 1

So I would look for the device in your network which contains the gateway for the network 192.168.4.0/24 and look for a DHCP Pool configuration that refers to the the log destination IP address with the "option" parameter. If thegateway interface on the router has an "ip helper-address" configuration instead of a DHCP Pool directly, then you will need to check the DHCP server configurations that is possibly giving this option to the phones.

I can't think of anything else at the moment.

- Jouni

View solution in original post

Jouni Forss · ‎01-11-2013

Hi,

It would seem like traffic that is hitting the firewall but doesnt have a Translation rule for it.

Also about the actual traffic

It seems to be between "inside" and "outside" segments of the firewall
It is between two private networks
Considering the 2 points above it would point to a possible L2L VPN connection?
It seems to be a TFTP connection (destination port UDP/69)
- What device is 192.168.4.224 and 192.168.4.228?
- What device is 192.168.200.202?

You can share the configuration of the ASA if you want us to go through them (Remove any sensitive information like complete public IP addresses etc)

- Jouni

Duong Nguyen · ‎01-11-2013

You are correct, it is a VPN connection.

192.168.4.0/24 is our IP phone subnet so the IPs should be phone IPs.

This Firewall existed before I arrived so I am nervous to mess with it since I am not an firewall expert.

I do wish I could clean it up more.

Cryptochecksum: 890fe7da 6b725a66 480d885a fac2b25d

: Saved

: Written by dnguyen at 15:23:59.453 PST Fri Jan 11 2013

!

ASA Version 8.2(1)

!

hostname ASA5510-HQ

domain-name xxxxxxxx.com

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 173.xx.xx.xx 255.255.255.248

!

interface Ethernet0/1

description DMZ between ASA and L3 switch

nameif inside

security-level 100

ip address 192.168.20.8 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00

dns domain-lookup outside

dns server-group DefaultDNS

name-server 192.168.21.114

name-server 192.168.21.112

domain-name mng-inc.com

same-security-traffic permit inter-interface

object-group service ftp-service tcp

port-object range ftp-data ftp

object-group network ftp-svr_ref

description Public FTP Server

network-object host 173.164.xx.xx

object-group network ftp-svr

description Public FTP Server

network-object 192.168.21.13 255.255.255.255

object-group network BlockedOutsideIP

description External IP range that are blocked to access any internal IP

network-object 128.241.0.0 255.255.0.0

network-object 208.111.128.0 255.255.192.0

access-list outside_access_in extended deny ip object-group BlockedOutsideIP any log

access-list outside_access_in extended permit tcp any object-group ftp-svr_ref range ftp-data ftp

access-list outside_access_in extended permit tcp any object-group ftp-svr_ref gt 1024

access-list outside_access_in remark Allow ICMP

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip any host 173.164.xx.xx

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.252.0 192.168.20.128 255.255.255.192

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.252.0 192.168.100.0 255.255.252.0

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.252.0 192.168.200.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.20.192 255.255.255.254

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.252.0 host 172.16.121.11

access-list Pleasanton_splitTunnelAcl standard permit 192.168.20.0 255.255.252.0

access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.252.0 192.168.100.0 255.255.252.0

access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.252.0 192.168.200.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.252.0 192.168.101.0 255.255.255.0

access-list PhoneVendor_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0

access-list ACL2PBX extended permit tcp any host 192.168.4.97

access-list Nasa6700_splitTunnelAcl standard permit 192.168.20.0 255.255.252.0

access-list Apollo_splitTunnelAcl standard permit 192.168.20.0 255.255.252.0

!

tcp-map mss-map

!

pager lines 24

logging enable

logging timestamp

logging list office_test level debugging

logging buffer-size 500000

logging console informational

logging monitor office_test

logging buffered warnings

logging trap errors

logging history debugging

logging asdm office_test

logging mail warnings

logging from-address itmonitor@mng-xxxx

logging recipient-address dnguyen@mng-xxx level emergencies

logging host inside 192.168.21.30 format emblem

logging debug-trace

logging permit-hostdown

logging message 100000 level informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool hq-vpn-net 192.168.20.128-192.168.20.160 mask 255.255.255.0

ip local pool PhoneVendor 192.168.20.192-192.168.20.193 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.20.0 255.255.252.0

static (inside,outside) 173.xx.xx.xx 192.168.21.13 netmask 255.255.255.255

static (inside,outside) 173.xx.xx.xx 192.168.21.43 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 173.164.xx.xx 1

route inside 192.168.4.0 255.255.255.0 192.168.20.1 1

route inside 192.168.20.0 255.255.252.0 192.168.20.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.20.0 255.255.252.0 inside

http 192.168.1.0 255.255.255.0 management

snmp-server group snmpv3Group v3 priv

snmp-server user firstwatch snmpv3Group v3 encrypted auth md5 24:19:a1:26:88:93:f2:9e:a0:a8:a9:3c:f8:e9:d0:ba priv des b2:74:76:4e:14:42:cd:7a:4b:87:b5:b8:45:eb:d5:30

snmp-server host inside 172.16.121.11 version 3 firstwatch

snmp-server location HQ

snmp-server contact

snmp-server enable traps snmp linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 64.124.xx.xx

crypto map outside_map 20 set transform-set ESP-AES-128-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

telnet 192.168.20.0 255.255.252.0 inside

telnet timeout 10

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 55

console timeout 0

management-access inside

dhcpd address 192.168.1.10-192.168.1.100 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.83.249.28 source outside prefer

ntp server 208.66.174.71 source outside

ntp server 148.167.132.201 source outside

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1

webvpn

default-idle-timeout 7200

group-policy duong internal

group-policy duong attributes

dns-server value 192.168.21.114 192.168.21.112

vpn-tunnel-protocol IPSec

default-domain value xxxxx.com

group-policy PhoneVendor internal

group-policy PhoneVendor attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value PhoneVendor_splitTunnelAcl

group-policy Pleasanton internal

group-policy Pleasanton attributes

dns-server value 192.168.21.112 192.168.21.114

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Pleasanton_splitTunnelAcl

default-domain value office.xxxxxx

group-policy Nasa6700 internal

group-policy Nasa6700 attributes

dns-server value 192.168.21.114 192.168.21.112

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Nasa6700_splitTunnelAcl

default-domain value xxxxxx.com

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout none

vpn-session-timeout none

tunnel-group DefaultL2LGroup general-attributes

default-group-policy Nasa6700

tunnel-group Pleasanton type remote-access

tunnel-group Pleasanton general-attributes

address-pool hq-vpn-net

default-group-policy Pleasanton

tunnel-group Pleasanton ipsec-attributes

pre-shared-key xxxxxxxxxxxxxxxxxxxx

peer-id-validate cert

tunnel-group 64.124.xx.xx type ipsec-l2l

tunnel-group 64.124.xx.xx ipsec-attributes

pre-shared-key xxxxxxxxxxxxxx

tunnel-group PhoneVendor type remote-access

tunnel-group PhoneVendor general-attributes

address-pool PhoneVendor

default-group-policy PhoneVendor

tunnel-group PhoneVendor ipsec-attributes

pre-shared-key xxxxxxxxx

tunnel-group Nasa6700 type remote-access

tunnel-group Nasa6700 general-attributes

address-pool hq-vpn-net

default-group-policy Nasa6700

tunnel-group Nasa6700 ipsec-attributes

pre-shared-key xxxxxxxxxxx

!

class-map inspection_default

match default-inspection-traffic

class-map CM2PBX

match access-list ACL2PBX

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

policy-map PM2PBX

class CM2PBX

set connection advanced-options mss-map

!

service-policy global_policy global

service-policy PM2PBX interface outside

smtp-server xx.xx.xx.xx

prompt hostname context

Cryptochecksum:890fe7da6b725a66480d885afac2b25d

: end

Jouni Forss · ‎01-11-2013

Hi,

This is what I get from reading through the configuration and referring back to the log messages you are seeing.

You have a L2L VPN configured with the following networks

Defined by the ACL named = outside_crypto_map_20
Local Source networks
- 192.168.20.0 255.255.252.0
Remote Destination networks
- 192.168.100.0 255.255.252.0
- 192.168.101.0 255.255.255.0
- 192.168.200.0 255.255.255.0

On the basis of the of the above as you can see the network 192.168.200.0/24 is located behind a L2L VPN connection. The only source network on your side able to use that L2L VPN connections is 192.168.20.0/22 which naturally already by itself means that hosts 192.168.4.x/24 CANT connect through the L2L VPN

Now when you also consider that you have configuration "nat-control", it means that all traffic going through the firewall must have an NAT configuration available or they wont get through the firewall. And as you can see the network 192.168.4.0/24 only has one NAT0 rule for VPN Client connections BUT nothing for Internet traffic or NAT0 for traffic to the L2L VPN

So as long as the IP Phones try to connect to the remote site address that might be a Call Manager then I guess (without knowing more about the VOIP in general) you will be seeing these log messages.

Now the question at this point for me is that are the IP Phones supposed to connect to the remote host behind the L2L VPN and if they are why dont they have any rules for the L2L VPN connections? Have the Phones been moved from some 192.168.20.0/22 network segment to the 192.168.4.0/24 segment at some point recently and this has not been taken into account with regards to the L2L VPN configurations?

These are the things that I can see looking at the log message and the above configurations.

Please ask more questions if needed.

Please do rate if you find the information helpfull

- Jouni

Duong Nguyen · ‎01-11-2013

Thank you for the information, it was very helpful.

I guess I want the IP phones to stop trying trying to get to the 192.168.200.202 device since such device no longer exist so tftp to is is no needed. Did you see something in the config that say to send anything to a tftp server on 192.168.200.202? I guess there may se a setup to tftp to 192.168.200.202 by the IP phones, but thta it is no longer being used. Is there a way to make it stop?

Jouni Forss · ‎01-11-2013

Hi,

The only thing I know from some of our customer IP Phones is the following.

The customer LAN router is usually configured with DHCP and that DHCP service provides a configurations to the IP Phones with an "option" parameter. This parameter constains the IP address of a Call Manager server (atleast in our case) to which the IP Phones then connect with TFTP after they are booted up. After downloading something from the Call Manager (I assume somekind of configurations?) it forms a connection with destination port TCP/2000

Taking consideration the above, it would seem your network 192.168.4.0/24 is routed towards some other L3/Router device behind the ASA.

route inside 192.168.4.0 255.255.255.0 192.168.20.1 1

So I would look for the device in your network which contains the gateway for the network 192.168.4.0/24 and look for a DHCP Pool configuration that refers to the the log destination IP address with the "option" parameter. If thegateway interface on the router has an "ip helper-address" configuration instead of a DHCP Pool directly, then you will need to check the DHCP server configurations that is possibly giving this option to the phones.

I can't think of anything else at the moment.

- Jouni

Duong Nguyen · ‎01-16-2013

You are correct again, finally got a hold of the phone guy and he said 192.168.200.202 is a default IP of one of the IP phone cards. It is a coincidence that the default IP happens to be one belonging to an existing network of ours.