03-05-2010 12:29 PM - edited 03-04-2019 07:43 AM
If this isn't posted in the right discussion group please let me know and I'll move it.
My wireless (outside) is using a Proxy Server called Proxy1 (inside). My initial connection to this Proxy server is on Port 8080. Below is a copy of my logs when I try to connect to it from my wireless gateway (10.1.###.###).
I need help understanding what ASA entry I am missing. I also need to connect to other ports; I included the log for port 8080.
From what I am seeing in the logs it looks like the ASA is not DENYING the connection.
Thanks
--Joe
For Port 8080:
03-05-2010 13:42:21 Local4.Info 159.105.###.### %ASA-6-302013:
Built outbound TCP connection 580927 for govnet:159.105.###.###/8080 (159.105.###.###/8080) to wireless:10.1.###.###/36326 (159.105.###.###/12156)
03-05-2010 13:42:21 Local4.Info 159.105.###.### %ASA-6-305011:
Built dynamic TCP translation from wireless:10.1.###.###/36326 to govnet:159.105.###.###/12156
03-05-2010 13:42:21 Local4.Debug 159.105.###.### %ASA-7-609001:
Built local-host wireless:10.1.###.###
03-05-2010 13:42:21 Local4.Error 170.222.###.### %ASA-3-305005:
No translation group found for tcp src govnet:159.105.###.###/12156 dst inside:Proxy1/8080
03-10-2010 12:38 PM
Hi Joe!
When using an ASA, when traffic passes from one interface to another you need to have a NAT rule, either a static or a nat/global pair.
For example, if you want a static rule for all your network you can do the following:
static (govnet,inside) 159.105.0.0 159.105.0.0 netmask 255.255.0.0
This is a NAT rule for traffic flowing from the govnet to the inside interface. Both networks are the same to avoid any real translation and move traffic with its original IP address.
Cheers!
03-11-2010 10:28 AM
Yamil,
Thank you for your reply.
I don't think we want global nat for this. Let me explain a little bit more.
Wireless(outside) to proxy server 10.1.0.9(outside) goes through the tunnel using 159.105.###.### with a destination of inside 159.105.###.20 (Proxy1)(inside). All we would want is to allow that one specific IP (10.1.0.9) to access Proxy1 and pass information.
What really confuses me is that everything above the error is on the 159.105.###.### network but it looks like the error is being generated by the 170 outside network?
Thanks Again
--Joe
03-11-2010 12:46 PM
Joe,
I just want to make sure I have the right picture...
You just want to allow traffic from a host outside (10.1.0.9) to a host on the inside (159.105.###.20).
Is that correct or am I missing something?
- Yamil
03-11-2010 12:50 PM
Yamil,
Yes, that is exactly right
--Joe
03-11-2010 02:07 PM
Joe,
If you want to pass traffic from an outside to an inside interface in an ASA, you need to make sure that you have two things:
1.- An access-group that allows traffic to come in.
2.- A NAT rule that matches the traffic.
So in this case if we have the source on the outside interface with an ip address:
10.1.0.9
and a destination on the inside with the ip address:
159.105.###.20
First we configure the rule to allow traffic to come in:
access-list out permit ip host 10.1.0.9 host 159.105.###.20
then we ensure that we have a NAT rule for this traffic. If you don't want to change either the source or the destination when traffic flows through the FW, you just use a static command with the same IP address on both sides. For example:
static (inside,outside) 159.105.###.20 159.105.###.20
If you don't want to use any NAT rule, you will have to disable nat-control. To disable it, issue the following command in global config mode:
no nat-control
Hope that helps!
- Yamil
03-12-2010 07:54 AM
Yamil,
I really appreciate the time you are taking to help me, but I need to understand what is going on here.
Looking at the Series of ASA messages below, I have a couple of questions.
03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-302013:
Built outbound TCP connection 580927 for govnet:159.105.97.20/8080 (159.105.97.20/8080) to wireless:10.1.0.9/36326 (159.105.221.114/12156)
03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-305011:
Built dynamic TCP translation from wireless:10.1.0.9/36326 to govnet:159.105.221.114/12156
03-05-2010 13:42:21 Local4.Debug 159.105.221.114 %ASA-7-609001:
Built local-host wireless:10.1.0.9
03-05-2010 13:42:21 Local4.Error 170.222.200.97 %ASA-3-305005:
No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080
What does the message "No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080" actually mean? The 170 number is our inside 170 subnet IP named "170inside".
I think the series is saying that my request from 10.1.0.9 to Proxy1 was received by the ASA but it could not do something. Since I cannot get a Deny in the ASA logs I think it might be accepting the request but doesn't know how to get back to me with the response.
I really am trying to understand exactly what is going on here. When setting up the same routine from a different location I received DENY messages in the ASA logs and once the ACL changes were made everything worked. I never saw this "No translation group" message before.
Thanks
--Joe
03-12-2010 08:15 AM
Hi Joe!
What the error message "No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080" means is that you do not have a NAT rule for traffic coming from 159.105.221.114 going to Proxy1 host, and you need to have one.
Here is the official Cisco documentation for that error, perhaps it can make things clearer.
Error Message %PIX|ASA-3-305005: No translation group found for protocol src
interface_name: source_address/source_port dst interface_name: dest_address/dest_port
Explanation A packet does not match any of the outbound nat command rules. If NAT is not configured for the specified source and destination systems, the message will be generated frequently.
Recommended Action This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.
What exactly is going on is that the ASA ACL allows the traffic to come in, but when the packet is processed the ASA does not find a NAT rule that matches that specific traffic, therefore the traffic gets dropped and you get that error message.
Perhaps you are now asking why you don't get that error message on other firewalls? The answer is simple: either you have an existing NAT rule or "nat-control" is disabled.
So to allow traffic to pass through the ASA firewall you can either add a NAT rule, for example static (inside,outside); or you can disable nat-control. I prefer creating NAT rules to disabling nat-control...
Hope that answers your questions!
Cheers!
- Yamil
03-16-2010 07:30 AM
Yamil,
We have a second wireless location that is working properly. I looked in our ASA's Nat entries and pulled out an entry for the working wireless that may be what I need to resolve the
"No translation group found for tcp src govnet:159.105.221.114/12689 dst inside:Proxy1/3128" problem
Background:
The working Wireless network is 192.168.103.0
The problem Wireless network is 10.1.0.0
Proxy1 is on the 159 network.
The ASA Nat entry I see for the working network...
match ip inside 159.105.###.0 255.255.255.0 govnet 192.168.103.0 255.255.255.0
This format is different from what you showed me earlier so I am not sure what this NAT command does. If I made an entry in the ASA as below:
match ip inside 159.105.###.0 255.255.255.0 govnet 10.1.0.0 255.255.255.0
Would that solve the problem?
Thanks
--Joe
03-16-2010 10:51 AM
Joe,
To be honest, I don't know any "match" command to do NAT translations. I looked for that command but I found nothing that would match it used in global config mode; I've always used nat or static statements. So I am not sure if adding that command will solve your problem, but you can give it a try, or try the static commands.
Cheers!
- Yamil
03-18-2010 01:39 PM
Yamil,
I tried entering the command static(inside,outside) 159.105.###.20 159.105.###.20 and it keeps telling me the format is incorrect.
I did enter this command and it helped a little: route govnet 192.168.103.0 255.255.255.0 159.105.221.201 1
I got permission from my security guy to make the changes you suggested. Can you give me the commands I need to enter to make the error message finally go away.
No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080
I am Frustrated
Thanks
--Joe
03-19-2010 12:06 PM
If it gives you an error about the command, it is perhaps because we are missing the "netmask" parameter. The right syntax of the static translation is
static (incoming_interface,outgoing_interface) fake_ip real_ip netmask mask
In your case:
static (inside,outside) 159.105.###.20 159.105.###.20 netmask 255.255.255.255
That will be for a single host, but you can adjust it to match what you need.
Hope that helps so you can finally get rid of that message!
Cheers!
- Yamil
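Added worked example, not part of the thread and not Cisco code: a small Python model of the check Yamil describes in his 03-11 and 03-12 replies and in the accepted static syntax above. It parses the %ASA-3-305005 line from Joe's log, reads three constructed config fragments (nat-control on with no static, nat-control on with an identity static, and nat-control off), and reports which of them would let the flow pass the NAT lookup. Assumptions: Proxy1 is 159.105.97.20 as shown in the 03-12 log, the interfaces are named govnet and inside as in that log (Yamil's examples say "outside"; the model shows that a static written for an interface name the flow does not cross still leaves the flow dropped), and only `nat-control`, `name` and `static (real_ifc,mapped_ifc) mapped real netmask m` lines are understood. nat/global, nat 0 and the interface ACL (which the ASA evaluates before the NAT lookup) are deliberately not modelled, so this is a simplified picture of ASA 8.2 behaviour, not a reimplementation of it.

```python
"""Simplified model of the ASA 8.2-era NAT lookup behind %ASA-3-305005.

Added example; not from the thread or from Cisco. Only `nat-control`, `name`
and `static (real_ifc,mapped_ifc) mapped real [netmask m]` are understood.
nat/global, nat 0 and interface ACLs are not modelled (assumption).
"""
import ipaddress
import re

# The 305005 line from the thread (already unmasked in the 03-12 post).
LOG_305005 = (
    "%ASA-3-305005: No translation group found for tcp "
    "src govnet:159.105.221.114/12156 dst inside:Proxy1/8080"
)

# Constructed config fragments. Interface names follow the log: govnet, inside.
CFG_BEFORE = "name 159.105.97.20 Proxy1\nnat-control\n"
CFG_FIXED = CFG_BEFORE + "static (inside,govnet) Proxy1 Proxy1 netmask 255.255.255.255\n"
CFG_WRONG_IFC = CFG_BEFORE + "static (inside,outside) Proxy1 Proxy1 netmask 255.255.255.255\n"
CFG_NO_NAT_CONTROL = "name 159.105.97.20 Proxy1\nno nat-control\n"

LOG_RE = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<ingress>[\w-]+):(?P<src>[\w.-]+)/(?P<sport>\d+) "
    r"dst (?P<egress>[\w-]+):(?P<dst>[\w.-]+)/(?P<dport>\d+)"
)
STATIC_RE = re.compile(
    r"^static\s*\((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)(?:\s+netmask\s+(?P<mask>\S+))?$"
)


def parse_305005(line):
    """Return the flow (ingress, egress, src, dst, ports) named in a 305005 message."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a %ASA-3-305005 message")
    return m.groupdict()


def parse_config(text):
    """Pick out the NAT-relevant lines. `no nat-control` is the ASA default;
    boxes upgraded from PIX often still carry `nat-control`."""
    cfg = {"nat_control": False, "names": {}, "statics": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "nat-control":
            cfg["nat_control"] = True
        elif line == "no nat-control":
            cfg["nat_control"] = False
        elif line.startswith("name "):
            _, ip, alias = line.split()[:3]      # name <ip> <alias>
            cfg["names"][alias] = ip
        elif (m := STATIC_RE.match(line)):
            cfg["statics"].append(m.groupdict())
    return cfg


def resolve(token, names):
    """The ASA accepts a `name` alias wherever an address is expected."""
    return ipaddress.ip_address(names.get(token, token))


def static_covers(st, names, flow):
    """A static is bidirectional: mapped-side -> real-side it is matched on the
    destination (mapped range); real-side -> mapped-side on the source (real range)."""
    mask = st["mask"] or "255.255.255.255"
    mapped_net = ipaddress.ip_network(f"{resolve(st['mapped'], names)}/{mask}", strict=False)
    real_net = ipaddress.ip_network(f"{resolve(st['real'], names)}/{mask}", strict=False)
    src, dst = resolve(flow["src"], names), resolve(flow["dst"], names)
    if flow["ingress"] == st["mapped_ifc"] and flow["egress"] == st["real_ifc"]:
        return dst in mapped_net
    if flow["ingress"] == st["real_ifc"] and flow["egress"] == st["mapped_ifc"]:
        return src in real_net
    return False  # the static is written for a different interface pair


def nat_decision(config_text, log_line):
    """'permit: <reason>' if the flow passes the NAT lookup, else 'drop: 305005 ...'."""
    cfg = parse_config(config_text)
    flow = parse_305005(log_line)
    if not cfg["nat_control"]:
        return "permit: no nat-control, untranslated flows are allowed"
    for st in cfg["statics"]:
        if static_covers(st, cfg["names"], flow):
            return f"permit: static ({st['real_ifc']},{st['mapped_ifc']}) {st['mapped']} {st['real']}"
    return "drop: 305005 (nat-control on, no static covers the flow)"


if __name__ == "__main__":
    cases = [("before", CFG_BEFORE), ("identity static", CFG_FIXED),
             ("wrong interface name", CFG_WRONG_IFC), ("no nat-control", CFG_NO_NAT_CONTROL)]
    for label, cfg in cases:
        print(f"{label:22} -> {nat_decision(cfg, LOG_305005)}")
```

The "wrong interface name" case is the practical check: the interface names in the static must be the ones the ASA prints in the log (here govnet and inside), not the informal "outside" used in the discussion. Disabling nat-control also clears the message, but then every interface pair passes untranslated traffic, which is why an explicit identity static for just Proxy1 is the tighter choice.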