ASA 5520 IOS 7.1(2)

netadminnbf
Level 1

Dear All,

Q1. I have an ASA 5520 with IOS 7.1(2). Is this a stable IOS? I am facing some dramatic behaviour from my firewall.

Q2. I am getting 1000s of the logs mentioned below. What does it mean?

3|Jul 22 2007 18:03:41|305005: No translation group found for udp src inside:172.16.7.33/1036 dst outside:202.x.x.33/53

7.33 is my internal DNS IP.

Q3. What is the meaning of the command mentioned below?

nat (inside) 0 access-list inside_nat0_outbound

Thanks & Regards:

Shelesh

6 Replies

ggilbert
Cisco Employee

Shelesh,

I will try to answer some of your questions.

Q1. I would suggest 7.2.2 would be a good stable IOS. But the 7.2.2(19) interim build is a pretty stable one.

Q2. Seems like 7.33 is trying to reach the 202 address but there is no translation found for the traffic to pass through the interface.

Check the translation information.

Where is the 7.33 IP? Is it on the internal network or DMZ? Seems like it's going to the internet, so check if the source interface of that IP has a nat statement to the global interface.

Eg:

nat (inside) 1 172.16.0.0 255.255.0.0

global (outside) 1 interface

Something like this...

Q3. That statement is tied to an access-list.

The nat (inside) 0 statement states that any traffic matching that access-list should be exempt from the NAT process.

So it will not be NATted.

Let me know if these answers help you.

Thanks

Gilbert
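A small parser for the 305005 message format quoted above, added here as an example rather than anything from the thread or from Cisco; the sample lines beyond the poster's own are constructed. It groups untranslated flows by source host and destination port, so the host generating the flood (here the DNS server hitting port 53) stands out before anyone touches NAT or ACLs.

```python
import re
from collections import Counter

# Pattern for the ASA syslog 305005 line in the pipe-delimited form quoted in the
# thread (severity|timestamp|message-id: text). "x" is allowed inside addresses
# because the poster masked octets that way.
LOG_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|305005: No translation group found for "
    r"(?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.x]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.x]+)/(?P<dst_port>\d+)$"
)

def parse_305005(line):
    """Return the fields of a 305005 message as a dict, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    return rec

def summarise(lines):
    """Count untranslated flows per (src_if, src_ip, proto, dst_port).

    Grouping by destination port instead of destination IP makes a resolver that
    cycles through many root servers collapse into a single (..., 'udp', 53) bucket.
    """
    counts = Counter()
    for line in lines:
        rec = parse_305005(line)
        if rec is not None:
            counts[(rec["src_if"], rec["src_ip"], rec["proto"], rec["dst_port"])] += 1
    return counts

def noisy_sources(lines, threshold):
    """Buckets with at least `threshold` hits, busiest first."""
    return [(key, n) for key, n in summarise(lines).most_common() if n >= threshold]

# Constructed sample: the thread's own line followed by invented neighbours.
SAMPLE_LOGS = [
    "3|Jul 22 2007 18:03:41|305005: No translation group found for udp src inside:172.16.7.33/1036 dst outside:202.x.x.33/53",
    "3|Jul 22 2007 18:03:42|305005: No translation group found for udp src inside:172.16.7.33/1037 dst outside:198.x.x.4/53",
    "3|Jul 22 2007 18:03:42|305005: No translation group found for udp src inside:172.16.7.33/1038 dst outside:192.x.x.12/53",
    "3|Jul 22 2007 18:03:45|305005: No translation group found for tcp src inside:172.16.7.40/2201 dst outside:203.x.x.9/80",
    "6|Jul 22 2007 18:03:46|302013: Built outbound TCP connection 12 for outside:203.x.x.9/80 to inside:172.16.0.3/2202",
]

if __name__ == "__main__":
    for key, n in noisy_sources(SAMPLE_LOGS, 2):
        print(f"{key[1]} on {key[0]} -> {key[2]}/{key[3]}: {n} untranslated flows")
```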

Dear Gilbert,

Thanks for the rapid reply,

Q.1 It means IOS 7.1 is not a stable one and I have to load IOS 7.2, am I right?

Q.2 I don't want any traffic starting from 7.33 to any public IP.

I have put in the command:

ip ACL inside deny ip host 172.16.7.33 any

After this command I am still getting the log; due to so many logs the firewall behaves dramatically. Once we use this command the firewall should block the outbound connection, but it is not doing so. Please find my nat statements:

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.16.0.3 255.255.255.255

nat (inside) 1 172.16.0.19 255.255.255.255

nat (inside) 1 172.16.7.32 255.255.255.255

As you suggested, global(outside) 1 in (it is already there)

and

nat (inside) 1 172.16.0.0 255.255.0.0 (what will this command do? I think it will NAT the whole 172.16 subnet, right? We don't want that; we only want to stop the logs. In my company we have a separate network for internet access; only certain hosts have been permitted to talk to public IPs.)

My requirement is to stop all the logs for IP 7.33.

As the logs are to do with your 7.33 server attempting to access a root DNS server, how should it get its DNS?

Thanks Gargevarr,

I got your point. I checked my DNS server in the DNS server properties; they had defined root servers. I need to remove the root servers from my internal DNS server, because my intranet is not directly connected to the internet. We have a separate network for internet.

Thanks for your response.

I have one more question.

Q.1 Regarding IOS, as I mentioned I have 7.1. What do you suggest, can I change the IOS?

Thanks & Regards:

Shelesh

Shelesh,

7.2.2 would be the next version to go to.

Gilbert

Hi,

I have upgraded to v7.2.2 but now I am facing another problem.

I have 3 PCs in my INSIDE network:

172.16.7.25

172.16.7.30

172.16.7.26

From remote VPN I am able to ping 172.16.7.25 but I am not able to ping 7.30 and 7.26.

I have a route for 172.16.0.0 pointing to the core switch, but still I am not able to get to 7.30 and 7.26.

When I add routes for 172.16.7.30 and 7.26 then I am able to ping.

Can you help me with why it is like that?
