4549 Views, 5 Helpful, 15 Replies

No Translation Group Found

john.irizarry
Level 1

I am getting the following error from my ASA logs:

No translation group found for udp src inside:10.10.10.4/27351 dst outside:10.10.50.42/1129

outside 10.10.50.42 is the address given by my VPN pool. So I have a user on VPN trying to get his mail from the inside.

Strange thing is the VPN users have access to the inside network and all seems to be working fine.

The error suggests that a packet does not have a matching outbound NAT command rule.

Here are my NAT rules:

access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0
nat (outside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 VPN 255.255.255.0 outside
nat (inside) 0 access-list nonat-in
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat-dmz
nat (dmz) 1 0.0.0.0 0.0.0.0

What NAT would be missing?

Accepted Solution

Collin Clark
VIP Alumni

Do you have one going the other way for nonat-in?

access-list nonat-in extended permit ip VPN 255.255.255.0 LAN 255.255.255.0


15 Replies


Yes. Here is what I have in my config:

access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0

Oops, you mean the other way!!

access-list nonat-in extended permit ip VPN 255.255.255.0 VLAN 255.255.255.0 ??

Here is the entire ACL:

access-list inside_access_in extended permit icmp any interface outside
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-list STI-VPN_splitTunnelAcl standard permit LAN 255.255.255.0
access-list STI-VPN_splitTunnelAcl standard permit DMZ 255.255.255.0
access-list inside_nat0_outbound extended permit ip any LAN 255.255.255.0
access-list nonat-dmz extended permit ip DMZ 255.255.255.0 VPN 255.255.255.0
access-list nonat-dmz extended permit ip DMZ 255.255.255.0 iPhone-VPN 255.255.255.0
access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0
access-list nonat-in extended permit ip any iPhone-VPN 255.255.255.0
access-list outside-acl extended permit tcp any host Mail object-group DM_INLINE_TCP_2
access-list outside-acl extended permit tcp any host WEB object-group Web-Ports
access-list outside-acl extended permit tcp any host SharePoint object-group Web-Ports
access-list outside-acl remark Symantec Endpoint Access and Barracuda Quarantine access
access-list outside-acl extended permit tcp any host 66.159.217.2 object-group DM_INLINE_TCP_3
access-list iPhone_splitTunnelAcl standard permit LAN 255.255.255.0
access-list iPhone_splitTunnelAcl standard permit DMZ 255.255.255.0
ip local pool VPN 10.10.50.20-10.10.50.60 mask 255.255.255.0
ip local pool iPhone-VPN 10.10.60.10-10.10.60.30 mask 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface
global (dmz) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 VPN 255.255.255.0 outside
nat (outside) 1 iPhone-VPN 255.255.255.0 outside
nat (inside) 0 access-list nonat-in
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat-dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail https MAIL-Private https netmask 255.255.255.255
static (dmz,outside) tcp WEB https WEB-Private https netmask 255.255.255.255
static (dmz,outside) tcp WEB www WEB-Private www netmask 255.255.255.255
static (dmz,outside) tcp SharePoint www SharePoint-Private www netmask 255.255.255.255
static (dmz,outside) tcp SharePoint https SharePoint-Private https netmask 255.255.255.255
static (inside,outside) tcp Mail smtp Barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp Mail 993 MAIL-Private 993 netmask 255.255.255.255
static (inside,outside) tcp interface 8443 10.10.10.12 8443 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 Barracuda 8080 netmask 255.255.255.255
static (inside,dmz) LAN LAN netmask 255.255.255.0
access-group outside-acl in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
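As an added example (this is not code from the thread, from Cisco, or from any poster), here is a small Python triage helper for the situation discussed in the accepted answer and in the config post above. It parses the quoted "No translation group found" syslog lines together with the nat 0 / nonat access-lists from the posted config, resolves the ingress interface named in the log to its identity-NAT ACL, and reports for each flow whether an ACE covers it as logged (src to dst) and whether the mirrored entry Collin asks about (dst to src) exists. The thread never shows its name statements, so the LAN, DMZ and MAIL-Private address mappings are assumptions (VPN and iPhone-VPN come from the posted ip local pool lines); the log lines are constructed in the quoted format. It is a lookup helper for reading the logs against the config, not a model of the ASA NAT engine.

```python
import ipaddress
import re

# Constructed mappings standing in for the "name" statements the thread never
# shows: LAN is inferred from the 10.10.10.4 source in the log, VPN and
# iPhone-VPN from the posted "ip local pool" lines; DMZ and MAIL-Private are
# hypothetical placeholders.
NETWORK_NAMES = {
    "LAN": "10.10.10.0",
    "VPN": "10.10.50.0",
    "iPhone-VPN": "10.10.60.0",
    "DMZ": "10.10.20.0",
}
HOST_NAMES = {"MAIL-Private": "10.10.10.5"}

# Identity-NAT (nat 0) configuration as posted in the thread, pre-8.3 syntax.
CONFIG_POSTED = """
access-list nonat-dmz extended permit ip DMZ 255.255.255.0 VPN 255.255.255.0
access-list nonat-dmz extended permit ip DMZ 255.255.255.0 iPhone-VPN 255.255.255.0
access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0
access-list nonat-in extended permit ip any iPhone-VPN 255.255.255.0
nat (inside) 0 access-list nonat-in
nat (dmz) 0 access-list nonat-dmz
"""
# The same config plus the mirrored entries added later in the thread.
CONFIG_FIXED = CONFIG_POSTED + """
access-list nonat-dmz extended permit ip VPN 255.255.255.0 DMZ 255.255.255.0
access-list nonat-in extended permit ip VPN 255.255.255.0 LAN 255.255.255.0
"""

# Constructed syslog lines in the format quoted in the thread.
LOG_LINES = [
    "No translation group found for udp src inside:10.10.10.4/27351 dst outside:10.10.50.42/1129",
    "No translation group found for udp src inside:MAIL-Private/28316 dst outside:10.10.50.43/1428",
    "No translation group found for tcp src inside:10.10.10.4/4000 dst outside:10.10.70.9/25",
]

LOG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[^/]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[^/]+)/(?P<dport>\d+)"
)


def resolve_host(token):
    """Turn a host token (dotted quad or a named host) into an IPv4 address."""
    return ipaddress.ip_address(HOST_NAMES.get(token, token))


def parse_addr_spec(tokens, i):
    """Parse one ACE address spec ('any', 'host X' or 'X mask') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{resolve_host(tokens[i + 1])}/32"), i + 2
    addr = NETWORK_NAMES.get(tokens[i], HOST_NAMES.get(tokens[i], tokens[i]))
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [(src_net, dst_net), ...]}, {ingress_if: acl_name})."""
    acls, nat0 = {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = parse_addr_spec(t, 5)
            dst, _ = parse_addr_spec(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
    return acls, nat0


def check_flow(log_line, config_text):
    """Relate a logged flow to the nat 0 ACL bound to its ingress interface.

    Returns (covered, mirrored): covered is True when an ACE matches the flow
    as logged (src -> dst); mirrored is True when an ACE exists for the
    opposite direction (dst -> src), the entry the accepted answer asks about.
    """
    acls, nat0 = parse_config(config_text)
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a 'No translation group found' line: " + log_line)
    src, dst = resolve_host(m["src"]), resolve_host(m["dst"])
    aces = acls.get(nat0.get(m["sif"]), [])
    covered = any(src in s and dst in d for s, d in aces)
    mirrored = any(src in d and dst in s for s, d in aces)
    return covered, mirrored


if __name__ == "__main__":
    for cfg_name, cfg in (("posted", CONFIG_POSTED), ("fixed", CONFIG_FIXED)):
        for line in LOG_LINES:
            covered, mirrored = check_flow(line, cfg)
            print(f"{cfg_name:6} covered={covered!s:5} mirrored={mirrored!s:5} {line}")
```

Run against the posted config, the first quoted line comes back covered but not mirrored, which is exactly the gap the accepted answer points at; with the later entries added it is both. The third, constructed line (a destination outside every pool) is neither, which is what a genuinely missing nat rule looks like and is worth separating from the mirrored-entry case when reading a burst of these messages.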

You still need to prevent NAT from VPN to INSIDE:

access-list nonat-dmz extended permit ip VPN 255.255.255.0 LAN 255.255.255.0

Thanks! I think I got it. I added the following:

access-list nonat-dmz extended permit ip VPN 255.255.255.0 DMZ 255.255.255.0

access-list nonat-in extended permit ip VPN 255.255.255.0 LAN 255.255.255.0

Have not seen the error in the log since I made the change.

Spoke too soon.

Just got another one, same thing:

"No translation group found for udp src inside:MAIL-Private/28316 dst outside:10.10.50.43/1428"

Clear xlate??

Thanks again!!

Can you throw together a diagram quick? I had a very similar problem and it had to do with redirects and routing (once I fixed the NAT).

Also, was the message above seen when the VPN client initiated the traffic by checking email?

Yes, it was. Here is a drawing.

Thanks!

From a device on the inside can you ping a VPN host and check the log and post if there is something?

You definitely don't need a nonat ACL with the VPN as the source; your existing nonat is fine.

What is the purpose of the "outside" keyword here?

nat (outside) 1 VPN 255.255.255.0 outside

If this is to hairpin traffic back out to the internet you do not need it and I would remove it.

Yes, that was the purpose, but I realized I had already configured my Split_tunnel.

Thanks! That config is going away.

OK, I cannot ping any VPN client address from the inside. I receive the same error:

"No translation group found"

jeromecandiff
Level 1

Any chance your security levels are non-standard? Is nat-control turned on? A show nameif and the corresponding route statements for the LAN and VPN may help.
