08-23-2007 11:28 PM - edited 03-11-2019 04:02 AM
Hi,
I am getting the following error despite having the configs right. Can someone help ?
I have a Domain controller in DMZ trying to talk to the Inside Domain controller.
The error is -
"No translation group found" Source is from one of the Inside Domain controllers
My ACLS are also fine from DMZ to Inside & from Inside to DMZ.
My config is below
access-list NO-NAT-INSIDE extended permit ip 10.0.0.0 255.0.0.0 10.100.33.0 255.255.255.0
access-list NO-NAT-DMZ extended permit ip 10.100.33.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VPN_ACL remark ### STATIC NAT ACL FOR C2B VPN ###
access-list VPN_ACL extended permit udp any any eq isakmp
access-list VPN_ACL extended permit esp any any
access-list VPN_ACL extended permit gre any any
access-list VPN_ACL extended permit ah any any
access-list VPN_ACL extended permit udp any any eq 4500
access-list VPN_ACL extended permit tcp any any eq pptp
access-list VPN_ACL extended permit udp any any eq 10001
access-list VPN_ACL extended permit udp any any eq 3003
access-list VPN_ACL extended permit tcp any any eq 500
access-list VPN_ACL extended permit udp any any eq 17
access-list VPN_ACL extended permit udp any any eq 1701
access-list VPN_ACL extended permit udp any any eq 45000
access-list VPN_ACL extended permit udp any any eq 10000
IP of DMZ Interface 10.100.0.1 255.255.255.0
IP of INSIDE Interface 10.200.0.1 255.255.255.0
nat-control
global (OUTSIDE) 1 100.X.X.51-100.X.X.79
global (OUTSIDE) 2 100.X.X.100
nat (DMZ) 0 access-list NO-NAT-DMZ
nat (INSIDE) 0 access-list NO-NAT-INSIDE
nat (INSIDE) 1 access-list VPN_ACL
nat (INSIDE) 2 10.0.0.0 255.0.0.0
08-24-2007 02:14 AM
Please clarify the source and destination addresses. According to your NO-NAT-INSIDE access list the destination traffic is 10.100.33.0 255.255.255.0 yet the IP of the DMZ interface is 10.100.0.1 255.255.255.0. If the DMZ network is in the same subnet as the destination then you will need to change or add to your access list to reflect this.
In addition, NAT exemption (NAT 0 access-list) allows bidirectional traffic to be NAT'd, which means you only need a NAT 0 access-list command on the interface with the higher security level. You should remove the NAT 0 on the interface with the lower security level if it is not needed for anything else.
08-24-2007 05:35 AM
Sorry. IP of the DMZ interface is 10.100.33.1 255.255.255.0
If I remove the NAT 0 from the inside interface, won't the outgoing packets from inside to the NAT interface get NAT'd due to the following command?
global (OUTSIDE) 2 100.X.X.100
nat (INSIDE) 2 10.0.0.0 255.0.0.0
08-24-2007 03:50 PM
I am assuming the DMZ interface has a lower security level than the inside interface.
If this is true then you should remove the NAT 0 from the DMZ interface. According to the NAT order of operations NAT exemption (NAT 0 access-list) is preferred over Dynamic NAT. This is the NAT Order of Operations...
Order of NAT Commands Used to Match Real Addresses
The security appliance matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list): In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static): In order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT (nat access-list): In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT (nat): Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.
If you configure multiple global statements on the same NAT ID, the global statements are used in this order:
1. No global if using nat 0 (identity NAT).
2. Dynamic NAT global.
3. PAT global.
Hope this helps!
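To make the order of operations above concrete, here is a small Python model (an added example, not part of this thread or of any Cisco tool) that walks the four categories in the documented order against rules mirroring the poster's INSIDE configuration. It simplifies each ACL to a single entry, and the `nat (INSIDE) 3 10.200.0.0/24` rule is constructed only to show the "best match" behaviour of category 4.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Model of the ASA 7.x NAT match order quoted in the post (constructed example, not from
# the thread). kind: 0 = exemption (nat 0 access-list), 1 = static, 2 = policy dynamic
# (nat <id> access-list), 3 = regular dynamic (nat <id> <network>).
@dataclass
class NatRule:
    kind: int
    iface: str
    nat_id: int
    real: ipaddress.IPv4Network
    dest: Optional[ipaddress.IPv4Network] = None  # ACL destination (kinds 0 and 2)
    proto: Optional[str] = None                   # ACL protocol (kind 2); None means ip
    port: Optional[int] = None

def match_nat(rules, iface, src, dst, proto="ip", port=None):
    """Return the NAT rule the appliance would pick for one flow, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def acl_hits(r):
        fwd = src in r.real and (r.dest is None or dst in r.dest)
        if r.kind == 0:  # exemption is bidirectional: the return direction matches too
            return fwd or (dst in r.real and r.dest is not None and src in r.dest)
        if not fwd or r.iface != iface:
            return False
        return r.proto in (None, "ip") or (r.proto == proto and r.port in (None, port))

    for kind in (0, 1, 2):  # categories 1-3: first match in configuration order
        for r in rules:
            if r.kind == kind and acl_hits(r):
                return r
    # category 4: best match (longest real prefix); configuration order is irrelevant
    cands = [r for r in rules if r.kind == 3 and r.iface == iface and src in r.real]
    return max(cands, key=lambda r: r.real.prefixlen, default=None)

N = ipaddress.ip_network
THREAD_RULES = [  # mirrors the poster's INSIDE rules; nat_id 3 is constructed for "best match"
    NatRule(0, "INSIDE", 0, N("10.0.0.0/8"), dest=N("10.100.33.0/24")),  # NO-NAT-INSIDE
    NatRule(2, "INSIDE", 1, N("0.0.0.0/0"), dest=N("0.0.0.0/0"), proto="udp", port=500),  # VPN_ACL
    NatRule(3, "INSIDE", 2, N("10.0.0.0/8")),      # nat (INSIDE) 2 10.0.0.0 255.0.0.0
    NatRule(3, "INSIDE", 3, N("10.200.0.0/24")),   # constructed, more specific regular NAT
]

if __name__ == "__main__":
    print(match_nat(THREAD_RULES, "INSIDE", "10.200.0.5", "10.100.33.10").kind)  # 0: exempt
    print(match_nat(THREAD_RULES, "DMZ", "10.100.33.10", "10.200.0.5").kind)     # 0: return path
    print(match_nat(THREAD_RULES, "INSIDE", "10.200.0.5", "198.51.100.7", "tcp", 80).nat_id)  # 3
```

The second call shows why the DMZ-side nat 0 is redundant: the INSIDE exemption already covers the return direction, while outbound traffic that misses both the exemption and the VPN_ACL policy falls through to the most specific regular dynamic NAT.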
08-24-2007 10:34 PM
Because NAT exemption is bidirectional and the first match against any criteria, it will be the first NAT chosen. In addition, the global you specified is on the outside interface and will not come into play with traffic between the DMZ and INSIDE interfaces.