Cisco ASA 5510 NAT Issue

jjizzle1985
Level 1

Hey guys,

I seem to be having an issue with this ASA 5510 FW; I don't wanna use NAT for inside/outside, since I'm NATed on my router; I just want this FW to inspect packages and deny packages; that's it.

When I check the logs on the 5510, it keeps saying this error:

3|Oct 22 2018 16:24:12|305005: No translation group found for udp src IN:1.8.8.4/49611 dst OUT:8.8.4.4/53
3|Oct 22 2018 16:24:12|305005: No translation group found for udp src IN:1.8.8.4/50818 dst OUT:8.8.4.4/53
3|Oct 22 2018 16:24:12|305005: No translation group found for udp src IN:1.8.8.4/49486 dst OUT:8.8.4.4/53
3|Oct 22 2018 16:24:12|305005: No translation group found for udp src IN:1.8.8.4/57103 dst OUT:8.8.4.4/53
3|Oct 22 2018 16:24:13|305005: No translation group found for udp src IN:1.8.8.4/61703 dst OUT:8.8.4.4/53

 

I also saw this alert:

6|Oct 22 2018 16:45:00|110002: Failed to locate egress interface for UDP from IN:1.8.8.4/49817 to 8.8.4.4/53;

 

This is the only error/alert I see that's causing me not to get onto the internet.

 

I have a simple and easy setup; please see the attached network layout and FW config.

4 Replies

If you don't want NATing, why are you applying it on the ASA? There is NAT configuration on your ASA.

Hello,

I'm trying to apply an exemption for NAT, so the ASA won't NAT any traffic from inside/outside; just deny and/or permit packages.

Isn't this the command to exempt traffic that you don't wanna NAT from inside-outside?

access-list NO-NAT extended permit ip INNET 255.255.255.0 OUTNET 255.255.255.252

 

Please advise

 

Thanks

If you do not want to do any NAT on the ASA then remove the following commands.

 

nat-control

global (OUT) 1 interface
nat (IN) 0 access-list NO-NAT

 

Nat-control forces you to use NAT or traffic will be dropped. So once you remove that you will be able to remove the global and nat commands without affecting traffic.

--
Please remember to select a correct answer and rate helpful posts
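
An added example, not part of any post in this thread: a small Python parser for the two ASA messages quoted in the question (305005 and 110002), grouping them by flow with the ephemeral source port ignored, which makes it obvious that every drop is the same inside host's DNS traffic to one resolver. The sample lines are copied from the question; the function names `parse_line` and `summarize` are assumptions made for this illustration.

```python
import re
from collections import Counter

# Lines copied from the question in this thread (severity|timestamp|id: text).
SAMPLE = """\
3|Oct 22 2018 16:24:12|305005: No translation group found for udp src IN:1.8.8.4/49611 dst OUT:8.8.4.4/53
3|Oct 22 2018 16:24:12|305005: No translation group found for udp src IN:1.8.8.4/50818 dst OUT:8.8.4.4/53
3|Oct 22 2018 16:24:13|305005: No translation group found for udp src IN:1.8.8.4/61703 dst OUT:8.8.4.4/53
6|Oct 22 2018 16:45:00|110002: Failed to locate egress interface for UDP from IN:1.8.8.4/49817 to 8.8.4.4/53;
"""

LINE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<id>\d{6}): (?P<text>.*)$")
SRC = r"(?P<sif>[^:\s]+):(?P<sip>[\d.]+)/(?P<sport>\d+)"
# 110002 prints the destination without an interface name, so it is optional.
DST = r"(?:(?P<dif>[^:\s]+):)?(?P<dip>[\d.]+)/(?P<dport>\d+)"
BODY = {
    "305005": re.compile(r"for (?P<proto>\S+) src " + SRC + " dst " + DST),
    "110002": re.compile(r"for (?P<proto>\S+) from " + SRC + " to " + DST),
}

def parse_line(line):
    """Return a dict for a 305005/110002 line, or None for anything else."""
    m = LINE.match(line.strip())
    if not m or m["id"] not in BODY:
        return None
    b = BODY[m["id"]].search(m["text"])
    if not b:
        return None
    return {"id": m["id"], "severity": int(m["sev"]), "time": m["ts"],
            "proto": b["proto"].lower(), "src_if": b["sif"], "src_ip": b["sip"],
            "src_port": int(b["sport"]), "dst_if": b["dif"],
            "dst_ip": b["dip"], "dst_port": int(b["dport"])}

def summarize(text):
    """Count events per (message id, proto, src interface, src ip, dst ip, dst port)."""
    flows = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            flows[(ev["id"], ev["proto"], ev["src_if"], ev["src_ip"],
                   ev["dst_ip"], ev["dst_port"])] += 1
    return flows

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).most_common():
        print(count, *key)
```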

Hello,

After removing the configuration you recommended, I can see I can build outbound packets for DNS, but I don't see any inbound packets coming back to my inside network; and when I try to access a website I still can't view the website; it's saying can't find DNS Server name and/or DNS Timeout.

Idk what else I'm missing for this to work as a simple network setup; I would like to use the GUI but I keep getting server not trusted from Java even with the IP address in the exception site list; still nothing.

This is what I see on the Java console when trying to launch Cisco ASDM:

java.lang.ClassCastException: sun.security.ssl.X509TrustManagerImpl cannot be cast to com.sun.deploy.security.X509ExtendedDeployTrustManager

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server

Caused by: java.security.cert.CertificateException: Java couldn't trust Server

 

I've seen this before, but with the IP address in the exception list it's still not working.

Please help.

Please, can anyone direct me on how to fix the web and ASA 5510 problem?