Translation group asa 5505

Aug 5th, 2008

Hi all,

When I try to access my dns on the 192.168.1.0/24 network from my ftp server on the 192.168.200.0/24 network, I get No translation group found for udp src dmz:192.168.200.2/23423 dst inside:192.168.1.4/53


I guess I need some additional NAT in place?


My config:


interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address * 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list http_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit icmp 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0 inactive
access-list dmz_access_in remark Specify what kind of traffic should be allowed to travel to the inside network
access-list dmz_access_in extended permit tcp host 192.168.200.2 192.168.1.0 255.255.255.0 eq www inactive
access-list dmz_access_in extended permit ip 192.168.200.0 255.255.255.0 any
access-list dmz_access_in remark For name resolution to inside name server 192.168.1.4
access-list dmz_access_in extended permit object-group TCPUDP 192.168.200.0 255.255.255.0 host 192.168.1.4 eq domain
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list ftp_access_in extended permit tcp any any eq ftp
access-list 8080_access_in remark Specify what kind of traffic should be allowed in. Don't forget the NAT
access-list 8080_access_in extended permit tcp any any eq www
access-list 8080_access_in remark This rule permits anyone to ping the outside interface 79.136.112.50
access-list 8080_access_in extended permit icmp any any
access-list 8080_access_in extended permit tcp any any eq ssh
access-list 8080_access_in remark This rule permits anyone to access our ftp server
access-list 8080_access_in extended permit tcp any any eq ftp
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_access_in extended permit udp 192.168.200.0 255.255.255.0 any eq domain
access-list inside_access_in remark This rule allows traffic to flow from bahnhof to vasagatan
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface ftp 192.168.200.2 ftp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 8080_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1


dhananjoy chowdhury Tue, 08/05/2008 - 01:08

Use this command "no nat-control".


To pass traffic from a lower security interface (DMZ) to a higher one (Inside), use an ACL to permit the traffic.

dhananjoy chowdhury Tue, 08/05/2008 - 02:59

Just type in no nat-control in config mode.


myPIX(config)# no nat-control

acomiskey Tue, 08/05/2008 - 04:36

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
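The replies above give the diagnosis (with nat-control on, even dmz-to-inside traffic needs a translation) and two fixes. The following Python model of the pre-8.3 nat-control lookup is an added example, not Cisco code and not from anyone in this thread; it assumes nat-control is enabled (as the logged message implies), models only static, nat/global and "no nat-control", and ignores nat 0 exemptions, policy NAT and port statics.

```python
import ipaddress

SEC_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}  # security-levels from the posted config

def parse_nat(config):
    """Collect the pre-8.3 NAT statements this model understands (nat 0 and policy NAT are ignored)."""
    cfg = {"nat_control": True, "static": [], "nat": [], "global": set()}
    for t in (l.split() for l in config if l.strip()):
        if t[:2] == ["no", "nat-control"]:
            cfg["nat_control"] = False
        elif t[0] == "static" and t[2] not in ("tcp", "udp"):
            # static (real_if,mapped_if) mapped_net real_net netmask mask  (port statics skipped)
            real_if, mapped_if = t[1].strip("()").split(",")
            mapped, real = (ipaddress.ip_network(f"{a}/{t[5]}", strict=False) for a in (t[2], t[3]))
            cfg["static"].append((real_if, mapped_if, real, mapped))
        elif t[0] == "nat" and t[2] != "0":  # nat (if) pool-id local_net mask
            cfg["nat"].append((t[1].strip("()"), t[2], ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":  # global (if) pool-id ...
            cfg["global"].add((t[1].strip("()"), t[2]))
    return cfg

def lookup(cfg, ingress, src, egress, dst):
    """Translation the ASA would apply, or None when it logs 'No translation group found'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if SEC_LEVEL[ingress] > SEC_LEVEL[egress]:
        # higher -> lower: the *source* needs a static or a nat/global pair for these two interfaces
        for real_if, mapped_if, real, mapped in cfg["static"]:
            if (real_if, mapped_if) == (ingress, egress) and src in real:
                return f"static: src {src} -> {mapped[int(src) - int(real.network_address)]}"
        for nat_if, pool, local in cfg["nat"]:
            if nat_if == ingress and src in local and (egress, pool) in cfg["global"]:
                return f"nat/global {pool}: src {src} -> PAT on {egress}"
    else:
        # lower -> higher: the *destination* needs a static (egress,ingress) that covers it
        for real_if, mapped_if, real, mapped in cfg["static"]:
            if (real_if, mapped_if) == (egress, ingress) and dst in mapped:
                return f"static: dst {dst} -> {real[int(dst) - int(mapped.network_address)]}"
    return None if cfg["nat_control"] else "no nat-control: forwarded untranslated"

# NAT lines from the question, then each reply's fix appended (constructed inputs for the demo)
POSTED = ["global (outside) 1 interface", "nat (inside) 1 0.0.0.0 0.0.0.0", "nat (dmz) 1 0.0.0.0 0.0.0.0",
          "static (dmz,outside) tcp interface ftp 192.168.200.2 ftp netmask 255.255.255.255"]
FIX_STATIC = POSTED + ["static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0"]
FIX_NO_NATCTL = POSTED + ["no nat-control"]

def dmz_to_dns(config):  # the flow from the logged message: dmz ftp server -> inside DNS server
    return lookup(parse_nat(config), "dmz", "192.168.200.2", "inside", "192.168.1.4")

if __name__ == "__main__":  # posted config -> None (the error); each fix -> a translation
    print({n: dmz_to_dns(c) for n, c in [("posted", POSTED), ("static", FIX_STATIC), ("no nat-control", FIX_NO_NATCTL)]})
```

The same posted lines do translate dmz-to-outside (nat 1 on dmz has a matching global on outside), which is why only the dmz-to-inside flow fails.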
