PING is getting dropped on ASA firewall.

Unanswered Question
Jun 10th, 2008

Hi,

I'm getting the following error message while trying to ping from a management workstation to one of my Cisco PIX interfaces. In between the two devices I have a Cisco ASA which is dropping the traffic, and I can see the following error message in syslog.

I am pinging from 192.168.1.151 to 10.254.231.252.

%ASA-3-305005: No translation group found for icmp src management:192.168.1.151 dst Operators:10.254.231.252 (type 8, code 0)

Here is part of my config:

=======================

interface GigabitEthernet0/2.60
 nameif Operators
 security-level 100
 ip address 10.254.231.254 255.255.255.0
---------------------------------------
interface Management0/0
 nameif management
 security-level 90
 ip address 192.168.1.1 255.255.255.0

global (management) 1 interface
nat (Operators) 1 10.254.231.0 255.255.255.0
nat (Operators) 1 192.168.0.0 255.255.255.0

I don't have any static NAT config on the firewall for these VLANs, but if you want to see the other rules, they are as follows:

static (Operators,PABX) 10.254.231.180 10.254.231.180 netmask 255.255.255.255
static (InterFWInterconnect,Outside) 10.254.224.0 10.254.224.0 netmask 255.255.255.0

Please let me know if you need more config or if you have got any suggestion for me.

massimiliano.se... Tue, 06/10/2008 - 21:18

Hi,

Try with:

static (Operators,management) 10.254.231.0 10.254.231.0 netmask 255.255.255.0


I hope this helps.

Best regards.

Massimiliano.

pannu3679 Tue, 06/10/2008 - 21:47

Thanks for the quick response... I will configure this NAT statement but wanted to know whether it will cause any problem with any other VLAN traffic??? I am a bit cautious, that's the reason I am asking you...

thanks,

pannu3679 Wed, 06/11/2008 - 01:38

Can someone help me out please???

Thanks heaps in advance

massimiliano.se... Wed, 06/11/2008 - 01:52

Hi,

I don't know how your network topology is implemented, but the statement lets your hosts in the operators network be projected onto the management network.


I hope this helps.

Best regards.

Massimiliano.

pannu3679 Wed, 06/11/2008 - 02:19

OK, I will implement it and let you know the output...

Again thanks for your help.

Amadou TOURE Wed, 06/11/2008 - 06:09

Hi,


I think that the static statement (static (Operators,management) 10.254.231.0 10.254.231.0 netmask 255.255.255.0) will keep the operators network untranslated when hosts inside the operators net communicate with the management net.

To allow the management network to communicate with the operators net, add this rule also:

access-list nonat_mngt permit ip 192.168.1.0 255.255.255.0 10.254.231.0 255.255.255.0

nat (management) 0 access-list nonat_mngt

This rule allows bidirectional communication; if you want unidirectional communication, it should change.

The error log message sounds like it's a NAT issue, but if the suggestions don't work, it would be better to send a sanitized configuration of your ASA and a network diagram.

pannu3679 Wed, 06/11/2008 - 17:32

Hi,

Here I have attached a network diagram, but for security reasons I have removed a few tags and IP addresses; you can still see my management workstation and the destination IP address I am trying to ping. Please also find the attached config file, but as usual I removed a few things from it as well...

Let me know if you need more details.

marchanamendon Thu, 06/12/2008 - 01:40

Hi


When you are trying to access any resources from your management interface (whose security level is 90) to your operator interface (whose security level is 100), you need to have two things:


1. Static NAT between the operators and management interfaces.

2. An access-list allowing the appropriate traffic (e.g. icmp, ip, tcp; select whichever you want to allow) from the management network to the operator network, bound to the management interface using the access-group command.



Regards,

Archana.

Amadou TOURE Thu, 06/12/2008 - 06:18

Hi,


Please try the following configuration:


1. You should have a statement authorizing icmp from management to operators in the management_access_in access-list.


2. You can add the following statements also:


static (management,Operators) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-list nonat permit ip 10.254.231.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (Operators) 0 access-list nonat


3. In the default policy-map, add inspect icmp.


Best regards

pannu3679 Thu, 06/12/2008 - 19:40

I will try this and let you know about it soon... So do you also want me to write an access-list on the management interface, is that right? And I will type in your given static NAT statement.

Amadou TOURE Fri, 06/13/2008 - 05:38

Hi,


In fact, I read that you have an access-group applied to your management interface, so in this case I would ensure that returning icmp traffic will be authorized.


Another method is to add inspect icmp in the default policy-map.
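As an added illustration (not code from this thread or from Cisco), the following Python models the pre-8.3 ASA/PIX NAT-control lookup that produces the 305005 "No translation group found" message, using the interface names and addresses posted above. It checks NAT exemption (nat 0 access-list) first, then static, then dynamic nat/global, and shows why the ping from management to Operators has no translation under the original config while the reverse direction does, and how either suggested fix (Massimiliano's identity static or Amadou's nat 0 access-list on management) supplies one. The lookup order, the omission of policy NAT, ports and outside NAT, and the rule-name strings it returns are simplifications of my own.

```python
"""Toy model of the pre-8.3 ASA/PIX NAT-control lookup behind
%ASA-3-305005. Added illustration, not Cisco code: it keeps the order
NAT exemption -> static -> dynamic nat/global and omits policy NAT,
ports and outside NAT. Names and addresses are the ones from the thread."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Static:
    """static (real_if,mapped_if) <mapped> <real> netmask ..."""
    real_if: str
    mapped_if: str
    mapped: IPv4Network
    real: IPv4Network


@dataclass
class NatExempt:
    """nat (real_if) 0 access-list <acl>; permits = (src, dst) pairs of the ACL"""
    real_if: str
    permits: list


@dataclass
class DynamicNat:
    """nat (real_if) <id> <network>"""
    real_if: str
    nat_id: int
    real: IPv4Network


@dataclass
class Global:
    """global (mapped_if) <id> interface"""
    mapped_if: str
    nat_id: int


@dataclass
class AsaNat:
    exempt: list = field(default_factory=list)
    statics: list = field(default_factory=list)
    dynamic: list = field(default_factory=list)
    globals_: list = field(default_factory=list)

    def find_translation(self, src_if, dst_if, src, dst) -> Optional[str]:
        """Return the rule that translates (or exempts) a packet entering
        src_if and leaving dst_if, or None (the ASA logs 305005 and drops)."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        # 1. NAT exemption is checked first and matches on source AND destination.
        for ex in self.exempt:
            if ex.real_if == src_if and any(src in s and dst in d for s, d in ex.permits):
                return f"nat ({src_if}) 0 access-list"
        # 2. Static: real->mapped direction, or a connection to the mapped
        #    address arriving on the mapped interface (statics are bidirectional).
        for st in self.statics:
            if st.real_if == src_if and st.mapped_if == dst_if and src in st.real:
                return f"static ({st.real_if},{st.mapped_if}) outbound"
            if st.mapped_if == src_if and st.real_if == dst_if and dst in st.mapped:
                return f"static ({st.real_if},{st.mapped_if}) inbound"
        # 3. Dynamic NAT needs a nat on the source interface AND a global with
        #    the same id on the destination interface; it only works real->mapped.
        for n in self.dynamic:
            if n.real_if == src_if and src in n.real:
                for g in self.globals_:
                    if g.mapped_if == dst_if and g.nat_id == n.nat_id:
                        return f"nat ({src_if}) {n.nat_id} / global ({dst_if}) {g.nat_id}"
        return None


def thread_config() -> AsaNat:
    """The NAT statements the original poster showed."""
    return AsaNat(
        dynamic=[DynamicNat("Operators", 1, IPv4Network("10.254.231.0/24")),
                 DynamicNat("Operators", 1, IPv4Network("192.168.0.0/24"))],
        globals_=[Global("management", 1)],
        statics=[Static("Operators", "PABX", IPv4Network("10.254.231.180/32"),
                        IPv4Network("10.254.231.180/32"))],
    )


def with_identity_static(cfg: AsaNat) -> AsaNat:
    """static (Operators,management) 10.254.231.0 10.254.231.0 netmask 255.255.255.0"""
    cfg.statics.append(Static("Operators", "management",
                              IPv4Network("10.254.231.0/24"), IPv4Network("10.254.231.0/24")))
    return cfg


def with_nat_exemption(cfg: AsaNat) -> AsaNat:
    """access-list nonat_mngt permit ip 192.168.1.0/24 10.254.231.0/24
    plus nat (management) 0 access-list nonat_mngt"""
    cfg.exempt.append(NatExempt("management",
                                [(IPv4Network("192.168.1.0/24"), IPv4Network("10.254.231.0/24"))]))
    return cfg


if __name__ == "__main__":
    ping = ("management", "Operators", "192.168.1.151", "10.254.231.252")
    print("original  :", thread_config().find_translation(*ping))  # None -> 305005
    print("reverse   :", thread_config().find_translation(
        "Operators", "management", "10.254.231.252", "192.168.1.151"))
    print("static fix:", with_identity_static(thread_config()).find_translation(*ping))
    print("nat 0 fix :", with_nat_exemption(thread_config()).find_translation(*ping))
```

The asymmetry the model exposes is the point: nat (Operators) 1 plus global (management) 1 only creates translations for traffic sourced on Operators, so an echo request entering on management has nothing to match and is dropped before any ACL is consulted. Either fix gives the management-sourced packet a matching rule; which one to prefer depends on whether you want the 10.254.231.0/24 hosts reachable by their real addresses from management (the identity static) or simply want this pair of subnets excluded from NAT altogether (the exemption).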

