PING is getting drop on ASA firewall.

pannu3679 (Level 1)

Hi,

I'm getting the following error message while trying to ping from my management workstation to one of my Cisco PIX interfaces. But in between the two devices I have a Cisco ASA which is dropping the traffic, and I can see the following error message in the syslog.

I am pinging from 192.168.1.151 to 10.254.231.252.

%ASA-3-305005: No translation group found for icmp src management:192.168.1.151 dst Operators:10.254.231.252 (type 8, code 0)

Here is my half config:

=======================
interface GigabitEthernet0/2.60
 nameif Operators
 security-level 100
 ip address 10.254.231.254 255.255.255.0
---------------------------------------
interface Management0/0
 nameif management
 security-level 90
 ip address 192.168.1.1 255.255.255.0

global (management) 1 interface
nat (Operators) 1 10.254.231.0 255.255.255.0
nat (Operators) 1 192.168.0.0 255.255.255.0

I don't have any static NAT config on the firewall for these VLANs, but if you want to see the other rules, they are as follows:

static (Operators,PABX) 10.254.231.180 10.254.231.180 netmask 255.255.255.255

static (InterFWInterconnect,Outside) 10.254.224.0 10.254.224.0 netmask 255.255.255.0

Please let me know if you need more config or if you have any suggestions for me.
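As an added example (not from any post in this thread), the following Python parses %ASA-3-305005 "No translation group found" syslog messages like the one above, classifies each dropped flow using the interface security levels from the posted config, and counts misses per interface pair so the missing NAT entry stands out in a log feed. The first sample line is the message from the post; the other two lines are constructed.

```python
import re
from collections import Counter

# Security levels from the posted config; management (90) -> Operators (100) is lower-to-higher.
SECURITY_LEVELS = {"management": 90, "Operators": 100}

# Format of %ASA-3-305005: optional /port for TCP/UDP, optional (type, code) for ICMP.
NAT_MISS_RE = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)

def parse_nat_miss(line):
    """Return the fields of a 305005 message, or None for any other syslog line."""
    m = NAT_MISS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "icmp_type", "icmp_code"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    # Classify the direction so it is clear which NAT form is missing.
    src_lvl, dst_lvl = SECURITY_LEVELS.get(rec["src_if"]), SECURITY_LEVELS.get(rec["dst_if"])
    if src_lvl is None or dst_lvl is None:
        rec["direction"] = "unknown"
    elif src_lvl < dst_lvl:
        rec["direction"] = "lower-to-higher"  # needs static/identity NAT or nat 0
    else:
        rec["direction"] = "higher-to-lower"  # needs nat/global or nat 0 on the source side
    return rec

def summarize(lines):
    """Count NAT misses per (src_if, dst_if, direction) so the missing rule stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_nat_miss(line)
        if rec:
            counts[(rec["src_if"], rec["dst_if"], rec["direction"])] += 1
    return counts

# Constructed sample: first line is the message from the post, the other two are made up.
SAMPLE_LOG = [
    "%ASA-3-305005: No translation group found for icmp src management:192.168.1.151 "
    "dst Operators:10.254.231.252 (type 8, code 0)",
    "%ASA-3-305005: No translation group found for tcp src management:192.168.1.151/51234 "
    "dst Operators:10.254.231.252/22",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 10.254.231.180/0 gaddr ...",
]
```

Running summarize(SAMPLE_LOG) reports two lower-to-higher misses from management to Operators, which is exactly the flow the replies below address with a static or nat 0 entry.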


Hi,

Try with:

static (operators,management) 10.254.231.0 10.254.231.0 netmask 255.255.255.0

I hope this helps.

Best regards.

Massimiliano.

Thanks for the quick response... I will configure this NAT statement but wanted to know whether it will cause any problem with any other VLAN traffic? I am a bit cautious, that's the reason I am asking you...

thanks,

Can someone help me out please?

Thanks heaps in advance

Hi,

I don't know how your network topology is implemented, but the instruction lets your hosts in the operators network be projected onto the management network.

I hope this helps.

Best regards.

Massimiliano.

OK, I will implement it and let you know the output...

Again thanks for your help.

Hi,

I think that the static statement (static (operators,management) 10.254.231.0 10.254.231.0 netmask 255.255.255.0) will keep the operators network untranslated when hosts inside the operators net communicate with the management net.

To allow the management network to communicate with the operators net, add this rule also:

access-list nonat_mngt permit ip 192.168.1.0 255.255.255.0 10.254.231.0 255.255.255.0
nat (management) 0 access-list nonat_mngt

This rule allows bidirectional communication; if you want unidirectional communication, it should change.

The error log message suggests that it's a NAT issue, but if the suggestions don't work, it would be better to send a sanitized configuration of your ASA and a network diagram.

Hi,

Here I have attached the network diagram, but for security reasons I have removed a few tags and IP addresses; you can still see my management workstation and the destination IP address I am trying to ping. Please also find the attached config file, but as usual I removed a few things from it as well...

Let me know if you need more details:

marchanamendon (Level 1)

Hi

When you are trying to access any resources from your management interface (whose security level is 90) to your operator interface (whose security level is 100), you need to have two things:

1. Static NAT between the operators and management interfaces.

2. An access-list allowing the appropriate traffic (e.g. icmp, ip, tcp; select whichever you want to allow) from the management network to the operator network, bound to the management interface using the access-group command.

Regards,

Archana.

Hi,

Please try the following configuration:

1. You should have a statement authorizing ICMP from management to operators in the management_access_in access-list.

2. You can also add the following statements:

static (management,operators) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list nonat permit ip 10.254.231.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (operators) 0 access-list nonat

3. In the default policy-map, add inspect icmp.

Best regards

I will try this and let you know about it soon... So do you also want me to write an access-list on the management interface, is that right? And I will type in your given static NAT statement.

Hi,

In fact, I read that you have an access-group applied to your management interface, so in this case I would ensure that returning ICMP traffic will be authorized.

Another method is to add inspect icmp in the default policy-map.
