cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
732
Views
0
Helpful
9
Replies

No translation group found

p.maillot
Level 1
Level 1

I try to connect on outside int with SSH, I have following message.

No translation group found for tcp src inside:172.16.1.2/2737 dst outside:172.16.0.6/22

9 Replies 9

Jon Marshall
Hall of Fame
Hall of Fame

Pascal

Where are you trying to connect from. If you are trying to connect to the outside interface but from a machine on the inside i don't think this will work. If you are on the inside could you not just connect to the inside interface ?

Jon

I have this schema

host 172.16.1.0/24 > ASA A > Router > ASA B > host 172.16.2.0/24

I want SSH connection from host 172.16.1.0/24 to outside ASA B and SSH connection from host 172.16.2.0/24 to outside ASA A, it's possible?

host 172.16.2.x to outside ASA A - yes

host 172.16.1.x to outside ASA B - it would make more sense to have

host 172.16.1.x to inside of ASA B.

Is there some reason you cannot do this ?

Jon

Actually

SSH from 172.16.1.x to inside ASA A = OK

SSH from 172.16.1.x to outside ASA B = NOK

No translation group found for tcp src inside:172.16.1.2/2737 dst outside:172.16.0.6/22

I just want that host from 172.16.1.x can connect on ASA A and B

You have to configure a static and access-list on ASA B if the security level of the ssh host is higher than the interface that you're coming from.

E.g. if you want to access the host which is on the inside (security level 100) and you're coming from the outside (security level 0), you need to configure a static translation and an access-list that specifies what incoming traffic is allowed.

See: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

Doesn't matter if it's in the DMZ or inside. You're going from a less secure network to a more secure network, e.g.: static and access-list.

HTH

PJ Nefkens

host 172.16.1.0/24 > (inside) ASA A (outside) > Router > (inside) ASA B (outside)> host 172.16.2.0/24

Cna you confirm if the above is correct in terms of where the inside and outside interfaces of each ASA are. If it is correct

"I just want that host from 172.16.1.x can connect on ASA A and B"

you can.

To ASA A from 172.16.1.x connect to inside which is what you are doing and it is okay

To ASA B connect to inside not outside and you will be fine. That is assuming the above is correct in terms of where inside/outside are.

If not let me know.

Jon

Hi Jon,

Not correct,see under.

host 172.16.1.0/24 > (inside) ASA A (outside) > Router > (outside) ASA B (inside)> host 172.16.2.0/24

SSH Host 172.16.1.0/24 to inside ASA A = OK

SSH 172.16.1.0/24 to outside ASA B = NOK

Okay, would have helped if you had told me where the interfaces were :-)

Yes you are right this should work.

So, couple of things to check

1) what IP address(es) are you allowing to ssh to ASA B and is the ASA A firewall natting the source address of 172.161.x to something else.

2) Does the ASA B have a route back to whatever the source address is ie. 172.16.1.x or whatever ASA A has natted it to

3) Same question a 2 for the router.

Jon

Actually host 172.16.1.x can join the host 172.16.2.x

From there are all route to join the host behind ASA A and B

ASA A

route outside 172.16.2.0 255.255.255.0 10.52.72.135

route outside 172.16.0.4 255.255.255.252 10.52.72.135

ssh 172.16.2.0 255.255.255.0 outside

ssh 172.16.1.0 255.255.255.0 inside

ASA B

route outside 172.16.1.0 255.255.255.0 172.16.0.5

route outside 10.52.72.128 255.255.255.192 172.16.0.5

ssh 172.16.2.0 255.255.255.0 inside

ssh 172.16.1.0 255.255.255.0 outside

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: