In an earlier thread I had opened, I was advised to use the following configuration to NAT traffic from my VPN clients to the inside network.
Here's the config I put in:
nat (dmz) 21 172.16.96.0 255.255.255.0
global (inside) 21 10.45.64.23
The VPN clients have the address range 172.16.96.0 255.255.255.0.
Any thoughts on this?
Sorry it is taking us this long to resolve this. Here is what I'd like done.
1. Use the packet-tracer command (just use the question mark to finish it) and see what it says is the reason for dropping this.
2. Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389
"No translation group" message means there is a problem with the nat line.
"Port map translation creation failed" means there is a problem with the global line.
3. Now you have provided translation from high to low for the source. We need this for high to low (return traffic) as well.
4. Please document the source IP and destination IP for all interfaces. For example:
on the outside the source IP will be 172.16.96.36 ---> 10.44.4.91
on the inside the source IP will be the translated 10.x.x.x address ---> 10.44.4.91
Now for the response traffic from this RDC server listening on port 3389:
Returning from the 10.44.4.91 ----> the source will be 10.44.4.91 and destination will be 10.x.x.x translated address.
Now you need to exempt this in the nat 0 acl that you have applied on the inside interface.
add static (inside,outside) 10.44.4.91 10.44.4.91
I forgot to include the logging entry. Here it is:
Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389
Does this help?
Add the "outside" keyword in your nat statement on the DMZ and see if that fixes it. If not, can you post the ASA config?
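
The following is an added example, not part of the thread or of any Cisco tooling: a small triage script that parses the 305005 message quoted above and checks it against the posted nat/global lines, following the rule of thumb from the reply (nat line versus global line). The function names `parse_305005` and `triage` are hypothetical, the input is the thread's own three lines embedded as constants, and the matching is a plain text correlation, not a model of the ASA's NAT engine.

```python
import ipaddress
import re

# Constructed sample input: the two config lines and the syslog line quoted in the thread.
CONFIG = """\
nat (dmz) 21 172.16.96.0 255.255.255.0
global (inside) 21 10.45.64.23
"""
LOG = ("Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for "
       "tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389")

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ([\d.]+) ([\d.]+)", re.M)
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ([\d.]+)", re.M)
LOG_RE = re.compile(
    r"%ASA-3-305005: No translation group found for (\S+) "
    r"src (\S+?):([\d.]+)/(\d+) dst (\S+?):([\d.]+)/(\d+)")


def parse_305005(line):
    """Return the flow described by a 305005 message, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, s_if, s_ip, s_port, d_if, d_ip, d_port = m.groups()
    return {"proto": proto, "src_if": s_if, "src_ip": s_ip, "src_port": int(s_port),
            "dst_if": d_if, "dst_ip": d_ip, "dst_port": int(d_port)}


def triage(config, line):
    """Report which nat IDs cover the source and which of them have a global on the egress side."""
    flow = parse_305005(line)
    if flow is None:
        return None
    src = ipaddress.ip_address(flow["src_ip"])
    # nat statements on the ingress interface whose network contains the source address
    nat_ids = [nid for ifc, nid, net, mask in NAT_RE.findall(config)
               if ifc == flow["src_if"]
               and src in ipaddress.ip_network(f"{net}/{mask}", strict=False)]
    # global statements on the egress interface, keyed by NAT ID
    globals_on_dst = {nid: addr for ifc, nid, addr in GLOBAL_RE.findall(config)
                      if ifc == flow["dst_if"]}
    paired = [nid for nid in nat_ids if nid in globals_on_dst]
    return {"flow": flow, "nat_ids": nat_ids, "paired_ids": paired,
            "translated_to": [globals_on_dst[n] for n in paired]}


if __name__ == "__main__":
    print(triage(CONFIG, LOG))
```

An empty `nat_ids` list means no posted nat line covers the logged source on its ingress interface; an empty `paired_ids` list means no global with a matching ID exists on the egress interface.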