10-13-2009 10:56 AM - edited 03-11-2019 09:25 AM
I am getting the following error from my ASA logs:
No translation group found for udp src inside:10.10.10.4/27351 dst outside:10.10.50.42/1129
outside 10.10.50.42 is the address given by my VPN pool. So I have a user on VPN trying to get his mail from the inside.
Strange thing is the VPN users have access to the inside network and all seems to be working fine.
The error suggests that a packet does not have a matching outbound NAT command rule.
Here are my NAT rules:
access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0
nat (outside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 VPN 255.255.255.0 outside
nat (inside) 0 access-list nonat-in
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat-dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
What NAT would be missing?
10-13-2009 11:44 AM
Do you have one going the other way for nonat-in?
access-list nonat-in extended permit ip VPN 255.255.255.0 LAN 255.255.255.0
10-13-2009 11:47 AM
Yes. Here is what I have in my config:
access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0
10-13-2009 11:48 AM
Oops, you mean the other way!!
access-list nonat-in extended permit ip VPN 255.255.255.0 VLAN 255.255.255.0 ??
10-13-2009 11:51 AM
Here is the entire ACL
access-list inside_access_in extended permit icmp any interface outside
access-list inside_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-list STI-VPN_splitTunnelAcl standard permit LAN 255.255.255.0
access-list STI-VPN_splitTunnelAcl standard permit DMZ 255.255.255.0
access-list inside_nat0_outbound extended permit ip any LAN 255.255.255.0
access-list nonat-dmz extended permit ip DMZ 255.255.255.0 VPN 255.255.255.0
access-list nonat-dmz extended permit ip DMZ 255.255.255.0 iPhone-VPN 255.255.255.0
access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0
access-list nonat-in extended permit ip any iPhone-VPN 255.255.255.0
access-list outside-acl extended permit tcp any host Mail object-group DM_INLINE_TCP_2
access-list outside-acl extended permit tcp any host WEB object-group Web-Ports
access-list outside-acl extended permit tcp any host SharePoint object-group Web-Ports
access-list outside-acl remark Symantec Endpoint Access and Barracuda Quarantine access
access-list outside-acl extended permit tcp any host 66.159.217.2 object-group DM_INLINE_TCP_3
access-list iPhone_splitTunnelAcl standard permit LAN 255.255.255.0
access-list iPhone_splitTunnelAcl standard permit DMZ 255.255.255.0
ip local pool VPN 10.10.50.20-10.10.50.60 mask 255.255.255.0
ip local pool iPhone-VPN 10.10.60.10-10.10.60.30 mask 255.255.255.0
global (outside) 1 interface
global (inside) 1 interface
global (dmz) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 VPN 255.255.255.0 outside
nat (outside) 1 iPhone-VPN 255.255.255.0 outside
nat (inside) 0 access-list nonat-in
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat-dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail https MAIL-Private https netmask 255.255.255.255
static (dmz,outside) tcp WEB https WEB-Private https netmask 255.255.255.255
static (dmz,outside) tcp WEB www WEB-Private www netmask 255.255.255.255
static (dmz,outside) tcp SharePoint www SharePoint-Private www netmask 255.255.255.255
static (dmz,outside) tcp SharePoint https SharePoint-Private https netmask 255.255.255.255
static (inside,outside) tcp Mail smtp Barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp Mail 993 MAIL-Private 993 netmask 255.255.255.255
static (inside,outside) tcp interface 8443 10.10.10.12 8443 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 Barracuda 8080 netmask 255.255.255.255
static (inside,dmz) LAN LAN netmask 255.255.255.0
access-group outside-acl in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
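As an added example (not from the thread or from Cisco), a small Python check that parses the ASA "No translation group found" line and tests whether the src/dst pair is covered by a nat 0 ACE on the packet's source interface, using the nonat-in and nonat-dmz entries posted above. The LAN and DMZ subnets and the "any"/"0.0.0.0" handling are assumptions; only the VPN pool subnets are given in the config.

```python
import ipaddress
import re

# Constructed object map. The thread only shows the VPN pool subnets
# (from the "ip local pool" lines); LAN and DMZ values are assumptions.
OBJECTS = {
    "LAN": "10.10.10.0",
    "VPN": "10.10.50.0",
    "iPhone-VPN": "10.10.60.0",
    "DMZ": "10.10.20.0",   # assumption, not given in the thread
    "any": "0.0.0.0",
}

# nat 0 ACLs as posted, keyed by the interface whose nat 0 line binds them.
NAT0 = {
    "inside": [("LAN", "255.255.255.0", "VPN", "255.255.255.0"),
               ("any", "0.0.0.0", "iPhone-VPN", "255.255.255.0")],
    "dmz":    [("DMZ", "255.255.255.0", "VPN", "255.255.255.0"),
               ("DMZ", "255.255.255.0", "iPhone-VPN", "255.255.255.0")],
}

# Matches the body of the %ASA-3-305005 syslog message quoted in the thread.
LOG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[^/\s]+)/(?P<dport>\d+)"
)

def to_net(name, mask):
    """ACL 'name mask' pair -> ip_network; names are looked up in OBJECTS."""
    return ipaddress.ip_network(f"{OBJECTS.get(name, name)}/{mask}", strict=False)

def check_exemption(line):
    """'exempt' if the flow is covered by a nat 0 ACE on its source interface,
    'not-exempt' if no ACE matches, 'unknown' if the line does not parse or a
    host object (e.g. MAIL-Private) is not in the object map."""
    m = LOG_RE.search(line)
    if not m:
        return "unknown"
    try:
        src = ipaddress.ip_address(OBJECTS.get(m["src"], m["src"]))
        dst = ipaddress.ip_address(OBJECTS.get(m["dst"], m["dst"]))
    except ValueError:
        return "unknown"
    for s, sm, d, dm in NAT0.get(m["sif"], []):
        if src in to_net(s, sm) and dst in to_net(d, dm):
            return "exempt"
    return "not-exempt"

if __name__ == "__main__":
    print(check_exemption("No translation group found for udp "
                          "src inside:10.10.10.4/27351 dst outside:10.10.50.42/1129"))
```

An "exempt" verdict for the logged flow means the nat 0 ACL already covers it, so the next things to look at are the ones the later replies raise (nat-control, routing, interface security levels) rather than another ACE.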
10-13-2009 12:30 PM
You still need to prevent NAT from VPN to INSIDE:
access-list nonat-dmz extended permit ip VPN 255.255.255.0 LAN 255.255.255.0
10-13-2009 12:36 PM
Thanks! I think I got it. I added the following:
access-list nonat-dmz extended permit ip VPN 255.255.255.0 DMZ 255.255.255.0
access-list nonat-in extended permit ip VPN 255.255.255.0 LAN 255.255.255.0
Have not seen the error in the log since I made the change.
*****Spoke too soon*****
Just got another one same thing:
"No translation group found for udp src inside:MAIL-Private/28316 dst outside:10.10.50.43/1428"
Clear xlate??
Thanks again!!
10-13-2009 12:56 PM
Can you throw together a diagram quick? I had a very similar problem and it had to do with redirects and routing (once I fixed the NAT).
10-13-2009 01:01 PM
Also, was the message above seen when the VPN client initiated the traffic by checking email?
10-13-2009 01:21 PM
10-14-2009 05:42 AM
From a device on the inside can you ping a VPN host and check the log and post if there is something?
10-14-2009 06:45 AM
You definitely don't need a nonat acl with the vpn as the source, your existing nonat is fine.
What is the purpose of the "outside" keyword here?
nat (outside) 1 VPN 255.255.255.0 outside
If this is to hairpin traffic back out to the internet you do not need it and I would remove it.
10-14-2009 10:44 AM
Yes, that was the purpose, but I realized I had already configured my Split_tunnel.
Thanks! That config is going away.
10-14-2009 10:43 AM
Ok, I cannot ping a VPN client address from the inside. I receive the same error:
"No translation group found"
10-14-2009 09:17 AM
Any chance your security levels are non-standard? Is nat-control turned on? A show nameif and the corresponding route statements for the LAN and VPN may help.