Nat on ASA not working

Answered Question
Nov 24th, 2009

Hi,

In an earlier thread I had opened I was advised to use the following configuration to nat traffic from my vpn clients to the inside network.

Here's the config I put in:

nat (dmz) 21 172.16.96.0 255.255.255.0

global (inside) 21 10.45.64.23

The vpn clients have the address range 172.16.96.0 255.255.255.0

Any thoughts on this?

Thanks

Dan


Jon Marshall Tue, 11/24/2009 - 04:09

dan_track wrote:

Hi,

In an earlier thread I had opened I was advised to use the following configuration to nat traffic from my vpn clients to the inside network.

Here's the config I put in:

nat (dmz) 21 172.16.96.0 255.255.255.0

global (inside) 21 10.45.64.23

The vpn clients have the address range 172.16.96.0 255.255.255.0

Any thoughts on this?

Thanks

Dan

Dan

Are the VPN clients on the dmz interface ?

Either way, whether they are on the dmz or outside interface you need the "outside" keyword in your NAT statement, i.e.

nat (dmz) 172.16.96.0 255.255.255.0 outside

or

nat (outside) 172.16.96.0 255.255.255.0 outside

choose the relevant nat from above depending on which interface your VPN clients come in on.

Jon

dan_track Tue, 11/24/2009 - 04:12

Hi Jon,

I forgot to include the logging entry, here it is:

Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389

Does this help?

Thanks again

Dan

Correct Answer
Jon Marshall Tue, 11/24/2009 - 04:14

dan_track wrote:

Hi Jon,

I forgot to include the logging entry, here it is:

Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389

Does this help?

Thanks again

Dan

Dan

Add the "outside" keyword in your nat statement on the DMZ and see if that fixes it. If not can you post ASA config ?

Jon

dan_track Tue, 11/24/2009 - 04:42

Sadly,

That didn't work, I still get the following:

Nov 24 2009 12:26:18: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/34088 dst inside:10.44.4.91/3389

interface GigabitEthernet0/1
description Inside Interface
nameif inside
security-level 100
ip address 10.45.81.252 255.255.255.0 standby 10.45.81.251

interface GigabitEthernet0/2
description DMZ
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.96
description DMZ
vlan 96
nameif dmz
security-level 60
ip address 10.45.96.1 255.255.255.0 standby 10.45.96.2

global (inside) 21 10.45.64.23

nat (inside) 0 access-list no-nat

nat (dmz) 21 172.16.96.0 255.255.255.0 outside

Any thoughts?

Thanks

Dan

dan_track Tue, 11/24/2009 - 06:01

Hi,

Here's the no-nat list

access-list no-nat extended permit ip host 10.240.45.1 host 10.240.9.1
access-list no-nat extended permit ip host 10.240.45.1 host 10.240.44.1
access-list no-nat extended permit ip host 10.45.81.253 host 10.49.2.253
access-list no-nat extended permit ip host 10.45.81.253 host 10.34.2.253
access-list no-nat extended permit ip 10.0.0.0 255.0.0.0 10.45.96.0 255.255.255.0
access-list no-nat extended permit ip 10.45.64.0 255.255.255.0 10.34.2.0 255.255.255.0

Thanks

Dan

Vikram_Anumukonda_2 Tue, 11/24/2009 - 08:52

I don't think this would be possible unless you get rid of

global (inside) 21 10.45.64.23
nat (dmz) 21 172.16.96.0 255.255.255.0 outside

and add

access-list no-nat extended permit ip 10.45.64.0 255.255.255.0 172.16.96.0 255.255.255.0

-Vikram

dan_track Tue, 11/24/2009 - 09:31

Hi,

Thanks, but I really don't want to do that, there must be some way to nat it. Any thoughts please?

Thanks

Dan

grant.maynard Tue, 11/24/2009 - 09:58

Could this be because the IP in the global statement is not on the same subnet as the Inside interface? Does it work if you change it to "global (inside) 21 interface"?

dan_track Tue, 11/24/2009 - 10:39

Hi Grant,

thanks for the info. No that didn't work either:

global (inside) 21 interface

nat (dmz) 21 172.16.96.0 255.255.255.0 outside

I still get the same translation error.

Any further thoughts?

Thanks again

Dan

dan_track Wed, 11/25/2009 - 02:09

Hi,

Thanks for the info, the summary of which is the following:

When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface, because to perform NAT from outside to inside, you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.

According to my thinking isn't this what I've done? Is there another problem here or am I missing something?

Thanks

Dan

Correct Answer
Kureli Sankar Wed, 11/25/2009 - 04:32

Sorry it is taking us this long to resolve this. Here is what I'd like done.

1. Use the packet-tracer command (just do a question mark and finish it) and see what it gives as the reason for dropping this.

2. Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389

No translation group message means - there is a problem with the nat line

port map translation creation failed means - there is a problem with the global line.

3. Now you have provided translation from high to low for the source. We need this for high to low (return traffic) as well.

4. Pls. document the source IP and destination IP for all interfaces. For example

on the outside the source IP will be 172.16.96.36 ---> 10.44.4.91

on the inside the source IP will be the translated 10.x.x.x address --->10.44.4.91

Now for the response traffic from this RDC server listening on port 3389:

Returning from the 10.44.4.91 ----> the source will be 10.44.4.91 and destination will be 10.x.x.x translated address.

Now you need to exempt this in the nat 0 acl that you have applied on the inside interface.

or

add static (inside,outside) 10.44.4.91 10.44.4.91

dan_track Wed, 11/25/2009 - 06:31

Fantastic!

Thank you very very much. You solved my problem. The issue was definitely with the static command. As soon as I added it I got access. Can you please point me to documentation on nat/static/global that's easy to understand.

Many thanks

Dan

Kureli Sankar Wed, 11/25/2009 - 08:30

Glad to hear that. Our config guide may be overwhelming if you don't do this on a daily basis. We say we eat, sleep and drink this stuff and still we get stuck on many occasions.

If you can get these 3 rules down you can become a master.

RTP

1. Route

2. Translation

3. Permission

Write down what the source IP and destination IP will be, with respect to each interface, and see if RTP is there for the flow, for both request and response. That is all. This is exactly what I did this morning before I posted my suggestion. There was translation missing for the response from the RDC server to get back to the client. Once you added that it resolved the issue.

This CCO doc may not be as intense as the config guide. Pls. refer to this one:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml
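As an added example (not from the thread and not Cisco's code), here is a small Python triage script that applies the two rules of thumb given above to ASA translation-failure syslog lines: it parses the source/destination interface, address and port out of each message, maps "No translation group found" to the nat line and "port map translation creation failed" to the global line, and uses the security levels from Dan's config (inside 100, dmz 60; an outside level of 0 is assumed) to flag whether a flow is low-to-high and therefore needs the "outside" keyword on the nat line, as Jon pointed out. The sample input is the two %ASA-3-305005 lines quoted in the thread plus one constructed %ASA-3-305006 line; that message ID and its text come from the ASA syslog message format, not from this thread.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Interface security levels from the ASA config Dan posted in the thread.
# "outside" at level 0 is an assumption (the usual default); it is not in the thread.
SECURITY_LEVEL = {"inside": 100, "dmz": 60, "outside": 0}

# Kureli's rule of thumb, keyed by message text with spaces stripped so that
# "port map" (as written in the thread) and "portmap" (as logged) both match.
TRIAGE = {
    "notranslationgroupfound": "nat line",
    "portmaptranslationcreationfailed": "global line",
}

# Shape of the 3050xx translation-failure messages: "<text> for <proto> src ifc:ip/port dst ifc:ip/port"
LOG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.+?) for (?P<proto>\w+) "
    r"src (?P<sifc>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<difc>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def parse_xlate_failure(line):
    """Return the fields of a translation-failure message as a dict, or None if the line is something else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def component_to_check(ev):
    """Which NAT component the message text points at: the nat line or the global line."""
    key = ev["text"].lower().replace(" ", "")
    for needle, component in TRIAGE.items():
        if needle in key:
            return component
    return "unknown"


def direction_hint(ev):
    """Low-to-high flows need 'outside' on the nat line; high-to-low flows need
    a nat/global pair, a static, or a nat 0 exemption."""
    s, d = SECURITY_LEVEL.get(ev["sifc"]), SECURITY_LEVEL.get(ev["difc"])
    if s is None or d is None:
        return "unknown interface"
    if s < d:
        return f"low-to-high ({ev['sifc']}->{ev['difc']}): nat ({ev['sifc']}) rule needs the 'outside' keyword"
    return f"high-to-low ({ev['sifc']}->{ev['difc']}): needs nat/global pair, static, or nat 0 exemption"


def summarize(lines, prefix_len=24):
    """Count failures per (src ifc, dst ifc, src /prefix, dst ip, dst port, component to check)."""
    counts = Counter()
    for line in lines:
        ev = parse_xlate_failure(line)
        if ev is None:
            continue
        src_net = str(ip_network(f"{ev['sip']}/{prefix_len}", strict=False))
        counts[(ev["sifc"], ev["difc"], src_net, ev["dip"], ev["dport"], component_to_check(ev))] += 1
    return counts


# Constructed sample input: the two 305005 lines quoted in the thread, one constructed
# 305006 line (ID and text per the ASA syslog message format), and one unrelated line.
SAMPLE_LOG = [
    "Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389",
    "Nov 24 2009 12:26:18: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/34088 dst inside:10.44.4.91/3389",
    "Nov 24 2009 12:30:00: %ASA-3-305006: portmap translation creation failed for tcp src dmz:172.16.96.40/40001 dst inside:10.44.4.91/3389",
    "Nov 24 2009 12:31:00: %ASA-6-302013: Built inbound TCP connection (unrelated line, skipped)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        sifc, difc, net, dip, dport, comp = key
        print(f"{n:3d}x {sifc}:{net} -> {difc}:{dip}/{dport}  check: {comp}")
    for line in SAMPLE_LOG:
        ev = parse_xlate_failure(line)
        if ev:
            print(direction_hint(ev))
```

Run against a real syslog export, the summary collapses thousands of repeats into one row per (source network, destination, port, component), which is the list of flows to write down for the RTP check; the direction hint only says which kind of rule to look for, the packet-tracer output still decides which one is actually missing.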
