11-24-2009 04:03 AM - edited 03-11-2019 09:42 AM
Hi,
In an earlier thread I had opened I was advised to use the following configuration to nat traffic from my vpn clients to the inside network.
Here's the config I put in:
nat (dmz) 21 172.16.96.0 255.255.255.0
global (inside) 21 10.45.64.23
The vpn clients have the address range 172.16.96.0 255.255.255.0
Any thoughts on this?
Thanks
Dan
11-24-2009 04:09 AM
dan_track wrote:
Hi,
In an earlier thread I had opened I was advised to use the following configuration to nat traffic from my vpn clients to the inside network.
Here's the config I put in:
nat (dmz) 21 172.16.96.0 255.255.255.0
global (inside) 21 10.45.64.23
The vpn clients have the address range 172.16.96.0 255.255.255.0
Any thoughts on this?
Thanks
Dan
Dan
Are the VPN clients on the dmz interface ?
Either way, whether they are on the dmz or outside interface you need the "outside" keyword in your NAT statement ie.
nat (dmz) 172.16.96.0 255.255.255.0 outside
or
nat (outside) 172.16.96.0 255.255.255.0 outside
choose the relevant nat from above depending on which interface your VPN clients come in on.
Jon
11-24-2009 04:12 AM
Hi Jon,
I forgot to include the logging entry, here it is:
Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389
Does this help?
Thanks again
Dan
11-24-2009 04:14 AM
dan_track wrote:
Hi Jon,
I forgot to include the logging entry, here it is:
Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389
Does this help?
Thanks again
Dan
Dan
Add the "outside" keyword in your nat statement on the DMZ and see if that fixes it. If not can you post ASA config ?
Jon
11-24-2009 04:42 AM
Sadly,
That didn't work, I still get the following:
Nov 24 2009 12:26:18: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/34088 dst inside:10.44.4.91/3389
interface GigabitEthernet0/1
description Inside Interface
nameif inside
security-level 100
ip address 10.45.81.252 255.255.255.0 standby 10.45.81.251
interface GigabitEthernet0/2
description DMZ
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.96
description DMZ
vlan 96
nameif dmz
security-level 60
ip address 10.45.96.1 255.255.255.0 standby 10.45.96.2
global (inside) 21 10.45.64.23
nat (inside) 0 access-list no-nat
nat (dmz) 21 172.16.96.0 255.255.255.0 outside
Any thoughts?
Thanks
Dan
11-24-2009 05:27 AM
Would you pls. list your no-nat access-list?
11-24-2009 06:01 AM
Hi,
Here's the no-nat list
access-list no-nat extended permit ip host 10.240.45.1 host 10.240.9.1
access-list no-nat extended permit ip host 10.240.45.1 host 10.240.44.1
access-list no-nat extended permit ip host 10.45.81.253 host 10.49.2.253
access-list no-nat extended permit ip host 10.45.81.253 host 10.34.2.253
access-list no-nat extended permit ip 10.0.0.0 255.0.0.0 10.45.96.0 255.255.255.0
access-list no-nat extended permit ip 10.45.64.0 255.255.255.0 10.34.2.0 255.255.255.0
Thanks
Dan
11-24-2009 08:52 AM
I don't think this would be possible unless you get rid of
global (inside) 21 10.45.64.23
nat (dmz) 21 172.16.96.0 255.255.255.0 outside
and add
access-list no-nat extended permit ip 10.45.64.0 255.255.255.0 172.16.96.0 255.255.255.0
-Vikram
11-24-2009 09:31 AM
Hi,
Thanks, but I really don't want to do that, there must be someway to nat it. Any thoughts please?
Thanks
Dan
11-24-2009 09:58 AM
Could this be because the IP in the global statement is not on the same subnet as the inside interface? Does it work if you change it to "global (inside) 21 interface"?
11-24-2009 10:39 AM
Hi Grant,
Thanks for the info. No, that didn't work either:
global (inside) 21 interface
nat (dmz) 21 172.16.96.0 255.255.255.0 outside
I still get the same translation error.
Any further thoughts?
Thanks again
Dan
11-24-2009 08:00 PM
check this link, there's an example
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042960
11-25-2009 02:09 AM
Hi,
Thanks for the info, the summary of which is the following:
When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface, because to perform NAT from outside to inside, you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.
According to my thinking isn't this what I've done? Is there another problem here or am I missing something?
Thanks
Dan
11-25-2009 04:32 AM
Sorry it is taking us this long to resolve this. Here is what I'd like done.
1. Use the packet-tracer command (just do question mark and finish it) and see what it gives as the reason for dropping this.
2. Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389
No translation group message means - there is problem with the nat line
port map translation creation failed means - there is problem with the global line.
3. Now you have provided translation from high to low for the source. We need this for high to low (return traffic) as well.
4. Pls. document the source IP and destination IP for all interfaces. For example
on the outside the source IP will be 172.16.96.36 ---> 10.44.4.91
on the inside the source IP will be the translated 10.x.x.x address --->10.44.4.91
Now for the response traffic from this RDC server listening on port 3389:
Returning from the 10.44.4.91 ----> the source will be 10.44.4.91 and destination will be 10.x.x.x translated address.
Now you need to exempt this in the nat 0 acl that you have applied on the inside interface.
or
add static (inside,outside) 10.44.4.91 10.44.4.91
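The reply above lists a sequence of lookups (nat 0 access-list, then static, then nat/global by NAT id, with the "outside" keyword needed for low-to-high traffic) and asks for the source and destination of both the forward and the return flow to be written down. The following Python script is an added example, not Cisco code and not anything posted in this thread: it models that pre-8.3 ASA lookup order as the 7.2 configuration guide quoted earlier in the thread describes it, loads the configuration Dan posted, and evaluates both directions of the RDP flow from the log. It assumes the VPN clients sit on the dmz interface (the interface named in the logged drop), so the reply's `static (inside,outside) 10.44.4.91 10.44.4.91` is applied as `static (inside,dmz)` in the model; that mapping, the `AsaNat`/`trace` names and the "translation creation failed" wording used for a missing global are all assumptions of the example. Policy NAT, port pools, and nat-control off are not modelled, and ASA 8.3+ replaced this NAT model entirely.

```python
import ipaddress
from dataclasses import dataclass, field


class NoTranslation(Exception):
    """Raised when no NAT rule covers the flow (the ASA logs %ASA-3-305005 for this)."""


@dataclass
class AsaNat:
    """Toy model of the pre-8.3 ASA NAT lookup order (constructed for illustration)."""
    security: dict                                   # nameif -> security-level
    exempt: dict = field(default_factory=dict)       # ingress nameif -> [(src net, dst net)] from 'nat (if) 0 access-list'
    statics: list = field(default_factory=list)      # (real_if, mapped_if, real host, mapped host)
    nats: list = field(default_factory=list)         # (nameif, nat_id, network, has 'outside' keyword)
    globals_: dict = field(default_factory=dict)     # (nameif, nat_id) -> mapped address

    def add_exempt(self, ifname, src, dst):
        self.exempt.setdefault(ifname, []).append(
            (ipaddress.ip_network(src), ipaddress.ip_network(dst)))

    def add_static(self, real_if, mapped_if, mapped, real):
        # Argument order follows the CLI: static (real_if,mapped_if) mapped_ip real_ip
        self.statics.append((real_if, mapped_if,
                             ipaddress.ip_address(real), ipaddress.ip_address(mapped)))

    def add_nat(self, ifname, nat_id, net, outside=False):
        self.nats.append((ifname, nat_id, ipaddress.ip_network(net), outside))

    def add_global(self, ifname, nat_id, mapped):
        self.globals_[(ifname, nat_id)] = mapped

    def lookup(self, src_if, src_ip, dst_if, dst_ip):
        """Return (translated source, matching rule) or raise NoTranslation."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # 1. nat 0 access-list on the ingress interface: exempt from NAT, source unchanged.
        for s_net, d_net in self.exempt.get(src_if, []):
            if src in s_net and dst in d_net:
                return str(src), f"nat ({src_if}) 0 access-list"
        # 2. A static for this interface pair is consulted before dynamic nat/global.
        for real_if, mapped_if, real, mapped in self.statics:
            if (real_if, mapped_if) == (src_if, dst_if) and src == real:
                return str(mapped), f"static ({real_if},{mapped_if}) {mapped} {real}"
        # 3. Dynamic nat: low-to-high traffic needs the 'outside' keyword, and the
        #    NAT id must have a matching global on the egress interface.
        low_to_high = self.security[src_if] < self.security[dst_if]
        for ifname, nat_id, net, outside in self.nats:
            if ifname != src_if or src not in net or (low_to_high and not outside):
                continue
            mapped = self.globals_.get((dst_if, nat_id))
            if mapped is None:  # nat line matched but nothing to translate to on egress
                raise NoTranslation(
                    f"translation creation failed: nat id {nat_id} has no global on {dst_if}")
            return mapped, f"nat ({ifname}) {nat_id} / global ({dst_if}) {nat_id}"
        raise NoTranslation(
            f"%ASA-3-305005: No translation group found for tcp src {src_if}:{src_ip} "
            f"dst {dst_if}:{dst_ip}")


def thread_config(outside_keyword=True, static_for_rdc=False):
    """Dan's posted config, with the two knobs the thread turned."""
    asa = AsaNat(security={"inside": 100, "dmz": 60})
    for src, dst in [("10.240.45.1/32", "10.240.9.1/32"), ("10.240.45.1/32", "10.240.44.1/32"),
                     ("10.45.81.253/32", "10.49.2.253/32"), ("10.45.81.253/32", "10.34.2.253/32"),
                     ("10.0.0.0/8", "10.45.96.0/24"), ("10.45.64.0/24", "10.34.2.0/24")]:
        asa.add_exempt("inside", src, dst)        # access-list no-nat, applied by nat (inside) 0
    asa.add_global("inside", 21, "10.45.64.23")
    asa.add_nat("dmz", 21, "172.16.96.0/24", outside=outside_keyword)
    if static_for_rdc:
        # The reply's static, applied to the dmz pair because the logged flow arrives
        # on dmz (assumption of this example).
        asa.add_static("inside", "dmz", "10.44.4.91", "10.44.4.91")
    return asa


def trace(asa, src_if, src_ip, dst_if, dst_ip):
    """Step 4 of the reply: the source seen on the egress side, or the drop reason."""
    try:
        mapped, rule = asa.lookup(src_if, src_ip, dst_if, dst_ip)
        return {"ok": True, "mapped_src": mapped, "rule": rule}
    except NoTranslation as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    for label, asa in [("no 'outside' keyword", thread_config(outside_keyword=False)),
                       ("as posted", thread_config()),
                       ("with static", thread_config(static_for_rdc=True))]:
        print(label)
        print("  client -> RDP :", trace(asa, "dmz", "172.16.96.39", "inside", "10.44.4.91"))
        print("  RDP -> client :", trace(asa, "inside", "10.44.4.91", "dmz", "172.16.96.39"))
```

Running it reproduces the thread: without the "outside" keyword the dmz-to-inside lookup fails with the 305005 message; with it, the client is translated to 10.45.64.23 on the inside; but the return flow from 10.44.4.91 towards 172.16.96.x matches neither the no-nat list (whose only broad entry is 10.0.0.0/8 to 10.45.96.0/24) nor any static, so it needs the exemption or the static the reply recommends. On a real ASA the same three answers come from `packet-tracer input dmz tcp 172.16.96.39 32851 10.44.4.91 3389` and the reverse trace from the inside interface.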
11-25-2009 06:31 AM
Fantastic!
Thank you very very much. You solved my problem. The issue was definitely with the static command. As soon as I added it I got access. Can you please point me to documentation on nat/static/global that's easy to understand?
Many thanks
Dan