NAT problem

Unanswered Question
Feb 28th, 2008

Hi All,

I have been stuck with a NAT problem. It gives me an error on my ASA, like this:

No translation group found for icmp src fugen-dmz: dst outside: (type 8, code 0)

These hosts are coming from interface ethernet0/3 (named fg-idsys) on my ASA, but here it says they come from ethernet0/2 (named fugen-dmz).

When I look at my security levels, eth0/3 is higher than eth0/2. Probably, I think, it falls to the lower security level to reach outside.

The hosts connected to the eth0/2 are able to reach outside.

Attached my NAT configs

Let me know what is missing in NAT configurations

NAT show outputs

Mohamed Sobair Thu, 02/28/2008 - 10:33


Why does the NAT of (fg-idsys) show:

nat (fg-idsys) 1

This means it doesn't match anything.

Could you clarify your NAT config?



caliber01 Thu, 02/28/2008 - 11:15


I have now changed that to

nat (fg-idsys) 1

Mohamed Sobair Thu, 02/28/2008 - 12:22

Hi Caliber,

Great to be of help.

The normal security level for the LAN is 100, and this shouldn't affect any NAT operation.



caliber01 Thu, 02/28/2008 - 12:38

I agree with it. Security level doesn't affect NAT.

But I am wondering why my error message on the ASA looks like this:

No translation group found for icmp src fugen-dmz: dst outside:

If you look at the error, it shows src fugen-dmz, but actually the hosts are connected to fg-idsys.

Four interfaces in the ASA:


eth0/0 - outside with public ip address level 0

eth0/1 - Internal security level 100 LAN

eth0/2 - DMZ (named as fugen-dmz) security level 50

eth0/3 - Named as fg-idsys security level 70

I want some of my hosts to reach the outside interface through the fg-idsys interface.

I am able to ping from the host to the fg-idsys interface (and vice versa), but they were not able to get to the internet.

The hosts that were connected to fugen-dmz and internal were able to go outside and able to get internet.

Mohamed Sobair Thu, 02/28/2008 - 14:39

Hi caliber,

Have you configured an access-list or associated the interface subnet with the NAT pool?

Could you double check?



caliber01 Thu, 02/28/2008 - 15:03

I haven't created any ACLs for this.

I'm sure something is missing in my NAT config. I wasn't able to find it.

I have configured PAT.

Mohamed Sobair Thu, 02/28/2008 - 16:22


Please double check the IP address at interface (fg-idsys); I think it should be changed to be within the 172.16.x.x subnet.

Also add the following:

nat (fg-idsys) 1 access-list fg-idsys

You already have an ACL that permits the pool to any destination, but it is not associated with it.



caliber01 Thu, 02/28/2008 - 16:58


I have changed my IP address of the fg-idsys to

and also given the suggested NAT config on ASA

like this

nat (fg-idsys) 1 access-list fg-idsys

but still the error message is the same and they were not able to reach outside.
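
Added example, not part of the thread: the ASA evaluates `nat` rules on the interface named after `src` in the log line, so a rule added under `(fg-idsys)` is never consulted for a packet logged as `src fugen-dmz`. The sketch below assumes the pre-8.3 `nat`/`global` syntax used in the thread; the config, addresses and the `diagnose` helper are constructed for illustration.

```python
import ipaddress
import re

LOG_RE = re.compile(r"No translation group found for \S+ src (\S+?):(\S+) dst (\S+?):")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")

# Constructed sample config (documentation addresses, not the poster's real values).
SAMPLE_CONFIG = """
nat (fugen-dmz) 1 192.0.2.0 255.255.255.0
nat (fg-idsys) 1 access-list fg-idsys
global (outside) 1 interface
"""

def diagnose(config, log_line):
    """Return which part of the nat/global pair is missing for the logged packet."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a 'No translation group found' message")
    src_if, src_addr, dst_if = m.groups()
    src = ipaddress.ip_address(src_addr.split("/")[0])  # TCP/UDP logs append /port
    nat_ids, policy_ids, globals_ = set(), set(), set()
    for line in map(str.strip, config.splitlines()):
        n, g = NAT_RE.match(line), GLOBAL_RE.match(line)
        if n and n.group(1) == src_if:  # only rules on the logged ingress interface count
            if n.group(3) == "access-list":
                policy_ids.add(n.group(2))  # policy NAT: the match depends on the ACL
            elif src in ipaddress.ip_network(f"{n.group(3)}/{n.group(4)}", strict=False):
                nat_ids.add(n.group(2))
        elif g:
            globals_.add((g.group(1), g.group(2)))
    if any((dst_if, i) in globals_ for i in nat_ids):
        return "ok"                   # a nat/global pair exists; look elsewhere
    if nat_ids:
        return "no-global-on-egress"  # nat matches, but no global with that id on dst_if
    if policy_ids:
        return "check-acl"            # only policy NAT present; review the ACL by hand
    return "no-nat-on-ingress"        # no nat rule on src_if covers the source address

if __name__ == "__main__":
    log = ("No translation group found for icmp src fugen-dmz:198.51.100.10 "
           "dst outside:203.0.113.5 (type 8, code 0)")
    print(diagnose(SAMPLE_CONFIG, log))
```

A `no-nat-on-ingress` result for a host believed to sit behind another interface points at cabling, VLAN or routing placing the traffic on the logged interface, rather than at the `nat` line that was edited.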

