06-10-2008 07:31 PM - edited 03-11-2019 05:57 AM
Hi,
I'm getting the following error message while trying to ping from my management workstation to one of my Cisco PIX interfaces. In between the two devices I have a Cisco ASA which is dropping the traffic, and I can see the following error message in syslog.
I am pinging from 192.168.1.151 to 10.254.231.252.
%ASA-3-305005: No translation group found for icmp src management:192.168.1.151 dst Operators:10.254.231.252 (type 8, code 0)
Here is part of my config:
=======================
interface GigabitEthernet0/2.60
nameif Operators
security-level 100
ip address 10.254.231.254 255.255.255.0
---------------------------------------
interface Management0/0
nameif management
security-level 90
ip address 192.168.1.1 255.255.255.0
global (management) 1 interface
nat (Operators) 1 10.254.231.0 255.255.255.0
nat (Operators) 1 192.168.0.0 255.255.255.0
I don't have any static NAT config on the firewall for these VLANs, but if you want to see the other rules, they are as follows:
static (Operators,PABX) 10.254.231.180 10.254.231.180 netmask 255.255.255.255
static (InterFWInterconnect,Outside) 10.254.224.0 10.254.224.0 netmask 255.255.255.0
Please let me know if you need more config or if you have got any suggestion for me.
06-10-2008 09:18 PM
Hi,
Try with:
static (operators,management) 10.254.231.0 10.254.231.0 netmask 255.255.255.0
I hope this helps.
Best regards.
Massimiliano.
06-10-2008 09:47 PM
Thanks for the quick response... I will configure this NAT statement but wanted to know whether it will cause any problem with any other VLAN traffic? I am a bit cautious, that's the reason I am asking you...
thanks,
06-11-2008 01:38 AM
Can someone help me out please?
Thanks heaps in advance
06-11-2008 01:52 AM
Hi,
I don't know how your network topology is implemented, but the instruction lets your hosts in the operators network be projected onto the management network.
I hope this helps.
Best regards.
Massimiliano.
06-11-2008 02:19 AM
OK, I will implement it and let you know the output...
Again thanks for your help.
06-11-2008 06:09 AM
Hi,
I think that the static statement (static (operators,management) 10.254.231.0 10.254.231.0 netmask 255.255.255.0) will keep the operators network untranslated when hosts inside the operators net communicate with the management net.
To allow management network to communicate with operators net add this rule also :
access-list nonat_mngt permit ip 192.168.1.0 255.255.255.0 10.254.231.0 255.255.255.0
nat (management) 0 access-list nonat_mngt
This rule allows bidirectional communication; if you want unidirectional communication, it should be changed.
The error log message sounds like it's a NAT issue, but if the suggestions don't work, it could be better to send a sanitized configuration of your ASA and a network diagram.
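As an added example (not from the thread), a small Python model of the pre-8.3 nat-control lookup behind this 305005 message, run against a constructed copy of the NAT lines posted above with and without the suggested identity static. It assumes interface names can be compared case-insensitively and leaves nat 0 exemptions out.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread: the syslog line and the NAT lines posted above.
SYSLOG = ("%ASA-3-305005: No translation group found for icmp src management:192.168.1.151 "
          "dst Operators:10.254.231.252 (type 8, code 0)")
CONFIG_BEFORE = """global (management) 1 interface
nat (Operators) 1 10.254.231.0 255.255.255.0
nat (Operators) 1 192.168.0.0 255.255.255.0
"""
# Same config plus the identity static suggested in the thread.
CONFIG_AFTER = CONFIG_BEFORE + "static (Operators,management) 10.254.231.0 10.254.231.0 netmask 255.255.255.0\n"

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_305005(line):
    """Return (src_if, src_ip, dst_if, dst_ip); nameifs lower-cased (assumption, the thread mixes cases)."""
    m = re.search(r"src (\S+):(\S+) dst (\S+):(\S+)", line)
    return (m.group(1).lower(), ipaddress.ip_address(m.group(2)),
            m.group(3).lower(), ipaddress.ip_address(m.group(4)))

def has_translation(config, src_if, src_ip, dst_if, dst_ip):
    """Simplified nat-control lookup for a packet entering src_if and leaving on dst_if.
    Matches either 'nat (src_if) N' + 'global (dst_if) N' (dynamic NAT/PAT) or a
    'static (dst_if,src_if) mapped real' covering dst_ip. 'nat 0' exemptions are not modelled."""
    nats, globals_, statics = [], set(), []
    for line in config.splitlines():
        if m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            if m.group(2) != "0":  # skip nat 0 exemption lines
                nats.append((m.group(1).lower(), m.group(2), net(m.group(3), m.group(4))))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            globals_.add((m.group(1).lower(), m.group(2)))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line):
            # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
            statics.append((m.group(1).lower(), m.group(2).lower(), net(m.group(3), m.group(5))))
    for iface, nat_id, real_net in nats:
        if iface == src_if and src_ip in real_net and (dst_if, nat_id) in globals_:
            return True
    for real_if, mapped_if, mapped_net in statics:
        if real_if == dst_if and mapped_if == src_if and dst_ip in mapped_net:
            return True
    return False

def diagnose(config, syslog_line):
    """True if the flow named in the 305005 message finds a translation under config."""
    return has_translation(config, *parse_305005(syslog_line))

if __name__ == "__main__":
    print("before:", diagnose(CONFIG_BEFORE, SYSLOG))  # False: no translation, hence the 305005
    print("after: ", diagnose(CONFIG_AFTER, SYSLOG))   # True: identity static covers 10.254.231.0/24
```

The reverse flow (Operators to management) already finds the dynamic PAT via nat id 1, which is why only the management-to-Operators direction logs 305005.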
06-11-2008 05:32 PM
Hi,
Here I have attached the network diagram; for security reasons I have removed a few tags and IP addresses, but you can see my management workstation and the destination IP address I am trying to ping. Please also find the attached config file, but as usual I have removed a few things from it as well...
Let me know if you need more details.
06-12-2008 01:40 AM
Hi
When you are trying to access any resources from your management interface (whose security level is 90) to your operator interface (whose security level is 100), you need to have two things:
1. A static NAT between the operators and management interfaces.
2. An access-list allowing the appropriate traffic (e.g. icmp, ip, tcp; select whichever you want to allow) from the management network to the operator network, bound to the management interface using the access-group command.
Regards,
Archana.
06-12-2008 06:18 AM
Hi,
Please try the following configuration:
1. You should have a statement authorizing ICMP from management to operators in the management_access_in access-list.
2. You can also add the following statements:
static (management,operators) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list nonat permit ip 10.254.231.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
3. In the default policy-map, add inspect icmp.
Best regards
06-12-2008 07:40 PM
I will try this and let you know about it soon... So do you also want me to write an access-list on the management interface, is that right? And I will type in your given static NAT statement.
06-13-2008 05:38 AM
Hi,
In fact, I read that you have an access-group applied to your management interface, so in this case I would ensure that the returning ICMP traffic will be authorized.
Another method is to add inspect icmp in the default policy-map.