
NAT problem

caliber01
Level 1

Hi All,

I have been stuck with a NAT problem. It gives me an error on my ASA, like this:

No translation group found for icmp src fugen-dmz:172.16.2.253 dst outside:4.2.2.2 (type 8, code 0)

These hosts are coming from interface ethernet0/3 (named as fg-idsys) on my ASA, but here it says it comes from ethernet 0/2 (named as fugen-dmz).

When I look at my security levels, eth0/3 is higher than eth0/2. I think it probably falls to the lower security level to reach outside.

The hosts connected to the eth0/2 are able to reach outside.

Attached are my NAT configs.

Let me know what is missing in the NAT configuration.

NAT show outputs


Mohamed Sobair
Level 7

Hi,

Why does the NAT of (fg-idsys) show:

nat (fg-idsys) 1 0.0.0.0 0.0.0.0

This means it doesn't match anything.

Could you clarify your NAT config?

HTH

Mohamed

Hi,

I have now changed that to

nat (fg-idsys) 1 172.16.0.0 255.255.0.0

Mohamed Sobair
Level 7

Hi Caliber,

Great to be of help.

The normal security level for the LAN is 100, and this shouldn't affect any NAT operation.

HTH

Mohamed

I agree with it. Security level doesn't affect NAT.

But I am wondering why the error message on my ASA shows like this:

No translation group found for icmp src fugen-dmz:172.16.2.253 dst outside:4.2.2.2

If you look at the error, it shows src fugen-dmz, but actually the hosts are connected to fg-idsys.

Four interfaces in the ASA

----------------------

eth0/0 - outside with public IP address, security level 0

eth0/1 - Internal, security level 100, LAN

eth0/2 - DMZ (named as fugen-dmz), security level 50

eth0/3 - Named as fg-idsys, security level 70

I want some of my hosts to reach the outside interface through the fg-idsys interface.

I am able to ping from the hosts to the fg-idsys interface (and vice versa), but they were not able to reach the internet.

The hosts that were connected to fugen-dmz and internal were able to go outside and able to get internet.

Mohamed Sobair
Level 7

Hi caliber,

Have you configured an access-list or associated the interface subnet with the NAT pool?

Could you double check?

HTH

Mohamed

I haven't created any ACLs for this.

I'm sure something is missing in my NAT config. I wasn't able to find it.

I have configured PAT.

Mohamed Sobair
Level 7

Hi,

Could you post the full config?

Regards,

Why not... here it comes.

Mohamed Sobair
Level 7

Hi,

Please double check the IP address at interface (fg-idsys); I think it should be changed to be within the 172.16.x.x subnet.

Also add the following:

nat (fg-idsys) 1 access-list fg-idsys

You already have an ACL that permits the pool to any destination, but it is not associated with it.

HTH

Mohamed

Hi

I have changed the IP address of fg-idsys to 172.16.0.1

and also applied the suggested NAT config on the ASA,

like this:

nat (fg-idsys) 1 access-list fg-idsys

but still the error message is the same and they were not able to reach outside.
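
An added example, not written by any poster in this thread and not taken from the attached config: a small Python check that reads the "No translation group found" line quoted above and looks for a matching `nat`/`global` pair on the ingress and egress interfaces the ASA names in it. The config text is constructed (only the `nat (fg-idsys)` line appears in the thread), and the model is simplified to network/mask `nat` rules in the pre-8.3 syntax used here.

```python
import ipaddress
import re

# Log line exactly as quoted in the thread.
LOG = ("No translation group found for icmp src fugen-dmz:172.16.2.253 "
       "dst outside:4.2.2.2 (type 8, code 0)")

# Constructed sample config: the thread's attachment is not shown. Only the
# fg-idsys nat line appears in the thread; the other two lines are assumptions.
CONFIG = """\
nat (fg-idsys) 1 172.16.0.0 255.255.0.0
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
"""

LOG_RE = re.compile(r"No translation group found for \S+ "
                    r"src ([^:\s]+):([\d.]+)\S* dst ([^:\s]+):([\d.]+)")
NAT_RE = re.compile(r"^nat \(([^)]+)\) (\d+) ([\d.]+) ([\d.]+)", re.M)
GLOBAL_RE = re.compile(r"^global \(([^)]+)\) (\d+) ", re.M)


def parse_log(line):
    """Return ingress interface, source IP and egress interface from the message."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a 'No translation group found' message")
    return {"src_if": m.group(1), "src_ip": ipaddress.ip_address(m.group(2)),
            "dst_if": m.group(3)}


def diagnose(line, config):
    """Check for a nat/global pair on the interfaces named in the message."""
    ev = parse_log(line)
    # Only network/mask nat rules are modelled; "nat ... access-list",
    # nat 0 and static entries are ignored in this simplified check.
    nats = [(ifc, nid, ipaddress.ip_network(f"{net}/{mask}", strict=False))
            for ifc, nid, net, mask in NAT_RE.findall(config)]
    globals_ = set(GLOBAL_RE.findall(config))
    ids = [nid for ifc, nid, net in nats
           if ifc == ev["src_if"] and ev["src_ip"] in net]
    return {
        "ingress": ev["src_if"],
        "nat_ids": ids,  # nat rules on the reported ingress interface
        "has_global": any((ev["dst_if"], nid) in globals_ for nid in ids),
        # other interfaces whose nat rules cover the same source address
        "covered_elsewhere": sorted({ifc for ifc, _, net in nats
                                     if ifc != ev["src_if"] and ev["src_ip"] in net}),
    }
```

With the constructed config, the result shows no `nat` rule on the interface named in the log while a rule on `fg-idsys` covers the same source address, which is the mismatch the original poster describes.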
