Showing results for 
Search instead for 
Did you mean: 

No matching global


I have an outdate ASA 5510 with 8.0 OS.

With the old command set, I created inside, DMZ and outside. The DMZ provides a web server host az, the translation from outside to DMZ works very well.

The problem is the access from the inside interface to the web server at the DMZ. The ASDM packet tracer comes through until NAT, then the tool generates the following message:

"nat (inside) 101 match ip inside DMZ any dynamic translation to pool 101 (No matching global) translate_hits = 15, untranslate_hits = 0" statement. Unfortunately, I have no idea how to resolve this...

Here is my config, where I would appreciate any hint:

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address (not true, just as example)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list out2dmz extended permit tcp any any eq www
access-list out2dmz extended permit tcp any any eq https

global (outside) 101 interface

nat (inside) 101
nat (DMZ) 101
static (DMZ,outside) tcp interface www www netmask
static (DMZ,outside) tcp interface https https netmask
access-group out2dmz in interface outside
route outside <external IP> 1

5 Replies 5


The problem you are getting is caused by nat control which is a feature in old code as 8.0 this means that basically you have to have a nat rule for everything, the no matching global means that although you have nat ( inside) x statement you do not have a matching global (dmz) for the dmz to make a translation, an easy way to fix this is creating a static nat for inside and dmz like the following:

Static(inside,DMZ) netmask

Static(DMZ,inside) netmask

Hope this helps.

Hi Kornelia,

thanks a lot for working on it. I tried your static entries, but as soon as I wr mem the updated configuration, the Internet access does not work anymore. Seems like all traffic is then sent to the DMZ interface?

Where did I make the mistake?

Thanks for supporting,

Hello Mario,


That is odd, the two nat statements that I provided should only affect the traffic between the inside and DMZ interface and not the internet traffic. You mention that if you save the configuration the internet breaks, what happens if you do not save it?

The following nat, that was already in place takes care of the internet traffic:

global (outside) 101 interface

nat (inside) 101
nat (DMZ) 101

The  other two nat rules  affect the traffic between the Inside and DMZ server

Static(inside,DMZ) netmask

Static(DMZ,inside) netmask

Could you kindly please run the following two packet tracers and share the outputs?

packet-tracer input inside tcp 1026 80

packet-tracer input DMZ tcp 1028 80

packet-tracer input inside tcp 1025 80

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers