01-11-2013 02:48 PM - edited 03-11-2019 05:46 PM
I have seen many of these errors lately. We have just moved to a new office and I have basically only assigned a new IP to the outside interface.
Jan 11 2013 14:42:08: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1363 dst outside:192.168.200.202/69
Jan 11 2013 14:42:12: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1363 dst outside:192.168.200.202/69
Jan 11 2013 14:42:12: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1363 dst outside:192.168.200.202/69
Jan 11 2013 14:42:16: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1363 dst outside:192.168.200.202/69
Jan 11 2013 14:42:16: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1363 dst outside:192.168.200.202/69
Jan 11 2013 14:42:20: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1364 dst outside:192.168.200.202/69
Jan 11 2013 14:42:29: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1364 dst outside:192.168.200.202/69
Jan 11 2013 14:46:48: %ASA-3-305005: No translation group found for udp src inside:192.168.4.228/1685 dst outside:192.168.200.202/69
Please help.
01-11-2013 04:03 PM
Hi,
This is what I get from reading through the configuration and referring back to the log messages you are seeing.
You have an L2L VPN configured with the following networks
On the basis of the above, as you can see, the network 192.168.200.0/24 is located behind an L2L VPN connection. The only source network on your side able to use that L2L VPN connection is 192.168.20.0/22, which naturally by itself already means that hosts in 192.168.4.x/24 CAN'T connect through the L2L VPN.
Now when you also consider that you have the configuration "nat-control", it means that all traffic going through the firewall must have a NAT configuration available or it won't get through the firewall. And as you can see, the network 192.168.4.0/24 only has one NAT0 rule for VPN Client connections BUT nothing for Internet traffic or NAT0 for traffic to the L2L VPN.
So as long as the IP Phones try to connect to the remote site address that might be a Call Manager then I guess (without knowing more about the VOIP in general) you will be seeing these log messages.
Now the question at this point for me is: are the IP Phones supposed to connect to the remote host behind the L2L VPN, and if they are, why don't they have any rules for the L2L VPN connections? Have the Phones been moved from some 192.168.20.0/22 network segment to the 192.168.4.0/24 segment at some point recently and this has not been taken into account with regards to the L2L VPN configurations?
These are the things that I can see looking at the log message and the above configurations.
Please ask more questions if needed.
Please do rate if you find the information helpful.
- Jouni
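As an added example (not code from the thread), the following Python script replays the check Jouni describes: it parses the %ASA-3-305005 syslog lines quoted above and, using the inside_nat0_outbound ACL and the nat (inside) 1 line from the posted config, reports which NAT rule (if any) each logged flow would match under nat-control. Static translations are left out since they do not cover the phone subnet.

```python
import ipaddress
import re

# Constructed sample: two of the syslog lines quoted in the original question.
SYSLOG = """\
Jan 11 2013 14:42:08: %ASA-3-305005: No translation group found for udp src inside:192.168.4.224/1363 dst outside:192.168.200.202/69
Jan 11 2013 14:46:48: %ASA-3-305005: No translation group found for udp src inside:192.168.4.228/1685 dst outside:192.168.200.202/69
"""

# NAT exemption ACEs copied from the posted config (nat (inside) 0 access-list inside_nat0_outbound).
NAT0_ACL = [
    "permit ip 192.168.20.0 255.255.252.0 192.168.20.128 255.255.255.192",
    "permit ip 192.168.20.0 255.255.252.0 192.168.100.0 255.255.252.0",
    "permit ip 192.168.20.0 255.255.252.0 192.168.200.0 255.255.255.0",
    "permit ip 192.168.4.0 255.255.255.0 192.168.20.192 255.255.255.254",
    "permit ip 192.168.20.0 255.255.252.0 host 172.16.121.11",
]
# Source networks covered by "nat (inside) 1 ..." (PAT to the outside interface).
NAT1_SOURCES = ["192.168.20.0 255.255.252.0"]

LOG_RE = re.compile(r"%ASA-3-305005: .* src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)")


def net(addr, mask):
    """Build a network from ASA-style 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(ace):
    """Parse 'permit ip SRC MASK DST MASK' or '... host DST' into two networks."""
    toks = ace.split()
    src = net(toks[2], toks[3])
    if toks[4] == "host":
        return src, net(toks[5], "255.255.255.255")
    return src, net(toks[4], toks[5])


def explain(src_ip, dst_ip):
    """Mimic the ASA 8.2 lookup order: NAT exemption first, then regular nat/global."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in NAT0_ACL:
        sn, dn = parse_ace(ace)
        if s in sn and d in dn:
            return f"nat 0 (exempt, e.g. VPN traffic): {ace}"
    for n in NAT1_SOURCES:
        if s in net(*n.split()):
            return f"nat 1 (PAT to outside interface, source in {n})"
    return "no NAT rule: dropped under nat-control, logged as 305005"


def analyse(text):
    """Return (src, dst, dst_port, verdict) for every 305005 line in the syslog text."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            _, src, _, _, dst, dport = m.groups()
            results.append((src, dst, int(dport), explain(src, dst)))
    return results


if __name__ == "__main__":
    for src, dst, dport, verdict in analyse(SYSLOG):
        print(f"{src} -> {dst}:{dport}  {verdict}")
```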
01-11-2013 04:24 PM
Hi,
The only thing I know from some of our customer IP Phones is the following.
The customer LAN router is usually configured with DHCP, and that DHCP service provides a configuration to the IP Phones with an "option" parameter. This parameter contains the IP address of a Call Manager server (at least in our case) to which the IP Phones then connect with TFTP after they are booted up. After downloading something from the Call Manager (I assume some kind of configuration?) it forms a connection with destination port TCP/2000.
Taking the above into consideration, it would seem your network 192.168.4.0/24 is routed towards some other L3/Router device behind the ASA.
route inside 192.168.4.0 255.255.255.0 192.168.20.1 1
So I would look for the device in your network which contains the gateway for the network 192.168.4.0/24 and look for a DHCP Pool configuration that refers to the log destination IP address with the "option" parameter. If the gateway interface on the router has an "ip helper-address" configuration instead of a DHCP Pool directly, then you will need to check the DHCP server configuration that is possibly giving this option to the phones.
I can't think of anything else at the moment.
- Jouni
01-11-2013 03:00 PM
Hi,
It would seem like traffic that is hitting the firewall but doesn't have a Translation rule for it.
Also about the actual traffic
You can share the configuration of the ASA if you want us to go through them (Remove any sensitive information like complete public IP addresses etc)
- Jouni
01-11-2013 03:38 PM
You are correct, it is a VPN connection.
192.168.4.0/24 is our IP phone subnet so the IPs should be phone IPs.
This Firewall existed before I arrived so I am nervous to mess with it since I am not a firewall expert.
I do wish I could clean it up more.
Cryptochecksum: 890fe7da 6b725a66 480d885a fac2b25d
: Saved
: Written by dnguyen at 15:23:59.453 PST Fri Jan 11 2013
!
ASA Version 8.2(1)
!
hostname ASA5510-HQ
domain-name xxxxxxxx.com
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 173.xx.xx.xx 255.255.255.248
!
interface Ethernet0/1
description DMZ between ASA and L3 switch
nameif inside
security-level 100
ip address 192.168.20.8 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.21.114
name-server 192.168.21.112
domain-name mng-inc.com
same-security-traffic permit inter-interface
object-group service ftp-service tcp
port-object range ftp-data ftp
object-group network ftp-svr_ref
description Public FTP Server
network-object host 173.164.xx.xx
object-group network ftp-svr
description Public FTP Server
network-object 192.168.21.13 255.255.255.255
object-group network BlockedOutsideIP
description External IP range that are blocked to access any internal IP
network-object 128.241.0.0 255.255.0.0
network-object 208.111.128.0 255.255.192.0
access-list outside_access_in extended deny ip object-group BlockedOutsideIP any log
access-list outside_access_in extended permit tcp any object-group ftp-svr_ref range ftp-data ftp
access-list outside_access_in extended permit tcp any object-group ftp-svr_ref gt 1024
access-list outside_access_in remark Allow ICMP
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any host 173.164.xx.xx
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.252.0 192.168.20.128 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.252.0 192.168.100.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.252.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.20.192 255.255.255.254
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.252.0 host 172.16.121.11
access-list Pleasanton_splitTunnelAcl standard permit 192.168.20.0 255.255.252.0
access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.252.0 192.168.100.0 255.255.252.0
access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.252.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.252.0 192.168.101.0 255.255.255.0
access-list PhoneVendor_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list ACL2PBX extended permit tcp any host 192.168.4.97
access-list Nasa6700_splitTunnelAcl standard permit 192.168.20.0 255.255.252.0
access-list Apollo_splitTunnelAcl standard permit 192.168.20.0 255.255.252.0
!
tcp-map mss-map
!
pager lines 24
logging enable
logging timestamp
logging list office_test level debugging
logging buffer-size 500000
logging console informational
logging monitor office_test
logging buffered warnings
logging trap errors
logging history debugging
logging asdm office_test
logging mail warnings
logging from-address itmonitor@mng-xxxx
logging recipient-address dnguyen@mng-xxx level emergencies
logging host inside 192.168.21.30 format emblem
logging debug-trace
logging permit-hostdown
logging message 100000 level informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool hq-vpn-net 192.168.20.128-192.168.20.160 mask 255.255.255.0
ip local pool PhoneVendor 192.168.20.192-192.168.20.193 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.20.0 255.255.252.0
static (inside,outside) 173.xx.xx.xx 192.168.21.13 netmask 255.255.255.255
static (inside,outside) 173.xx.xx.xx 192.168.21.43 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.164.xx.xx 1
route inside 192.168.4.0 255.255.255.0 192.168.20.1 1
route inside 192.168.20.0 255.255.252.0 192.168.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.20.0 255.255.252.0 inside
http 192.168.1.0 255.255.255.0 management
snmp-server group snmpv3Group v3 priv
snmp-server user firstwatch snmpv3Group v3 encrypted auth md5 24:19:a1:26:88:93:f2:9e:a0:a8:a9:3c:f8:e9:d0:ba priv des b2:74:76:4e:14:42:cd:7a:4b:87:b5:b8:45:eb:d5:30
snmp-server host inside 172.16.121.11 version 3 firstwatch
snmp-server location HQ
snmp-server contact
snmp-server enable traps snmp linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.124.xx.xx
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.20.0 255.255.252.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 55
console timeout 0
management-access inside
dhcpd address 192.168.1.10-192.168.1.100 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.83.249.28 source outside prefer
ntp server 208.66.174.71 source outside
ntp server 148.167.132.201 source outside
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1
webvpn
default-idle-timeout 7200
group-policy duong internal
group-policy duong attributes
dns-server value 192.168.21.114 192.168.21.112
vpn-tunnel-protocol IPSec
default-domain value xxxxx.com
group-policy PhoneVendor internal
group-policy PhoneVendor attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PhoneVendor_splitTunnelAcl
group-policy Pleasanton internal
group-policy Pleasanton attributes
dns-server value 192.168.21.112 192.168.21.114
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Pleasanton_splitTunnelAcl
default-domain value office.xxxxxx
group-policy Nasa6700 internal
group-policy Nasa6700 attributes
dns-server value 192.168.21.114 192.168.21.112
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Nasa6700_splitTunnelAcl
default-domain value xxxxxx.com
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
tunnel-group DefaultL2LGroup general-attributes
default-group-policy Nasa6700
tunnel-group Pleasanton type remote-access
tunnel-group Pleasanton general-attributes
address-pool hq-vpn-net
default-group-policy Pleasanton
tunnel-group Pleasanton ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxxxxx
peer-id-validate cert
tunnel-group 64.124.xx.xx type ipsec-l2l
tunnel-group 64.124.xx.xx ipsec-attributes
pre-shared-key xxxxxxxxxxxxxx
tunnel-group PhoneVendor type remote-access
tunnel-group PhoneVendor general-attributes
address-pool PhoneVendor
default-group-policy PhoneVendor
tunnel-group PhoneVendor ipsec-attributes
pre-shared-key xxxxxxxxx
tunnel-group Nasa6700 type remote-access
tunnel-group Nasa6700 general-attributes
address-pool hq-vpn-net
default-group-policy Nasa6700
tunnel-group Nasa6700 ipsec-attributes
pre-shared-key xxxxxxxxxxx
!
class-map inspection_default
match default-inspection-traffic
class-map CM2PBX
match access-list ACL2PBX
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map PM2PBX
class CM2PBX
set connection advanced-options mss-map
!
service-policy global_policy global
service-policy PM2PBX interface outside
smtp-server xx.xx.xx.xx
prompt hostname context
Cryptochecksum:890fe7da6b725a66480d885afac2b25d
: end
01-11-2013 04:16 PM
Thank you for the information, it was very helpful.
I guess I want the IP phones to stop trying to get to the 192.168.200.202 device since such a device no longer exists, so TFTP to it is not needed. Did you see something in the config that says to send anything to a TFTP server on 192.168.200.202? I guess there may be a setup to TFTP to 192.168.200.202 by the IP phones, but that is no longer being used. Is there a way to make it stop?
01-16-2013 04:57 PM
You are correct again, finally got a hold of the phone guy and he said 192.168.200.202 is a default IP of one of the IP phone cards. It is a coincidence that the default IP happens to be one belonging to an existing network of ours.