ASA 5520 IOS 7.1(2)

Jul 22nd, 2007

Dear All,


Q1. I have an ASA 5520 with IOS 7.1(2). Is this a stable IOS? I am facing some dramatic behaviour of my firewall.


Q2. I am getting 1000s of logs for the below mentioned; what does it mean?


3|Jul 22 2007 18:03:41|305005: No translation group found for udp src inside:172.16.7.33/1036 dst outside:202.x.x.33/53


7.33 is my DNS internal IP.


Q3. What is the meaning of the below mentioned command?


nat (inside) 0 access-list inside_nat0_outbound



Thanks & Regards:

Shelesh


ggilbert Sun, 07/22/2007 - 07:44
Cisco Employee

Shelesh,


I will try to answer some of your questions.


Q1. I would suggest 7.2.2 would be a good stable IOS. But the 7.2.2(19) interim build is a pretty stable one.


Q2. Seems like the 7.33 is trying to reach the 202 address but there is no translation found for the traffic to pass through the interface.


Check the translation information.


Where is the 7.33 IP? Is it on the internal network or the DMZ? Seems like it's going to the internet, so check if the source interface of that IP has a nat statement to the global interface.


Eg:

nat (inside) 1 172.16.0.0 255.255.0.0

global (outside) 1 interface


something like this...


Q3. That statement is tied to an access-list.

The nat (inside) 0 statement states that any traffic matching that access-list should be exempt from the NAT process.


So, it will not be NATted.


Let me know if these answers help you.


Thanks

Gilbert

netadminnbf Sun, 07/22/2007 - 20:31

Dear Gilbert,


Thanks for the rapid reply.


Q.1 It means IOS 7.1 is not a stable one, and I have to load IOS 7.2, am I right?


Q.2 I don't want any traffic starting from 7.33 to any public IP.


I have put in the command:


ip ACL inside deny ip host 172.16.7.33 any


After this command I am still getting the log; due to so many logs the firewall behaves dramatically. Once we use this command the firewall should block the outbound connection, but it is not doing so. Please find my NAT statements:


global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.16.0.3 255.255.255.255

nat (inside) 1 172.16.0.19 255.255.255.255

nat (inside) 1 172.16.7.32 255.255.255.255



As you suggest, global(outside) 1 in (it is already there)


and


nat (inside) 1 172.16.0.0 255.255.0.0 (what will this command do? I think it will NAT all of the 172.16 subnet, right? That we don't want; we only want to stop the logs. In my company we have a separate network for internet access; only certain hosts we have permitted to talk to public IPs.)


My requirement is to stop all the logs for IP 7.33.
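As an added illustration that is not part of the thread, here is a small Python model of the outbound NAT lookup Gilbert describes (nat 0 access-list exemption first, then a numbered nat/global pair, otherwise message 305005), run against the nat/global statements posted above. The body of the inside_nat0_outbound access-list, the 10.99.0.0/24 VPN pool used as its one entry, and the 203.0.113.33 destination standing in for the redacted 202.x.x.33 DNS address are constructed assumptions, since the thread does not give them.

```python
import ipaddress

# Added model (not from the thread) of the ASA 7.x outbound NAT lookup that
# ggilbert describes: a flow matching the nat (inside) 0 access-list is exempt
# from NAT; otherwise a numbered nat (inside) N entry must cover the source and
# have a matching global (outside) N; otherwise the ASA logs message 305005.
# It assumes a translation is required for the flow, as the 305005 log implies.

class AsaNatLookup:
    def __init__(self):
        self.exempt_acl = []    # (src_net, dst_net) pairs of inside_nat0_outbound
        self.nat_entries = []   # (nat_id, src_net) from "nat (inside) N ..."
        self.globals = {}       # nat_id -> pool text from "global (outside) N ..."

    def add_line(self, line):
        """Load one nat/global statement exactly as posted in the thread."""
        parts = line.split()
        nat_id = int(parts[2])
        if parts[0] == "global":
            self.globals[nat_id] = " ".join(parts[3:])
        elif parts[3] != "access-list":   # nat 0 ACL lines are loaded via add_exempt
            net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
            self.nat_entries.append((nat_id, net))

    def add_exempt(self, src_net, dst_net):
        """One permit line of the inside_nat0_outbound access-list (constructed)."""
        self.exempt_acl.append((ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)))

    def lookup(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in sn and d in dn for sn, dn in self.exempt_acl):
            return "exempt: nat 0 access-list match, no translation"
        for nat_id, net in self.nat_entries:
            if s in net and nat_id in self.globals:
                return f"translated: nat {nat_id} -> global {self.globals[nat_id]}"
        return "305005: No translation group found"

def build_from_thread():
    asa = AsaNatLookup()
    for line in ["global (outside) 1 interface",
                 "nat (inside) 0 access-list inside_nat0_outbound",
                 "nat (inside) 1 172.16.0.3 255.255.255.255",
                 "nat (inside) 1 172.16.0.19 255.255.255.255",
                 "nat (inside) 1 172.16.7.32 255.255.255.255"]:
        asa.add_line(line)
    # The ACL body is not in the thread; this VPN-pool entry is a constructed stand-in.
    asa.add_exempt("172.16.0.0/16", "10.99.0.0/24")
    return asa
```

Calling `build_from_thread().lookup("172.16.7.33", "203.0.113.33")` reproduces the 305005 outcome for the DNS host, while the same call for 172.16.7.32 or for a destination inside the exempted VPN pool shows the translated and exempt paths.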

gargravarr Mon, 07/23/2007 - 05:45

As the logs are to do with your 7.33 server attempting to access a root DNS server, how should it get its DNS?



netadminnbf Mon, 07/23/2007 - 19:59

Thanks Gargravarr,


I got your point. I checked my DNS server; in the DNS server properties they had defined root servers. I need to remove the root servers from my internal DNS server, because my intranet is not directly connected to the internet; we have a separate network for internet.

Thanks for your response.


I have one more question.


Q.1 Regarding IOS, as I mentioned I have 7.1; what do you suggest, can I change the IOS?


Thanks & Regards:

Shelesh



ggilbert Thu, 07/26/2007 - 07:41
Cisco Employee

Shelesh,


7.2.2 would be the next version to go to.


Gilbert

netadminnbf Sun, 08/05/2007 - 23:08

Hi,


I have upgraded to v7.2.2 but now I am facing another problem.


I have 3 PCs in my INSIDE network:


172.16.7.25

172.16.7.30

172.16.7.26


From the remote VPN I am able to ping 172.16.7.25, but I am not able to ping 7.30 and 7.26.


I have a route for 172.16.0.0 pointing to the core switch, but still I am not able to get to 7.30 and 7.26.


When I add a route for 172.16.7.30 and 7.26, then I am able to ping.


Can you help me, why is it like that?