NAT problem

caliber01
Level 1

Hi All,

I have been stuck with a NAT problem. My ASA gives me an error like this:

No translation group found for icmp src fugen-dmz:172.16.2.253 dst outside:4.2.2.2 (type 8, code 0)

These hosts are coming from interface ethernet0/3 (named fg-idsys) on my ASA, but here it says they come from ethernet0/2 (named fugen-dmz).

When I look at my security levels, eth0/3 is higher than eth0/2. I think it probably falls to the lower security level to reach outside.

The hosts connected to the eth0/2 are able to reach outside.

Attached are my NAT configs.

Let me know what is missing in the NAT configuration.

NAT show outputs


Mohamed Sobair
Level 7

Hi,

Why does the NAT of (fg-idsys) show:

nat (fg-idsys) 1 0.0.0.0 0.0.0.0

This means it doesn't match anything.

Could you clarify your NAT config?

HTH

Mohamed

Hi,

I have now changed that to

nat (fg-idsys) 1 172.16.0.0 255.255.0.0

Mohamed Sobair
Level 7

Hi Caliber,

Great to be of help.

The normal security level for the LAN is 100, and this shouldn't affect any NAT operation.

HTH

Mohamed

I agree with it. Security level doesn't affect NAT.

But I am wondering why the error message on my ASA shows this:

No translation group found for icmp src fugen-dmz:172.16.2.253 dst outside:4.2.2.2

If you look at the error, it shows src fugen-dmz, but the hosts are actually connected to fg-idsys.

Four interfaces on the ASA

----------------------

eth0/0 - outside with public IP address, security level 0

eth0/1 - Internal LAN, security level 100

eth0/2 - DMZ (named fugen-dmz), security level 50

eth0/3 - Named fg-idsys, security level 70

I want some of my hosts to reach the outside interface through the fg-idsys interface.

I am able to ping from a host to the fg-idsys interface (and vice versa), but the hosts were not able to reach the internet.

The hosts that were connected to fugen-dmz and internal were able to go outside and get to the internet.

Mohamed Sobair
Level 7

Hi caliber,

Have you configured an access-list or associated the interface subnet with the NAT pool?

Could you double check?

HTH

Mohamed

I haven't created any ACLs for this.

I'm sure something is missing in my NAT config. I wasn't able to find it.

I have configured PAT.

Mohamed Sobair
Level 7

Hi,

Could you post the full config?

Regards,

Why not... here it comes.

Mohamed Sobair
Level 7

Hi,

Please double check the IP address at interface (fg-idsys); I think it should be changed to be within the 172.16.x.x subnet.

Also add the following:

nat (fg-idsys) 1 access-list fg-idsys

You already have an ACL that permits the pool to any destination, but it is not associated with it.

HTH

Mohamed

Hi

I have changed the IP address of fg-idsys to 172.16.0.1

and also entered the suggested NAT config on the ASA,

like this:

nat (fg-idsys) 1 access-list fg-idsys

but still the error message is the same and they were not able to reach outside.
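
An added example, not part of any post in this thread and not Cisco code: it parses the message quoted above and checks the source address against `nat (ifname) id network mask` lines, keyed on the interface the message itself names. The `fugen-dmz` line in the sample config is a constructed assumption, since the attached configuration is not shown on the page.

```python
import ipaddress
import re

# Message text as quoted in the thread.
MSG = ("No translation group found for icmp src fugen-dmz:172.16.2.253 "
       "dst outside:4.2.2.2 (type 8, code 0)")

# Constructed sample: the fg-idsys line is from the thread; the fugen-dmz
# line is an assumption, because the attached config is not shown.
CONFIG = """\
nat (fugen-dmz) 1 192.168.50.0 255.255.255.0
nat (fg-idsys) 1 172.16.0.0 255.255.0.0
"""

MSG_RE = re.compile(r"No translation group found for (\S+) "
                    r"src ([^:\s]+):([\d.]+)(?:/\d+)? "
                    r"dst ([^:\s]+):([\d.]+)")
# Only the "nat (if) id network mask" form; access-list forms are skipped.
NAT_RE = re.compile(r"^nat \(([^)]+)\) (\d+) ([\d.]+) ([\d.]+)\s*$", re.M)


def parse_message(msg):
    """Return the protocol, interfaces and addresses named in the message."""
    m = MSG_RE.search(msg)
    if m is None:
        raise ValueError("not a 'No translation group found' message")
    proto, src_if, src_ip, dst_if, dst_ip = m.groups()
    return {"proto": proto, "src_if": src_if, "dst_if": dst_if,
            "src_ip": ipaddress.ip_address(src_ip),
            "dst_ip": ipaddress.ip_address(dst_ip)}


def parse_nat_rules(config):
    """Return (interface, nat_id, network) for each network/mask nat line."""
    return [(ifname, int(nat_id), ipaddress.ip_network(f"{net}/{mask}"))
            for ifname, nat_id, net, mask in NAT_RE.findall(config)]


def diagnose(msg, config):
    """Compare the message's source against nat rules per interface."""
    ev = parse_message(msg)
    covering = [r[0] for r in parse_nat_rules(config) if ev["src_ip"] in r[2]]
    return {"ingress": ev["src_if"],
            "matched_on_ingress": ev["src_if"] in covering,
            "covered_only_on": [i for i in covering if i != ev["src_if"]]}


if __name__ == "__main__":
    print(diagnose(MSG, CONFIG))
```

With this sample, the source address is covered only by the `fg-idsys` rule while the message attributes the packet to `fugen-dmz`, which is the mismatch the original poster keeps pointing at.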
