03-18-2013 11:30 AM - edited 03-11-2019 06:15 PM
I am receiving the following error in my ASA syslog:
%ASA-7-609001: Built local-host DMZHandoff:x.x.x.1
%ASA-3-305005: No translation group found for tcp src DMZHandoff:x.x.x.1/21920 dst Core_Handoff:y.y.y.2/443
%ASA-6-106015: Deny TCP (no connection) from x.x.x.1/21920 to y.y.y.2/443 flags RST ACK on interface DMZHandoff
So I created a simple NAT exemption configuration that I thought would resolve the error. The complete configuration is:
access-list DMZHandoff-NAT-Exempt permit ip host x.x.x.1 any
nat (DMZHandoff) 0 access-list DMZHandoff-NAT-Exempt
I am still getting the same error. This seems pretty straightforward to me. Can someone point out what I'm doing wrong?
Thanks! Glenn
03-18-2013 11:37 AM
Hi,
As you say, one would expect that if you have specifically configured a rule for this traffic, you wouldn't see this Syslog message anymore.
Can you check what the "packet-tracer" says for the traffic in question?
packet-tracer input DMZHandoff tcp
Just to see what the ASA really says.
Are you absolutely sure that you didn't make any typo in the source IP address? (As we can't really see the exact configuration.)
- Jouni
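The flow to trace can be read straight out of the 305005 message. The following is an added example, not code from the thread participants: it turns 305005 syslog lines into the matching `packet-tracer input <interface> <protocol> <src ip> <src port> <dst ip> <dst port>` command. The function name is hypothetical and the sample lines are constructed with documentation addresses in place of the masked ones.

```python
import re

# %ASA-3-305005 layout as it appears in the thread:
#   No translation group found for <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port>
MSG_305005 = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>tcp|udp) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+)"
)


def packet_tracer_commands(log_lines):
    """Return one packet-tracer command per distinct flow that logged 305005."""
    seen = set()
    commands = []
    for line in log_lines:
        m = MSG_305005.search(line)
        if not m:
            continue  # other message IDs (609001, 106015, ...) are ignored
        # Source ports are ephemeral, so de-duplicate on everything but src_port
        key = (m["src_if"], m["proto"], m["src_ip"], m["dst_ip"], m["dst_port"])
        if key in seen:
            continue
        seen.add(key)
        commands.append(
            f"packet-tracer input {m['src_if']} {m['proto']} "
            f"{m['src_ip']} {m['src_port']} {m['dst_ip']} {m['dst_port']}"
        )
    return commands


# Constructed sample: same shape as the thread's messages, documentation addresses
SAMPLE = [
    "%ASA-7-609001: Built local-host DMZHandoff:192.0.2.1",
    "%ASA-3-305005: No translation group found for tcp src DMZHandoff:192.0.2.1/21920 dst Core_Handoff:198.51.100.2/443",
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.1/21920 to 198.51.100.2/443 flags RST ACK on interface DMZHandoff",
    "%ASA-3-305005: No translation group found for tcp src DMZHandoff:192.0.2.1/21921 dst Core_Handoff:198.51.100.2/443",
]

if __name__ == "__main__":
    for cmd in packet_tracer_commands(SAMPLE):
        print(cmd)
```

Repeated hits for the same destination with a new ephemeral source port collapse into a single command, so a noisy log yields one trace per flow.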
03-18-2013 11:48 AM
Jouni; Thanks, I should have tried packet tracer first before posting! It shows the packet is being dropped due to rpf-check error. I'll track that down and repost if it doesn't fix the problem.
Glenn