no nat-control on ASA

Unanswered Question
Apr 8th, 2009

I had no nat-control on the ASA. What I think is that the ASA will allow traffic to traverse different interfaces as long as the ACL permits it. No NAT needed at all. However, when I tried to ping from outside to inside, the ping failed and I found this debug information on the ASA:

No translation group found for icmp src...

Anyone know why?


omar.elmohri Fri, 04/10/2009 - 04:49


And have you tried to ping from the inside to the outside?

Because in case the ping fails, it is logical not to have any translation.

Another thing: if you ping from inside to outside and it passes without NAT translations, you may be running in transparent mode.



lamav Fri, 04/10/2009 - 05:00


How are you?

The no-nat feature only applies to traffic that is traversing a higher level security interface to a lower one. So in other words, from inside to outside. In those instances, if no NAT statement is configured, the ASA will act as a regular router and forward packets based on the rules of the ACL only.

Just as a side note, I'm not sure this applies to your situation, but if you want to remove or disable the nat-control statement in the PIX/ASA, you need to remove all NAT statements from the security appliance. In general, you need to remove the NAT before you turn off NAT control. You have to reconfigure the NAT statement in PIX/ASA to work as expected.

Does that answer your question?


bradkenn75 Tue, 07/20/2010 - 13:58

Thanks for the quick responses; I don't want to remove all NAT, we are just setting up a site-to-site VPN, and Site2 (remote) is running the terminal ping which is being logged with the error. When we attempt to 'pathping' the Site2's IP, our traffic is getting routed out the public interface (to the internet). We're not thinking that on our end, there is not a proper route statement for Site2, on the other side of the new VPN. And it is attempting to NAT the Site2 traffic to our internal LAN. Not sure though, we just need connectivity from to/from

Nagaraja Thanthry Tue, 07/20/2010 - 14:02


Can you please post the relevant configuration (for VPN) here from both sides? Also an output of "show run nat" would be great.



