Problem configuring a simple NAT exemption

gamorr50265_AHM · ‎03-18-2013

I am receiving the following error in my ASA syslog

%ASA-7-609001: Built local-host DMZHandoff:x.x.x.1

%ASA-3-305005: No translation group found for tcp src DMZHandoff:x.x.x.1/21920 dst Core_Handoff:y.y.y.2/443

%ASA-6-106015: Deny TCP (no connection) from x.x.x.1/21920 to y.y.y.2/443 flags RST ACK on interface DMZHandoff

so I created a simple NAT exemption configuration that I thought would resolve the error. The complete configuration is:

access-list DMZHandoff-NAT-Exempt permit ip host x.x.x.1 any

nat (DMZHandoff) 0 access-list DMZHandoff-NAT-Exempt

I am still getting the same error. This seems pretty straightforward to me. Can someone point out what I'm doing wrong?

Thanks! Glenn

Jouni Forss · ‎03-18-2013

Hi,

As you say, one would expect that if you have specifically configured a rule for this traffic that you wouldnt see this Syslog message anymore.

Can you check that the "packet-tracer" says for the traffic in question?

packet-tracer input DMZHandoff tcp 443

Just to see what the ASA really says.

Are you absolutely sure that you didnt make any typo in the source IP address. (As we cant really see the exact configuration)

- Jouni

gamorr50265_AHM · ‎03-18-2013

Jouni; Thanks, I should have tried packet tracer first before posting! It shows the packet is being dropped due to rpf-check error. I'll track that down and repost if it doesn't fix the problem.

Glenn