No translation group found error

ktwaddell
Level 1

Hi

I have a 5510 with just an inside and outside interface, everything works on the LAN inc internet access and exchange hosting to the net, but I have another exchange server on the WAN and I can't get to that because I'm not natting inbound traffic and the default route sends traffic elsewhere.

Soooooooooo

If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a No translation group found error!!

I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command

global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

Any help please?

Thanks

Kev

3 Replies

mirober2
Cisco Employee

Hi Kev,

If I understand your requirements correctly, you need the following:

1. Dynamic PAT to allow LAN hosts to get to the Internet (translate internal IPs to the outside interface IP)
2. Static NAT to allow the Exchange server on the WAN to talk to your Exchange server on the LAN

Is that correct?

If so, you should set up something like this:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) netmask 255.255.255.255

The first 2 statements will take care of requirement number 1. The static statement will take care of requirement number 2 and will be used to translate your LAN Exchange server to a public IP on the WAN that the WAN Exchange server can talk to (so, will be the LAN Exchange server's public IP, and will be the LAN Exchange server's internal/real IP).

You'll also need to make sure the inbound access-list on your outside interface allows the WAN Exchange server to talk to the LAN Exchange server's public IP on the appropriate ports.

Hope that helps.

-Mike

Hi Mike

Thanks for the reply, half right

Yes the inside users do need access to the internet which they do have, but it's the https access to both exchange servers from the internet needed.

Server1 is local lan where the ASA is

Server2 is on a remote site

The problem is we have a default route for 0.0.0.0 going to another site with internet access, so server2 is sending its replies to that other site. I put a blanket nat everything coming from the internet to inside interface ip address and we have access to server2................. however it went t1ts up on the local lan which is why I got the above error message.

global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp server1_EXT server1-INT netmask 255.255.255.255
static (inside,outside) tcp server2_EXT server2-INT netmask 255.255.255.255

I need to nat any global ip address to an inside address going to any 192.168.0.0/16 & 172.16.0.0/16 but not 172.17.0.0/16

what do you think?

Hi

Ok, a mate (scott) sorted it for me, he isn't on here so I can't give the rating, but this sorted it.

I was trying to map many to 1 real addresses to 1 mapped address with static NAT

access-list SOURCENAT permit ip 0.0.0.0 0.0.0.0 192.168.9.245 255.255.255.255

nat (outside) 2 access-list SOURCENAT

global (inside) 2 173.17.2.4

cheers kev
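
Added example, not part of any post in this thread: in the pre-8.3 ASA syntax used above, a `nat` rule and a `global` pool are tied together by their shared NAT ID, so a quick audit is to pair them up and list IDs that have only one half. The script below does that for the configurations quoted in the thread; the function name and the combined "after" configuration are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches pre-8.3 "nat (ifc) id ..." and "global (ifc) id ..." lines.
LINE_RE = re.compile(r"^(nat|global)\s+\((\w+)\)\s+(\d+)\s+(.*)$")

# Configuration from the first post.
THREAD_BEFORE = """\
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Assumed combination of the first post with the lines from the last post.
THREAD_AFTER = """\
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-list SOURCENAT permit ip 0.0.0.0 0.0.0.0 192.168.9.245 255.255.255.255
nat (outside) 2 access-list SOURCENAT
global (inside) 2 173.17.2.4
"""

def pair_nat_rules(config):
    """Return (paths, orphan_nat_ids, orphan_global_ids) for a config."""
    nats, pools = defaultdict(list), defaultdict(list)
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # access-list, static and other lines are ignored
        kind, ifc, nat_id, rest = m[1], m[2], int(m[3]), m[4].strip()
        if kind == "nat" and nat_id == 0:
            continue  # nat 0 is an exemption and has no global pool
        (nats if kind == "nat" else pools)[nat_id].append((ifc, rest))
    paths = [(i, real, match, mapped, pool)
             for i in sorted(nats.keys() & pools.keys())
             for real, match in nats[i]
             for mapped, pool in pools[i]]
    return paths, sorted(nats.keys() - pools.keys()), sorted(pools.keys() - nats.keys())

if __name__ == "__main__":
    for name, cfg in (("before", THREAD_BEFORE), ("after", THREAD_AFTER)):
        paths, no_pool, no_nat = pair_nat_rules(cfg)
        for i, real, match, mapped, pool in paths:
            print(f"{name}: id {i}: {real} [{match}] -> {mapped} [{pool}]")
        print(f"{name}: nat without global: {no_pool}; global without nat: {no_nat}")
```

On the first post's configuration this reports `global (inside) 2` as having no matching `nat` rule; with the lines from the last post, ID 2 becomes a complete outside-to-inside translation path.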
