08-02-2010 10:54 AM
Hi guys,
I'm sure this is a relatively simple problem but my remote VPN clients aren't able to do anything network wise once they have connected to the VPN. The ASA keeps coming up with "no translation group found" in the log. Please see the config and let me know what you think.
Kind regards
Paul.
Result of the command: "show running"
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name office.propertyfinder.com
enable password ######## encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Office Network Interface
nameif Office-LAN
security-level 100
ip address 10.121.10.4 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/1
description 4Mbps BTNet Internet Connection
nameif Internet-Primary
security-level 0
ip address 213.121.253.33 255.255.255.248
ospf cost 10
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description Office Wireless Interface
nameif Office-Wireless
security-level 10
ip address 172.16.0.1 255.255.255.0
ospf cost 10
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup Office-LAN
dns server-group DefaultDNS
name-server 10.121.10.20
name-server 10.121.10.21
domain-name office.propertyfinder.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Zoopla-Office-LAN
description Zoopla Office Local Area Network
network-object 10.121.10.0 255.255.255.0
object-group network LB-CP-Host
description Luke Burgess control panel host
network-object host 87.117.227.228
object-group network UKPS-Remote-Hosts
description UK Property Shop Servers
network-object host 209.85.11.2
network-object host 209.85.11.6
object-group network Zoopla-Client-VPN
description Zoopla external client VPN
network-object 10.121.32.0 255.255.254.0
object-group network Zoopla-Phone-System
description Office VoIP phone system
network-object 10.121.11.0 255.255.255.0
object-group service alt_smtp tcp
description Alternative SMTP port for Gmail
port-object range 587 587
object-group service gtalk tcp
description Google Talk
port-object range 5222 5222
object-group service msn tcp
description MSN Messenger
port-object range 1863 1863
object-group service rdp tcp
description Remote Desktop Protocol
port-object range 3389 3389
object-group service rtmp tcp
description Real Time Messaging Protocol
port-object range 1935 1935
object-group service ukps-cp tcp
description UK Property Shop control panel
port-object range 19638 19638
object-group service jabber tcp
description Jabber Instant Messenger
port-object range 5222 5222
object-group service web-standard tcp
description General Internet access
group-object alt_smtp
group-object gtalk
group-object msn
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
group-object jabber
object-group network Sage-ACCPAC-Online
description Sage ACCPAC Online hosts
network-object 64.88.171.0 255.255.255.192
object-group service citrix-accpac tcp
description ACCPAC via Citrix ports
port-object range citrix-ica citrix-ica
port-object range 8081 8081
object-group service ec2-apache-13000 tcp
description EC2 Apache port 13000
port-object range 13000 13000
object-group service steam tcp-udp
description Steam ports
port-object range 27000 27015
port-object range 27014 27050
port-object range 27015 27030
port-object range 4380 4380
object-group service svn_13333 tcp
description EC2 SVN port
port-object range 13333 13333
object-group service file-printer-sharing tcp
description Windows file and printer sharing (samba)
port-object range 445 445
access-list Office-LAN_nat0_outbound extended permit ip object-group Zoopla-Office-LAN object-group Zoopla-Client-VPN
access-list Office-Wireless_access_in remark Allow general Internet traffic
access-list Office-Wireless_access_in extended permit tcp any any object-group web-standard
access-list Office-Wireless_access_in remark Allow SSH access to EC2
access-list Office-Wireless_access_in extended permit tcp object-group Zoopla-Office-LAN object-group Amazon-EC2-Networks eq ssh
access-list Office-LAN_access_in remark Allow general Internet traffic
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN any object-group web-standard
access-list Office-LAN_access_in remark Allow all ICMP traffic
access-list Office-LAN_access_in extended permit icmp object-group Zoopla-Office-LAN any
access-list Office-LAN_access_in remark Allow all traffic to the internal phone network
access-list Office-LAN_access_in extended permit ip object-group Zoopla-Office-LAN object-group Zoopla-Phone-System
access-list Office-LAN_access_in remark Allow access to DNS
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN any eq domain
access-list Office-LAN_access_in remark Allow access to DNS
access-list Office-LAN_access_in extended permit udp object-group Zoopla-Office-LAN any eq domain
access-list Office-LAN_access_in remark Allow SSH access to EC2
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN object-group Amazon-EC2-Networks eq ssh
access-list Office-LAN_access_in remark Allow NTP access to anywhere
access-list Office-LAN_access_in extended permit udp object-group Zoopla-Office-LAN any eq ntp
access-list Office-LAN_access_in remark Allow remote desktop access to VPN clients
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN object-group Zoopla-Client-VPN object-group rdp
access-list Office-LAN_access_in remark Allow SSH access to UKPS hosts
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN object-group UKPS-Remote-Hosts eq ssh
access-list Office-LAN_access_in remark Allow access to server1.lukeburgess.com:19638
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN object-group LB-CP-Host object-group ukps-cp
access-list Office-LAN_access_in remark Allow ACCPAC access via Citrix from sageaccpaconline.com
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN object-group Sage-ACCPAC-Online object-group citrix-accpac
access-list Office-LAN_access_in remark Allow access to apache at EC2 via port 13000
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN object-group Amazon-EC2-Networks object-group ec2-apache-13000
access-list Office-LAN_access_in remark Allow access to Steam ports
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN any object-group steam
access-list Office-LAN_access_in remark Allow access to SVN at Amazon EC2
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN object-group Amazon-EC2-Networks object-group svn_13333
access-list Office-LAN_access_in remark Allow remote desktop access to Amazon EC2
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN object-group Amazon-EC2-Networks object-group rdp
access-list Office-LAN_access_in remark Allow file and printer sharing over the client VPN
access-list Office-LAN_access_in extended permit tcp object-group Zoopla-Office-LAN object-group Zoopla-Client-VPN object-group file-printer-sharing
access-list Internet-Primary_access_in remark Allow traceroutes to use this hop
access-list Internet-Primary_access_in extended permit icmp any interface Internet-Primary
access-list Internet-Primary_access_in remark Allow ICMP outbound for VPN
access-list Internet-Primary_access_in extended permit icmp object-group Zoopla-Client-VPN any
access-list Internet-Primary_access_in remark Allow VPN to access the Zoopla office
access-list Internet-Primary_access_in extended permit ip object-group Zoopla-Client-VPN object-group Zoopla-Office-LAN
access-list Internet-Primary_access_in remark Allow standard ports via the VPN
access-list Internet-Primary_access_in extended permit tcp object-group Zoopla-Client-VPN any object-group web-standard
access-list Office-LAN_nat_outbound extended permit ip object-group Zoopla-Office-LAN any
access-list Internet-Primary_nat_outbound extended permit ip object-group Zoopla-Client-VPN any
pager lines 24
logging enable
logging asdm informational
mtu Office-LAN 1500
mtu Internet-Primary 1500
mtu Office-Wireless 1500
mtu management 1500
ip local pool UK_VPN 10.121.32.1-10.121.33.254 mask 255.255.254.0
no failover
monitor-interface Office-LAN
monitor-interface Internet-Primary
monitor-interface Office-Wireless
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Office-LAN
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (Internet-Primary) 1 interface
nat (Office-LAN) 0 access-list Office-LAN_nat0_outbound
nat (Office-LAN) 1 access-list Office-LAN_nat_outbound
nat (Internet-Primary) 1 access-list Internet-Primary_nat_outbound
access-group Office-LAN_access_in in interface Office-LAN
access-group Internet-Primary_access_in in interface Internet-Primary
access-group Office-Wireless_access_in in interface Office-Wireless
route Internet-Primary 0.0.0.0 0.0.0.0 213.121.253.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
ldap attribute-map ActiveDirectoryMapTable
map-name SAMAccountName cVPN3000-LDAP-Login
aaa-server UK_VPN protocol ldap
aaa-server UK_VPN (Office-LAN) host 10.121.10.20
timeout 5
ldap-base-dn OU=PF Group,DC=office,DC=propertyfinder,DC=com
ldap-scope subtree
ldap-naming-attribute SAMAccountName
ldap-login-password *
ldap-login-dn CN=ZOOPLA ASA-LDAP,CN=Users,DC=office,DC=propertyfinder,DC=com
server-type microsoft
group-policy UK_VPN internal
group-policy UK_VPN attributes
wins-server value 10.121.10.20 10.121.10.21
dns-server value 10.121.10.20 10.121.10.21
vpn-tunnel-protocol IPSec
default-domain value office.propertyfinder.com
username admin password r4mF13pt8YhXajwf encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.121.10.0 255.255.255.0 Office-LAN
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Internet-Primary_dyn_map 40 set pfs
crypto dynamic-map Internet-Primary_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map Internet-Primary_map 65535 ipsec-isakmp dynamic Internet-Primary_dyn_map
crypto map Internet-Primary_map interface Internet-Primary
crypto isakmp enable Internet-Primary
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group UK_VPN type ipsec-ra
tunnel-group UK_VPN general-attributes
address-pool UK_VPN
authentication-server-group UK_VPN
default-group-policy UK_VPN
tunnel-group UK_VPN ipsec-attributes
pre-shared-key *
telnet 10.121.10.0 255.255.255.255 Office-LAN
telnet timeout 5
ssh 10.121.10.0 255.255.255.0 Office-LAN
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 10.121.10.12 source Office-LAN prefer
tftp-server Office-LAN 10.121.10.250 /ASA
prompt hostname context
Cryptochecksum:557aa22fa7ae860242e1831a31477a18
: end
08-02-2010 02:00 PM
Hello,
You have the following defined:
ip local pool UK_VPN 10.121.32.1-10.121.33.254 mask 255.255.254.0
and these nat rules :
nat (Office-LAN) 0 access-list Office-LAN_nat0_outbound
nat (Office-LAN) 1 access-list Office-LAN_nat_outbound
access-list Office-LAN_nat_outbound extended permit ip object-group Zoopla-Office-LAN any
access-list Internet-Primary_nat_outbound extended permit ip object-group Zoopla-Client-VPN any
I'm not sure what you're trying to do with the NAT (as I don't know your topology), but you really need to add a line like this to your nat 0 ACL for your office lan (because right now the ACL your nat0 references doesn't exist)
access-list Office-LAN_nat0_outbound extended permit ip any object-group Zoopla-Client-VPN
Which will say *not* to nat traffic on the Office-LAN interface when going from any source to that destination.
08-03-2010 03:10 AM
Thanks for the reply Jason.
I tried the line you suggested but unfortunately it didn't work. Let me give you a run down of what I'm trying to do.
It's a pretty simple remote client VPN into the office.
Office Data Network: 10.121.10.0/24
Office Phone Network: 10.121.11.0/24
Remote VPN Network: 10.121.32.0/23
Everything on the ASA is set up as I want it at the moment. The only thing I can't get to work is having systems connected to the VPN (10.121.32.0/23) talk to the Internet or to the office data network (10.121.10.0/24). I know it's a NAT problem but I'm not too clued up on NAT really. Plus I'm working through the ASDM mostly as it's been a very long time since I did any Cisco CLI.
Any help would be much appreciated mate.
Paul.
08-03-2010 07:57 PM
Hello Paul,
Lets start with adding this line:
access-list Office-LAN_nat0_outbound extended permit ip any object-group Zoopla-Client-VPN
This will ensure that internet traffic goes to VPN clients un-natted. If you are using ASDM, you can use the command line interface on the ASDM (tools --> Command line) and enter the above command.
Once this is done, you can use the packet tracer to verify that the packet will go through:
packet-tracer input inside icmp 10.121.10.2 8 0 10.121.32.3 detailed
This will tell you if the packet will go through or not (you can issue this command also in ASDM command line interface or you can use the packet tracer utility in ASDM).
That should give you a good idea on if the communication will go through or not.
Hope this helps.
Regards,
NT
08-04-2010 02:28 AM
Hi Nagariaja,
Thanks for the reply. That didn't seem to make any difference my friend. The packet trace is successful before and after I enter the access list rule you suggest. I've just noticed something about the "No translation group" message. The source IP of these messages are our primary and secondary DNS servers in the office. Is this significant? Here is an example of one the messages:
Severity | Date | Time | Syslog ID | Source IP | Destination IP | Description |
---|---|---|---|---|---|---|
3 | Aug 04 2010 | 07:46:31 | 305005 | 10.121.10.20 | No translation group found for udp src Internet-Primary:10.121.32.1/137 dst Office-LAN:10.121.10.20/137 | |
10.121.10.20 is our primary Windows domain controller and DNS server. It is used for authenticating the VPN users via LDAP. The authentication proceedure seems to work Ok, but when trying to communicate between the VPN and the Office or VPN and the Internet I just get all these No translation group messages.
Any ideas?
08-04-2010 06:26 AM
Hello,
The log message indicates that the firewall blocked the VPN client from accessing the domain controller. Let us try the following:
access-list pnat permit ip 10.121.10.0 255.255.255.0 10.121.32.0 255.255.255.0
static (Office-LAN,Internet-Primary) 10.121.10.0 access-list pnat
This will allow bi-directional connection from VPN subnet to your office LAN.
Hope this helps.
Regards,
NT
12-22-2011 01:16 PM
Hi guys,
I have the same problem. "No translation group found for udp src outside:192.168.14.100/137 dst client:srv002/137"
I have tried added both your command, access-list and static but it didn't solve my problem.
Please help me I have made so many changes in ASDM so I'm lost every time I try to look at the configuration from command line, I have attached my configuration.
Regards Mikael
12-22-2011 11:53 PM
Looks like you have already created no nat for client zone . Since srv002 falls in client.
Ading this should resolve error which you are seeing.
nat (client) 0 access-list client_nat0_outbound
Thanks
AJay
12-23-2011 02:56 PM
Thanks for your reply Ajay but I get an error when trying to add nat.
firewall01(config)# nat (client) 0 access-list client_nat0_outbound
ERROR: access-list has protocol or port
Regards Mikael
12-23-2011 03:01 PM
access-list client_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 vpn-network 255.255.255.0 object-group DM_INLINE_NETWORK_2 log disable
access-list client_nat0_outbound extended permit ip any vpn-network 255.255.255.0
access-list client_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_4 vpn-network 255.255.255.0
ummm that correct you should always use IP as used wth 2nd statement. Remove object-group DM_INLINE_PROTOCOL_3 and use IP.
Thanks
Ajay
12-23-2011 03:44 PM
My config looks like this right now:
access-list client_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 vpn-network 255.255.255.0 object-group DM_INLINE_NETWORK_2 log disable
access-list client_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 vpn-network 255.255.255.0
I still get the following error and I still not able to run "nat (client) 0 access-list client_nat0_outbound":
No translation group found for udp src outside:192.168.14.100/137 dst client:srv002/137
/Mikael
12-23-2011 10:16 PM
As i said NAT ACL should not contain any port /protocol.
access-list client_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 vpn-network 255.255.255.0
This statement looks good you need to change rest of the statement as well.
Then only you will be able to apply this oninterface.
12-24-2011 02:50 PM
This is driving me to insanity... I have now clean up a lot of junk automatic created by ASDM and I have finely get ride of the error message. However I'm still not able to access the client network when I'm connected via VPN and this time I can't find any error in the debug log.
See my attached configuration and please give me some advice.
Regards Mikael
12-24-2011 07:08 PM
I see couple of things need to be fixed- If you are accessing other network dmz/inside.Then you have no add other statements in no nat acl.
access-list client_nat0_outbound extended permit ip 192.168.13.0 255.255.255.0 192.168.14.0 255.255.255.0
To fix these zones as well.
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (wlan) 1 0.0.0.0 0.0.0.0
nat (server) 1 0.0.0.0 0.0.0.0
say inside--
access-list client_nat0_outbound extended permit ip
&
nat (inside) 0 access-list client_nat0_outboundnside
same way for others.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide