Nat on ASA not working

dan_track
Level 1

Hi,

In an earlier thread I had opened, I was advised to use the following configuration to NAT traffic from my VPN clients to the inside network.

Here's the config I put in:

nat (dmz) 21 172.16.96.0 255.255.255.0

global (inside) 21 10.45.64.23

The vpn clients have the address range 172.16.96.0 255.255.255.0

Any thoughts on this?

Thanks

Dan


15 Replies

Jon Marshall
Hall of Fame

dan_track wrote:

Hi,

In an earlier thread I had opened, I was advised to use the following configuration to NAT traffic from my VPN clients to the inside network.

Here's the config I put in:

nat (dmz) 21 172.16.96.0 255.255.255.0

global (inside) 21 10.45.64.23

The vpn clients have the address range 172.16.96.0 255.255.255.0

Any thoughts on this?

Thanks

Dan

Dan

Are the VPN clients on the dmz interface?

Either way, whether they are on the dmz or outside interface, you need the "outside" keyword in your NAT statement, i.e.

nat (dmz) 172.16.96.0 255.255.255.0 outside

or

nat (outside) 172.16.96.0 255.255.255.0 outside

Choose the relevant nat from above depending on which interface your VPN clients come in on.

Jon

Hi Jon,

I forgot to include the logging entry; here it is:

Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389

Does this help?

Thanks again

Dan

dan_track wrote:

Hi Jon,

I forgot to include the logging entry; here it is:

Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389

Does this help?

Thanks again

Dan

Dan

Add the "outside" keyword in your nat statement on the DMZ and see if that fixes it. If not, can you post the ASA config?

Jon

Sadly,

That didn't work; I still get the following:

Nov 24 2009 12:26:18: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/34088 dst inside:10.44.4.91/3389

interface GigabitEthernet0/1
description Inside Interface
nameif inside
security-level 100
ip address 10.45.81.252 255.255.255.0 standby 10.45.81.251

interface GigabitEthernet0/2
description DMZ
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.96
description DMZ
vlan 96
nameif dmz
security-level 60
ip address 10.45.96.1 255.255.255.0 standby 10.45.96.2

global (inside) 21 10.45.64.23

nat (inside) 0 access-list no-nat

nat (dmz) 21 172.16.96.0 255.255.255.0 outside

Any thoughts?

Thanks

Dan

Would you pls. list your no-nat access-list?

Hi,

Here's the no-nat list

access-list no-nat extended permit ip host 10.240.45.1 host 10.240.9.1
access-list no-nat extended permit ip host 10.240.45.1 host 10.240.44.1
access-list no-nat extended permit ip host 10.45.81.253 host 10.49.2.253
access-list no-nat extended permit ip host 10.45.81.253 host 10.34.2.253
access-list no-nat extended permit ip 10.0.0.0 255.0.0.0 10.45.96.0 255.255.255.0
access-list no-nat extended permit ip 10.45.64.0 255.255.255.0 10.34.2.0 255.255.255.0

Thanks

Dan

I don't think this would be possible unless you get rid of

global (inside) 21 10.45.64.23
nat (dmz) 21 172.16.96.0 255.255.255.0 outside

and add

access-list no-nat extended permit ip 10.45.64.0 255.255.255.0 172.16.96.0 255.255.255.0

-Vikram

Hi,

Thanks, but I really don't want to do that; there must be some way to NAT it. Any thoughts please?

Thanks

Dan

Could this be because the IP in the global statement is not on the same subnet as the inside interface? Does it work if you change it to "global (inside) 21 interface"?

Hi Grant,

Thanks for the info. No, that didn't work either:

global (inside) 21 interface

nat (dmz) 21 172.16.96.0 255.255.255.0 outside

I still get the same translation error.

Any further thoughts?

Thanks again

Dan

Hi,

Thanks for the info, the summary of which is the following:

When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must apply a global command with the same NAT ID on each interface, or use a static command. NAT is not required for that group when it accesses a higher security interface, because to perform NAT from outside to inside, you must create a separate nat command using the outside keyword. If you do apply outside NAT, then the NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.

According to my thinking, isn't this what I've done? Is there another problem here, or am I missing something?

Thanks

Dan

Sorry it is taking us this long to resolve this. Here is what I'd like done.

1. Use the packet-tracer command (just do question mark and finish it) and see what it gives as the reason for dropping this.

2. Nov 24 2009 11:45:09: %ASA-3-305005: No translation group found for tcp src dmz:172.16.96.39/32851 dst inside:10.44.4.91/3389

"No translation group" message means there is a problem with the nat line.

"port map translation creation failed" means there is a problem with the global line.

3. Now you have provided translation from high to low for the source. We need this for high to low (return traffic) as well.

4. Pls. document the source IP and destination IP for all interfaces. For example

on the outside the source IP will be 172.16.96.36 ---> 10.44.4.91

on the inside the source IP will be the translated 10.x.x.x address --->10.44.4.91

Now for the response traffic from this RDC server listening on port 3389:

Returning from the 10.44.4.91 ----> the source will be 10.44.4.91 and destination will be 10.x.x.x translated address.

Now you need to exempt this in the nat 0 acl that you have applied on the inside interface.

or

add static (inside,outside) 10.44.4.91 10.44.4.91
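The decision the accepted answer walks through (and the "outside" keyword point Jon raised earlier), as an added illustration that is not Cisco code and not part of this thread: a small Python model of the pre-8.3 ASA checks for a connection entering a lower-security interface with nat-control in effect, using the thread's own addresses. It encodes only the two rules the thread relies on: the source needs a nat rule with the "outside" keyword and a global with the same ID on the egress interface, and the inside host needs its own static (identity is enough) or nat 0 exemption so its reply to the translated address is permitted. The class and function names, the simplified matching, and the choice to match a static on its real interface only (the fix that worked used "(inside,outside)") are assumptions of this model, not documented ASA behaviour.

```python
"""Simplified model (added example, not Cisco code) of the pre-8.3 ASA NAT
checks discussed in the thread, for a flow from a lower-security interface
(dmz) to a higher one (inside) with nat-control enabled."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    """nat (ifc) id net [outside]"""
    ifc: str
    nat_id: int
    net: str
    outside: bool = False


@dataclass
class Static:
    """static (real_ifc,mapped_ifc) mapped real"""
    real_ifc: str
    mapped_ifc: str
    mapped: str
    real: str


@dataclass
class AsaNat:
    levels: dict                                   # nameif -> security-level
    nats: list = field(default_factory=list)       # NatRule, in config order
    globals_: dict = field(default_factory=dict)   # (ifc, nat_id) -> mapped address
    statics: list = field(default_factory=list)    # Static entries
    exempt: list = field(default_factory=list)     # nat 0 acl on inside: (src_net, dst_net)

    def lookup(self, in_ifc, out_ifc, src, dst):
        """Decide the first packet of a lower-to-higher flow: (allowed, reason).
        Reasons reuse the wording of the syslog messages quoted in the thread."""
        src, dst = ip_address(src), ip_address(dst)
        if self.levels[in_ifc] >= self.levels[out_ifc]:
            raise ValueError("model only covers lower-to-higher security flows")
        # Rule 1: the source must hit a nat rule carrying the 'outside' keyword ...
        rule = next((r for r in self.nats
                     if r.ifc == in_ifc and src in ip_network(r.net)), None)
        if rule is None or not rule.outside:
            return False, f"No translation group found for src {in_ifc}:{src} dst {out_ifc}:{dst}"
        # ... and that nat id needs a global on the egress interface.
        mapped = self.globals_.get((out_ifc, rule.nat_id))
        if mapped is None:
            return False, f"port map translation creation failed (no global ({out_ifc}) {rule.nat_id})"
        # Rule 2: the inside host needs its own translation for the reply to the
        # mapped address. Assumption: a static is matched on its real interface only.
        if any(s.real_ifc == out_ifc and dst == ip_address(s.real) for s in self.statics):
            return True, f"static for {dst}; reply to {mapped} allowed"
        if any(dst in ip_network(a) and ip_address(mapped) in ip_network(b)
               for a, b in self.exempt):
            return True, f"nat 0 exemption for {dst} -> {mapped}"
        return False, (f"No translation group found for src {in_ifc}:{src} dst {out_ifc}:{dst} "
                       f"(inside host {dst} has no static or nat 0 entry for its reply to {mapped})")


LEVELS = {"inside": 100, "dmz": 60, "outside": 0}            # security levels from the thread
VPN_CLIENT, RDP_SERVER, MAPPED = "172.16.96.39", "10.44.4.91", "10.45.64.23"


def base_config(outside_keyword: bool) -> AsaNat:
    """The thread's starting point: global (inside) 21 plus nat (dmz) 21 [outside]."""
    asa = AsaNat(levels=LEVELS)
    asa.nats.append(NatRule("dmz", 21, "172.16.96.0/24", outside=outside_keyword))
    asa.globals_[("inside", 21)] = MAPPED
    return asa


def check(asa: AsaNat) -> tuple:
    """Run the RDP flow from the thread: dmz VPN client -> inside server, tcp/3389."""
    return asa.lookup("dmz", "inside", VPN_CLIENT, RDP_SERVER)


def original() -> tuple:        # nat (dmz) 21 ... without 'outside'
    return check(base_config(False))


def with_outside() -> tuple:    # Jon's suggestion alone, still dropped
    return check(base_config(True))


def with_static() -> tuple:     # accepted fix: static (inside,outside) 10.44.4.91 10.44.4.91
    asa = base_config(True)
    asa.statics.append(Static("inside", "outside", RDP_SERVER, RDP_SERVER))
    return check(asa)


def with_nat0() -> tuple:       # the alternative: exempt the reply in the inside nat 0 acl
    asa = base_config(True)
    asa.exempt.append(("10.44.4.91/32", "10.45.64.23/32"))
    return check(asa)


if __name__ == "__main__":
    for name, fn in [("original", original), ("outside keyword", with_outside),
                     ("static identity", with_static), ("nat 0 exemption", with_nat0)]:
        ok, why = fn()
        print(f"{name:16s} {'PASS' if ok else 'DROP'}  {why}")
```

Running it prints a DROP line for the first two configurations, with the same "No translation group found" text as the thread's syslog, and PASS for the static and the nat 0 variants; removing the global instead reproduces the "port map translation creation failed" case the accepted answer distinguishes.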

Fantastic!

Thank you very, very much. You solved my problem. The issue was definitely with the static command. As soon as I added it I got access. Can you please point me to documentation on nat/static/global that's easy to understand?

Many thanks

Dan
