02-25-2010 03:17 PM - edited 03-11-2019 10:15 AM
I have an ASA 5520 firewall running in single context router mode.
I.e., a single routed firewall.
Interface TAPPY, IP 192.168.1.1/24
Interface INSIDE, IP 10.0.0.1/24
Host 192.168.1.6/24 (on TAPPY interface) needs to communicate with host 10.0.0.2/24 (on INSIDE interface)
Host 10.0.0.2 must receive packets that appear as if they came from the firewall's address.
When I set up a static NAT, I continue to receive this error message:
No translation group found for tcp src TAPPY:192.168.1.6/2345 dst INSIDE:10.0.0.2/4444
Cisco’s explanation is:
A packet does not match any of the outbound NAT command rules.
My cli NAT command is:
STATIC (INSIDE,TAPPY) 192.168.1.6 host 10.0.0.2 netmask 255.255.255.255
I know I have something configured incorrectly but cannot figure it out.
ANY help would be greatly appreciated.
Tks
Frank
02-25-2010 03:29 PM
You need to have
nat (TAPPY) 50 192.168.1.6 255.255.255.255 outside
global (INSIDE) 50 interface
The above will translate the TAPPY IP address and make it look like it was coming from the inside interface IP.
static (INSIDE,TAPPY) 10.0.0.2 10.0.0.2 netmask 255.255.255.255
This will provide identity translation for the inside hosts when they go to the TAPPY to look like themselves.
With the above lines you can only initiate traffic from the TAPPY to the INSIDE.
P.S. I am assuming TAPPY has a lower security level than the INSIDE.
-KS
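The original static next to the configuration from this reply, followed by verification commands, as an added example that is not part of the original posts. Interface names, addresses and ports are the ones given in the thread; the pre-8.3 NAT syntax used in the thread is assumed.

```cisco
! Original attempt (as posted): a static is written
!   static (real_if,mapped_if) mapped_ip real_ip
! so this presents INSIDE host 10.0.0.2 on TAPPY as 192.168.1.6.
! It does nothing to the source address of traffic from 192.168.1.6.
! STATIC (INSIDE,TAPPY) 192.168.1.6 host 10.0.0.2 netmask 255.255.255.255

! Remove the original static before applying the working set.
no static (INSIDE,TAPPY) 192.168.1.6 10.0.0.2 netmask 255.255.255.255

! Outside NAT: source-translate the TAPPY host as it crosses to INSIDE.
nat (TAPPY) 50 192.168.1.6 255.255.255.255 outside
! PAT pool 50 is the INSIDE interface address (10.0.0.1).
global (INSIDE) 50 interface
! Identity static so 10.0.0.2 is reachable on TAPPY under its own address.
static (INSIDE,TAPPY) 10.0.0.2 10.0.0.2 netmask 255.255.255.255

! Flush stale translations so the new rules take effect.
clear xlate

! Replay the flow from the logged error through the NAT and ACL phases.
packet-tracer input TAPPY tcp 192.168.1.6 2345 10.0.0.2 4444

! After real traffic, confirm a PAT entry mapping 192.168.1.6 to 10.0.0.1.
show xlate
```

Because the TAPPY host is hidden behind PAT, the translation entry exists only for flows it starts, which is why the rule set is one-directional.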
02-27-2010 09:19 AM
Hi Kusankar,
THANK YOU!!!!!!
This solved my issue completely... and my non-technical folks are VERY happy!!!!
And yes your assumption of TAPPY having a lower security level than INSIDE was correct.
Communication can only be initiated from a host on TAPPY.
What if I needed a host on INSIDE to initiate communication to a host on TAPPY?
Since INSIDE has a higher security level than TAPPY, seems there should not be a problem - RIGHT?
Now that I (we) have this working, I have time to read more of the ASA configuration guide for future issues.
It's folks like you that make this Group Discussion work.
Thanks again!!
Frank
02-27-2010 09:22 AM
Very glad to hear. Rate the post that helps.
Kudos to you. The problem description (except the missing security level) was very clear.
Inside, even though on a higher-security interface, cannot initiate because the TAPPY host is now behind a PAT (port address translation).
You will, however, be able to initiate connections to other hosts in TAPPY from the inside.
-KS