12-16-2008 08:52 AM - edited 03-11-2019 07:26 AM
I try to connect on the outside int with SSH, and I have the following message.
No translation group found for tcp src inside:172.16.1.2/2737 dst outside:172.16.0.6/22
12-16-2008 09:09 AM
Pascal
Where are you trying to connect from? If you are trying to connect to the outside interface but from a machine on the inside, I don't think this will work. If you are on the inside, could you not just connect to the inside interface?
Jon
12-16-2008 09:35 AM
I have this schema
host 172.16.1.0/24 > ASA A > Router > ASA B > host 172.16.2.0/24
I want SSH connection from host 172.16.1.0/24 to outside ASA B and SSH connection from host 172.16.2.0/24 to outside ASA A, is it possible?
12-16-2008 09:42 AM
host 172.16.2.x to outside ASA A - yes
host 172.16.1.x to outside ASA B - it would make more sense to have
host 172.16.1.x to inside of ASA B.
Is there some reason you cannot do this ?
Jon
12-16-2008 10:00 AM
Actually
SSH from 172.16.1.x to inside ASA A = OK
SSH from 172.16.1.x to outside ASA B = NOK
No translation group found for tcp src inside:172.16.1.2/2737 dst outside:172.16.0.6/22
I just want hosts from 172.16.1.x to be able to connect to ASA A and B.
12-16-2008 10:59 AM
You have to configure a static and access-list on ASA B if the security level of the ssh host is higher than the interface that you're coming from.
E.g. if you want to access the host which is on the inside (security level 100) and you're coming from the outside (security level 0), you need to configure a static translation and an access-list that specifies what incoming traffic is allowed.
Doesn't matter if it's in the DMZ or inside. You're going from a less secure network to a more secure network, i.e. a static and an access-list.
HTH
PJ Nefkens
12-16-2008 11:15 AM
host 172.16.1.0/24 > (inside) ASA A (outside) > Router > (inside) ASA B (outside)> host 172.16.2.0/24
Can you confirm if the above is correct in terms of where the inside and outside interfaces of each ASA are. If it is correct
"I just want hosts from 172.16.1.x to be able to connect to ASA A and B."
you can.
To ASA A from 172.16.1.x, connect to inside, which is what you are doing, and it is okay.
To ASA B connect to inside not outside and you will be fine. That is assuming the above is correct in terms of where inside/outside are.
If not let me know.
Jon
12-16-2008 10:48 PM
Hi Jon,
Not correct, see below.
host 172.16.1.0/24 > (inside) ASA A (outside) > Router > (outside) ASA B (inside)> host 172.16.2.0/24
SSH Host 172.16.1.0/24 to inside ASA A = OK
SSH 172.16.1.0/24 to outside ASA B = NOK
12-17-2008 02:26 AM
Okay, would have helped if you had told me where the interfaces were :-)
Yes you are right this should work.
So, a couple of things to check:
1) What IP address(es) are you allowing to ssh to ASA B, and is the ASA A firewall natting the source address of 172.16.1.x to something else?
2) Does ASA B have a route back to whatever the source address is, i.e. 172.16.1.x or whatever ASA A has natted it to?
3) Same question as 2 for the router.
Jon
12-17-2008 06:39 AM
Actually, host 172.16.1.x can reach host 172.16.2.x.
Here are all the routes to reach the hosts behind ASA A and B.
ASA A
route outside 172.16.2.0 255.255.255.0 10.52.72.135
route outside 172.16.0.4 255.255.255.252 10.52.72.135
ssh 172.16.2.0 255.255.255.0 outside
ssh 172.16.1.0 255.255.255.0 inside
ASA B
route outside 172.16.1.0 255.255.255.0 172.16.0.5
route outside 10.52.72.128 255.255.255.192 172.16.0.5
ssh 172.16.2.0 255.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 outside
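As an added example (not from the thread, and not Cisco code): a small Python triage helper that parses the "No translation group found" message quoted above and checks the source address against the ASA B "ssh <net> <mask> <iface>" lines posted here. It shows that the ssh allow-list on ASA B already admits 172.16.1.0/24 on outside, so what remains from Jon's checklist is the NAT rule on the ASA that logged the message (the one whose inside/outside interface names appear in the line). It assumes the message text is exactly in the form shown in the thread.

```python
import ipaddress
import re

# Constructed samples: the syslog text quoted in the thread and the two
# "ssh <net> <mask> <iface>" lines posted for ASA B.
LOG_LINE = ("No translation group found for tcp src inside:172.16.1.2/2737 "
            "dst outside:172.16.0.6/22")
ASA_B_SSH_LINES = ["ssh 172.16.2.0 255.255.255.0 inside",
                   "ssh 172.16.1.0 255.255.255.0 outside"]

NO_XLATE_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")

def parse_no_xlate(line):
    # Return the flow fields of a "No translation group found" message, or None.
    m = NO_XLATE_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["src_port"], flow["dst_port"] = int(flow["src_port"]), int(flow["dst_port"])
    return flow

def parse_ssh_allow(config_lines):
    # Turn "ssh <net> <mask> <iface>" lines into (network, interface) pairs.
    allow = []
    for line in config_lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ssh":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            allow.append((net, parts[3]))
    return allow

def ssh_permitted(src_ip, iface, allow):
    # True if src_ip may open SSH on iface according to the ssh lines.
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net and i == iface for net, i in allow)

def triage(line, ssh_allow):
    # The message means no NAT rule matched the src->dst interface pair on the
    # ASA that logged it; also report whether the target's ssh list admits the source.
    flow = parse_no_xlate(line)
    if flow is None:
        return None
    return {"flow": f"{flow['src_if']}:{flow['src_ip']} -> {flow['dst_if']}:{flow['dst_ip']}/{flow['dst_port']}",
            "nat_rule_missing": True,
            "is_ssh": flow["dst_port"] == 22,
            "ssh_allowed_on_target": ssh_permitted(flow["src_ip"], flow["dst_if"], ssh_allow)}
```

Feed it the lines from your own logging host instead of LOG_LINE to get the same breakdown for other flows.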