Strange issue - "No translation group found" Error

anandramapathy
Level 3

Hi,

I am getting the following error despite having the configs right. Can someone help?

I have a Domain controller in DMZ trying to talk to the Inside Domain controller.

The error is -

"No translation group found" Source is from one of the Inside Domain controllers

My ACLs are also fine from DMZ to Inside & from Inside to DMZ.

My config is below

access-list NO-NAT-INSIDE extended permit ip 10.0.0.0 255.0.0.0 10.100.33.0 255.255.255.0

access-list NO-NAT-DMZ extended permit ip 10.100.33.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list VPN_ACL remark ### STATIC NAT ACL FOR C2B VPN ###

access-list VPN_ACL extended permit udp any any eq isakmp

access-list VPN_ACL extended permit esp any any

access-list VPN_ACL extended permit gre any any

access-list VPN_ACL extended permit ah any any

access-list VPN_ACL extended permit udp any any eq 4500

access-list VPN_ACL extended permit tcp any any eq pptp

access-list VPN_ACL extended permit udp any any eq 10001

access-list VPN_ACL extended permit udp any any eq 3003

access-list VPN_ACL extended permit tcp any any eq 500

access-list VPN_ACL extended permit udp any any eq 17

access-list VPN_ACL extended permit udp any any eq 1701

access-list VPN_ACL extended permit udp any any eq 45000

access-list VPN_ACL extended permit udp any any eq 10000

IP of DMZ Interface 10.100.0.1 255.255.255.0

IP of INSIDE Interface 10.200.0.1 255.255.255.0

nat-control

global (OUTSIDE) 1 100.X.X.51-100.X.X.79

global (OUTSIDE) 2 100.X.X.100

nat (DMZ) 0 access-list NO-NAT-DMZ

nat (INSIDE) 0 access-list NO-NAT-INSIDE

nat (INSIDE) 1 access-list VPN_ACL

nat (INSIDE) 2 10.0.0.0 255.0.0.0

4 Replies

miclulich
Level 1

Please clarify the source and destination addresses. According to your NO-NAT-INSIDE access list the destination traffic is 10.100.33.0 255.255.255.0 yet the IP of the DMZ interface is 10.100.0.1 255.255.255.0. If the DMZ network is in the same subnet as the destination then you will need to change or add to your access list to reflect this.

In addition, NAT exemption (NAT 0 access-list) allows bidirectional traffic to be NAT'd. This means you only need a NAT 0 access-list command on the interface with the higher security level. You should remove the NAT 0 on the interface with the lower security level if it is not needed for anything else.

Sorry. IP of the DMZ interface is 10.100.33.1 255.255.255.0

If I remove the NAT 0 from the inside interface, won't the outgoing packets from inside to the NAT interface get NAT'd due to the following command?

global (OUTSIDE) 2 100.X.X.100

nat (INSIDE) 2 10.0.0.0 255.0.0.0

I am assuming the DMZ interface has a lower security level than the inside interface.

If this is true then you should remove the NAT 0 from the DMZ interface. According to the NAT order of operations NAT exemption (NAT 0 access-list) is preferred over Dynamic NAT. This is the NAT Order of Operations...

Order of NAT Commands Used to Match Real Addresses

The security appliance matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list): In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static): In order, until the first match. Static identity NAT is included in this category.

3. Policy dynamic NAT (nat access-list): In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat): Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the security appliance.

If you configure multiple global statements on the same NAT ID, the global statements are used in this order:

1. No global if using nat 0 (identity NAT).

2. Dynamic NAT global.

3. PAT global.

Hope this helps!

Because NAT exemption is bidirectional and is the first match against any criteria, it will be the first NAT chosen. In addition, the global you specified is on the outside interface and will not come into play with traffic between the DMZ and INSIDE interfaces.
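The matching order quoted in the reply above, and the point that the OUTSIDE globals never apply to INSIDE/DMZ traffic, can be checked with a small simulation. This is an added example, not code from the thread or from Cisco: it encodes the nat/global lines from the original post (VPN_ACL shortened to three entries, the globals kept with their masked values), walks the four categories in the documented order, and then pairs the winning nat id with a global on the egress interface. The addresses 10.200.0.5, 10.100.33.10 and 198.51.100.10 are constructed test hosts; the rule that a matched nat id with no global on the egress interface yields no translation (the "No translation group found" condition under nat-control) is the model's assumption, and static NAT is skipped because the posted config has none.

```python
from ipaddress import ip_address, ip_network

# ACL entries as (protocol, source net, destination net, destination port or None).
# Mirrors the access-lists in the original post; VPN_ACL is abbreviated to three lines.
ACLS = {
    "NO-NAT-INSIDE": [("ip", "10.0.0.0/8", "10.100.33.0/24", None)],
    "NO-NAT-DMZ": [("ip", "10.100.33.0/24", "10.0.0.0/8", None)],
    "VPN_ACL": [
        ("udp", "0.0.0.0/0", "0.0.0.0/0", 500),   # isakmp
        ("esp", "0.0.0.0/0", "0.0.0.0/0", None),
        ("udp", "0.0.0.0/0", "0.0.0.0/0", 4500),  # NAT-T
    ],
}

# nat statements per interface, in configuration order:
#   ("exempt", acl, 0)       = nat (if) 0 access-list
#   ("policy", acl, id)      = nat (if) id access-list
#   ("dynamic", real net, id) = nat (if) id net mask
NAT = {
    "INSIDE": [
        ("exempt", "NO-NAT-INSIDE", 0),
        ("policy", "VPN_ACL", 1),
        ("dynamic", "10.0.0.0/8", 2),
    ],
    "DMZ": [("exempt", "NO-NAT-DMZ", 0)],
}

# global (if) id pool; only OUTSIDE has globals in the posted config (values masked as posted).
GLOBALS = {("OUTSIDE", 1): "100.X.X.51-100.X.X.79", ("OUTSIDE", 2): "100.X.X.100"}


def acl_matches(acl_name, proto, src, dst, dport):
    """First-match evaluation of one ACL; 'ip' entries match any protocol."""
    for aproto, snet, dnet, aport in ACLS[acl_name]:
        if aproto != "ip" and aproto != proto:
            continue
        if src not in ip_network(snet) or dst not in ip_network(dnet):
            continue
        if aport is not None and aport != dport:
            continue
        return True
    return False


def pair_with_global(category, nid, egress, globals_):
    """A nat id only produces a translation if a global with the same id exists on the
    egress interface. Model assumption: otherwise, with nat-control on, the flow has no
    translation group (the condition behind the error in the thread title)."""
    pool = globals_.get((egress, nid))
    if pool is None:
        return ("no-translation-group", nid, None)
    return (category, nid, pool)


def select_nat(ingress, egress, proto, src, dst, dport=None, nat=NAT, globals_=GLOBALS):
    """Return (category, nat id, global pool) for one flow, following the documented order."""
    src, dst = ip_address(src), ip_address(dst)
    rules = nat.get(ingress, [])
    # 1. NAT exemption: in order, first match. It is bidirectional, so an exemption on
    #    the egress interface written for the reverse flow also covers this flow.
    for kind, acl, _ in rules:
        if kind == "exempt" and acl_matches(acl, proto, src, dst, dport):
            return ("exemption", 0, None)
    for kind, acl, _ in nat.get(egress, []):
        if kind == "exempt" and acl_matches(acl, proto, dst, src, None):
            return ("exemption", 0, None)
    # 2. Static NAT / static PAT would be checked here; the posted config has none.
    # 3. Policy dynamic NAT: in order, first match.
    for kind, acl, nid in rules:
        if kind == "policy" and acl_matches(acl, proto, src, dst, dport):
            return pair_with_global("policy", nid, egress, globals_)
    # 4. Regular dynamic NAT: best (most specific) match; configuration order is irrelevant.
    best = None
    for kind, real, nid in rules:
        if kind == "dynamic":
            net = ip_network(real)
            if src in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nid)
    if best is not None:
        return pair_with_global("dynamic", best[1], egress, globals_)
    return ("no-translation-group", None, None)


if __name__ == "__main__":
    # Constructed hosts: an inside DC, a DMZ DC, and an outside peer (TEST-NET-2).
    print(select_nat("INSIDE", "DMZ", "tcp", "10.200.0.5", "10.100.33.10", 445))
    print(select_nat("INSIDE", "OUTSIDE", "tcp", "10.200.0.5", "198.51.100.10", 443))
    no_exempt = {"INSIDE": [r for r in NAT["INSIDE"] if r[0] != "exempt"]}
    print(select_nat("INSIDE", "DMZ", "tcp", "10.200.0.5", "10.100.33.10", 445, nat=no_exempt))
```

The first call shows why the exemption wins for INSIDE to DMZ even though `nat (INSIDE) 2 10.0.0.0 255.0.0.0` also covers the source: category 1 is evaluated before category 4. Passing a table with only the INSIDE exemption reproduces the advice that a single `nat 0 access-list` on the higher-security interface suffices, and stripping the exemptions entirely shows the dynamic rule matching but finding no `global (DMZ) 2`, which is the state the model reports as no translation group.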
