PING is getting dropped on ASA firewall.

Jun 10th, 2008


I'm getting the following error message while trying to ping from a management workstation to one of my CISCO PIX interfaces. But in between the 2 devices I have got a CISCO ASA which is dropping the traffic, and I can see the following error message in syslog.

I am pinging from to

%ASA-3-305005: No translation group found for icmp src management: dst Operators: (type 8, code 0)

Here is my half config:


interface GigabitEthernet0/2.60
 nameif Operators
 security-level 100
 ip address

interface Management0/0
 nameif management
 security-level 90
 ip address

global (management) 1 interface
nat (Operators) 1
nat (Operators) 1

I don't have any static NAT config on the firewall for these VLANs, but if you want to see the other rules, they are as follows:

static (Operators,PABX) netmask

static (InterFWInterconnect,Outside) netmask

Please let me know if you need more config or if you have got any suggestion for me.

Tue, 06/10/2008 - 21:18


Try with:

static(operators,management) netmask

I hope this helps.

Best regards.


pannu3679 Tue, 06/10/2008 - 21:47

Thanks for the quick response... I will configure this NAT statement, but I wanted to know whether it will cause any problem with any other VLAN traffic? I am a bit cautious, that's the reason I am asking you...


pannu3679 Wed, 06/11/2008 - 01:38

Can someone help me out, please?

Thanks heaps in advance

Wed, 06/11/2008 - 01:52


I don't know how your network topology is implemented, but the instruction lets your hosts in the operators network be projected onto the management network.

I hope this helps.

Best regards.


pannu3679 Wed, 06/11/2008 - 02:19

OK, I will implement it and let you know the output...

Again thanks for your help.

Amadou TOURE Wed, 06/11/2008 - 06:09


I think that the static statement (static(operators,management) netmask) will keep the operators network untranslated when hosts inside the operators net communicate with the management net.

To allow the management network to communicate with the operators net, add this rule also:

access-list nonat_mngt permit ip

nat(management) 0 access-list nonat_mngt

This rule allows bidirectional communication; if you want unidirectional communication, it should be changed.

The error log message sounds like it's a NAT issue, but if the suggestions don't work, it would be better to send a sanitized configuration of your ASA and a network diagram.

pannu3679 Wed, 06/11/2008 - 17:32


Here I have attached the NW diagram, but for security reasons I have removed a few tags and IP addresses; you can still see my management workstation and the destination IP address that I am trying to ping. Please also find the attached config file, but as usual I have removed a few things from it as well...

Let me know if you need more details:

marchanamendon Thu, 06/12/2008 - 01:40


When you are trying to access any resources from your management interface (whose security level is 90) to your operator interface (whose security level is 100), you need to have two things:

1. Static NAT between the operators and management interfaces.

2. An access-list allowing the appropriate traffic (e.g. icmp, ip, whichever you want to allow) from the management network to the operator network, bound to the management interface using the access-group command.



Amadou TOURE Thu, 06/12/2008 - 06:18


Please try the following configuration :

1. You should have a statement authorizing icmp from management to operators in the management_access_in access-list

2. You can add the following statements also:

static (management,operators) netmask

access-list nonat

nat (inside) 0 access-list nonat

3. in the default policy-map

add inspect icmp

Best regards

pannu3679 Thu, 06/12/2008 - 19:40

I will try this and let you know about it soon... So do you also want me to write an access-list on the management interface, is that right? And I will type in your given static NAT statement.

Amadou TOURE Fri, 06/13/2008 - 05:38


In fact, I read that you have an access-group applied to your management interface, so in this case I would ensure that returning icmp traffic will be authorized.

Another method is to add an inspect icmp in the default policy-map.
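
The three pieces suggested across this thread, put together as an added example (not taken from the poster's configuration or from any reply): identity static NAT, a narrow ICMP permit on the management interface, and ICMP inspection. The subnets 192.0.2.0/24 (Operators) and 198.51.100.0/24 (management) and the two host addresses are placeholder documentation ranges, because the thread's real addresses were removed; the syntax is the pre-8.3 style used in the thread.

```cisco
! Pre-8.3 ASA NAT syntax, as used in this thread.
! Placeholder addressing (assumed, not from the original config):
!   Operators  network: 192.0.2.0/24     security-level 100
!   management network: 198.51.100.0/24  security-level 90

! 1. Identity static: Operators hosts are reachable from the management
!    side on their real addresses, so a translation exists for traffic
!    initiated from the lower-security interface (addresses %ASA-3-305005).
static (Operators,management) 192.0.2.0 192.0.2.0 netmask 255.255.255.0

! 2. Lower-to-higher traffic also needs an explicit permit. Allow only
!    echo requests from the management subnet instead of "permit ip any".
access-list management_access_in extended permit icmp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 echo
! If management_access_in is already bound to the interface, the line
! above is enough and the access-group command below changes nothing.
access-group management_access_in in interface management

! 3. Track ICMP statefully so echo replies are matched to the request
!    that caused them rather than needing their own permit.
policy-map global_policy
 class inspection_default
  inspect icmp

! Verification (exec mode): confirm the xlate, the ACL hit count, and
! which phase drops or allows a simulated echo request (type 8, code 0).
show xlate
show access-list management_access_in
packet-tracer input management icmp 198.51.100.10 8 0 192.0.2.10
```

The static affects only traffic between the Operators and management interfaces; the existing `nat (Operators) 1` / `global (management) 1 interface` pair and the statics toward other interfaces are not touched by it.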

