04-08-2009 01:21 PM - edited 03-04-2019 04:18 AM
I had no nat-control on the ASA. What I think is that the ASA will allow traffic to traverse different interfaces as long as the ACL permits it. No NAT is needed at all. However, when I tried to ping from outside to inside, the ping failed and I found this debug information on the ASA:
No translation group found for icmp src...
Anyone know why?
Thanks,
04-10-2009 04:49 AM
Hello,
And have you tried to ping from the inside to the outside?
Because if the ping fails, it is logical not to have any translation.
Another thing: if you ping from inside to outside and it passes without NAT translations, you may be running in transparent mode.
Regards,
Omar
04-10-2009 05:00 AM
Yu:
How are you?
The no-nat feature only applies to traffic that is traversing a higher level security interface to a lower one. So in other words, from inside to outside. In those instances, if no NAT statement is configured, the ASA will act as a regular router and forward packets based on the rules of the ACL only.
Just as a side note, I'm not sure this applies to your situation, but if you want to remove or disable the nat-control statement in the PIX/ASA, you need to remove all NAT statements from the security appliance. In general, you need to remove the NAT before you turn off NAT control. You have to reconfigure the NAT statement in PIX/ASA to work as expected.
Does that answer your question?
Victor
07-20-2010 01:58 PM
Thanks for the quick responses; I don't want to remove all NAT, we are just setting up a site-to-site VPN, and Site2 (remote) is running the terminal ping which is being logged with the error. When we attempt to 'pathping' Site2's IP, our traffic is getting routed out the public interface (to the internet). We're not thinking that on our end, there is not a proper route statement for site2, on the other side of the new VPN. And it is attempting to NAT the Site2 traffic to our internal LAN. Not sure though, we just need connectivity from 10.3.3.0/24 to/from 172.31.1.0/24.
07-20-2010 02:02 PM
Hello,
Can you please post the relevant configuration (for VPN) here from both sides? Also an output of "show run nat" would be great.
Regards,
NT
07-21-2010 06:03 AM
https://supportforums.cisco.com/message/3141073#3141073
Thanks again Nagaraja.
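For triaging the "No translation group found" message discussed in this thread, the following is an added example (not code from any poster or from Cisco) that parses such syslog lines and counts failures per interface pair and subnet, so it is clear which direction and which networks are hitting the missing translation. The exact field layout in the regex and the sample log lines are assumptions constructed for illustration, using the two subnets named in the thread.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout of the ASA "No translation group found" syslog line; the
# thread shows only its first words, so the field order here is an assumption.
PATTERN = re.compile(
    r"No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

# Constructed sample log (not from the thread), using its two subnets.
SAMPLE_LOG = """\
Jul 20 2010 13:58:01: %ASA-3-305005: No translation group found for icmp src outside:172.31.1.10 dst inside:10.3.3.5 (type 8, code 0)
Jul 20 2010 13:58:02: %ASA-3-305005: No translation group found for icmp src outside:172.31.1.11 dst inside:10.3.3.5 (type 8, code 0)
Jul 20 2010 13:58:09: %ASA-3-305005: No translation group found for tcp src outside:172.31.1.10/51514 dst inside:10.3.3.20/3389
Jul 20 2010 13:58:12: %ASA-5-111008: User 'admin' executed the 'show run nat' command.
"""

def parse_line(line):
    """Return the fields of one matching line as a dict, or None."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None

def _net(ip, prefix):
    # Collapse a host address to its enclosing network, e.g. 10.3.3.5 -> 10.3.3.0/24.
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def summarize(log_text, prefix=24):
    """Count failures per (proto, src_if, src_net, dst_if, dst_net)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue  # unrelated syslog message
        try:
            key = (f["proto"], f["src_if"], _net(f["src_ip"], prefix),
                   f["dst_if"], _net(f["dst_ip"], prefix))
        except ValueError:
            continue  # digits and dots that are not a valid IPv4 address
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (proto, s_if, s_net, d_if, d_net), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {proto:5s} {s_if}:{s_net} -> {d_if}:{d_net}")
```

Comparing the resulting interface and subnet pairs against the output of "show run nat" shows which flows have no matching translation or exemption rule.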