Hi Dongdong,

Thanks for your reply..

actually i want to get outside using my outside interface...

means that the end systems has to come to fg-idsys (interface ethernet0/3) and then it has to go to outside interface to reach Internet.

interface Ethernet0/0

nameif outside

security-level 0

ip address 63.146.69.170 255.255.255.248

...thanks a lot looking forward

hi sudar

i know what you mean,but could not find any configuration that fg-idsys(private address) is related with outside(public address).

please use "show xlate" to see which address is NATed when the internal machine want to access internet.

regard

dongdong

thanks again...

i will try and let you know about it ...

Here is my nat output for that interface

But still i couldn't able to see it on the xlate output for this ip address 172.16.1.0 255.255.255.0

Fugen-FW# sh nat fg-idsys

==========================

match ip fg-idsys network161 255.255.255.0 outside any

dynamic translation to pool 1 (63.XXX.XX.XXX [Interface PAT])

translate_hits = 0, untranslate_hits = 0

match ip fg-idsys network161 255.255.255.0 fg-idsys any

dynamic translation to pool 1 (192.168.70.254 [Interface PAT])

translate_hits = 0, untranslate_hits = 0

match ip fg-idsys any outside any

no translation group, implicit deny

policy_hits = 0

Fugen-FW# sh xlate

21 in use, 205 most used

Global 63.146.XX.XXX Local 192.168.49.10

Global 63.146.XX.XXX Local 192.168.49.13

PAT Global 63.146.XX.XXX(273) Local 172.31.0.101(123)

PAT Global 63.146.XX.XXX(392) Local 172.31.0.150(123)

PAT Global 63.146.XX.XXX(32253) Local 192.168.48.139(1026)

PAT Global 63.146.XX.XXX(32208) Local 192.168.48.139(56162)

PAT Global 63.146.XX.XXX(13928) Local 192.168.48.139(4304)

PAT Global 63.146.XX.XXX(14126) Local 192.168.48.140(3211)

PAT Global 63.146.XX.XXX(14125) Local 192.168.48.140(3210)

PAT Global 63.146.XX.XXX(14124) Local 192.168.48.140(3209)

PAT Global 63.146.XX.XXX(14123) Local 192.168.48.140(3208)

PAT Global 63.146.XX.XXX(14122) Local 192.168.48.140(3207)

PAT Global 63.146.XX.XXX(14121) Local 192.168.48.140(3206)

PAT Global 63.146.XX.XXX(13994) Local 192.168.48.140(3160)

PAT Global 63.146.XX.XXX(13739) Local 192.168.48.140(2911)

PAT Global 63.146.XX.XXX(32187) Local 192.168.48.140(13258)

PAT Global 63.146.XX.XXX(13700) Local 192.168.48.140(2878)

PAT Global 63.146.XX.XXX(272) Local 192.168.48.1(137)

PAT Global 63.146.XX.XXX(14154) Local 192.168.48.147(61053)

PAT Global 63.146.XX.XXX(14153) Local 192.168.48.147(61052)

PAT Global 63.146.XX.XXX(18721) Local 192.168.48.103(10000)

what could be the reason ...is anything else iam missing in NAT config....

Hi ,

i am also getting an error in the ASDM log

No translation group found for icmp src fugen-dmz:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)

And also what is the impact on these interface in regards to the security level

hi sudar

No translation group found for icmp src fugen-dmz:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)

it seems like ASA consider 172.16.1.0 come from fugen-dmz interface, if you show nat fugen-dmz maybe will find some info.

whether 172.16.1.0 come from fg-idsys "nat (fg-idsys) 1 network161 255.255.255.0"

or come from fugen-dmz "nat (fugen-dmz) 1 172.16.0.0 255.255.0.0"

interface fugen-dmz and fg-idsys both have private address and do not related with outside.i mean, remove global (fugen-dmz) 1 interface and global (fg-idsys) 1 interface then try again

regard

dongdong

Hi,

172.16.1.0 named as network161 and it comes from fg-idsys. And this fg-idsys have more security level than the fugen-dmz.

when i decrease the security level of fg-idsys less than the fugen-dmz , the error changes to fg-idsys.

No translation group found for icmp src fg-idsys:172.16.1.253 dst outside:4.2.2.2 (type 8, code 0)

but from interface fugen-dmz the machines can go putside world. i replicated the same config to fg-idsys.

soon i will post the nat of fugen-dmz

Hi ,

Here is my nat output of fugen-dmz interface

Fugen-FW# sh nat fugen-dmz

===========================

match ip fugen-dmz 192.168.49.0 255.255.255.0 outside 192.168.50.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip fugen-dmz 172.31.0.0 255.255.255.0 outside 192.168.50.0 255.255.255.0

NAT exempt

translate_hits = 11, untranslate_hits = 1277

match ip fugen-dmz any outside 10.100.100.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip fugen-dmz 192.168.49.0 255.255.255.0 fugen-dmz 192.168.50.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip fugen-dmz 172.31.0.0 255.255.255.0 fugen-dmz 192.168.50.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip fugen-dmz any fugen-dmz 10.100.100.0 255.255.255.0

NAT exempt

translate_hits = 0, untranslate_hits = 0

match ip fugen-dmz host 192.168.49.10 outside any

static translation to 63.XXX.XX.XXX

translate_hits = 478, untranslate_hits = 4044

match ip fugen-dmz host 192.168.49.13 outside any

static translation to 63.XXX.XX.XXX

translate_hits = 724, untranslate_hits = 4894

match ip fugen-dmz host 200.198.184.106 fugen-dmz any

alias translation to 192.168.101.155

translate_hits = 0, untranslate_hits = 0

match ip fugen-dmz 192.168.49.0 255.255.255.0 outside any

dynamic translation to pool 1 (63.XXX.XX.XXX[Interface PAT])

translate_hits = 242, untranslate_hits = 4

match ip fugen-dmz 192.168.49.0 255.255.255.0 fugen-dmz any

dynamic translation to pool 1 (192.168.254.254 [Interface PAT])

translate_hits = 0, untranslate_hits = 0

match ip fugen-dmz 172.31.0.0 255.255.0.0 outside any

dynamic translation to pool 1 (63.XXX.XX.XXX[Interface PAT])

translate_hits = 2098, untranslate_hits = 92

match ip fugen-dmz 172.31.0.0 255.255.0.0 fugen-dmz any

dynamic translation to pool 1 (192.168.254.254 [Interface PAT])

translate_hits = 0, untranslate_hits = 0

match ip fugen-dmz any outside any

no translation group, implicit deny

policy_hits = 82234