NAT Exempt not working

Jan 26th, 2010

Folks,

I have an ASA 5540 & I'm trying to allow an outside IP through the ASA & into another firewall's DMZ on the inside interface.

The external IP is 145.a.b.c/32 & the internal DMZ address is 194.a.b.c.

I have a NAT exempt rule allowing 145.a.b.c/32 to talk to 194.a.b.c using inbound traffic, but I get a 'no translation group found'.

The firewall's external interface is directly connected to 145.a.b.c and it has a route via its inside interface to 194.a.b.c.

I can see the access rule incrementing and I can see a packet capture showing the source address trying to get to the destination address on the outside interface where the traffic arrives.

There is nothing from the packet capture showing traffic leaving the external interface.

Anyone have any ideas?

Thanks to anyone taking the time to respond or post a reply.

Gratefully appreciated.

Kureli Sankar Tue, 01/26/2010 - 05:59

What do the logs show when it breaks? Could you please post the output of

sh run nat

with the access-list, if nat 0 is tied to an ACL?

You can also do packet-tracer. You can use "?" to fill out the command very easily and see where it is getting dropped.

-KS

Kureli Sankar Tue, 01/26/2010 - 09:40

Topology:

Internet---ASA5540--FW--dmz(194.a.b.c)

the external IP is 145.a.b.c/32 & the internal dmz address is 194.a.b.c

Is this topology correct? What FW is the one on the inside? Another ASA?

On the 5540 you are translating 194.a.b.c to 145.a.b.c, and on the one on the inside you are just doing identity translation or NAT exemption?

Which firewall is logging "no translation group"?

You should do NAT exemption or identity static on the inside firewall.

example:

nat (dmz) 0 access-list dmz-server

access-list dmz-server permit ip host 194.a.b.c any

or

static (dmz,outside) 194.a.b.c 192.a.b.c

-KS

rbermel83 Tue, 01/26/2010 - 09:48

What are you trying to accomplish? If you are just trying to allow use of a service like HTTP, then using a static NAT like

static (dmz,outside) 194.a.b.c 192.a.b.c would be fine with an access list allowing the necessary service.

access-list outside_access_in permit tcp any host 145.a.b.c eq http

If you are trying to allow already trusted traffic access to a system, then using the NAT exemption would be necessary.

mulhollandm Tue, 01/26/2010 - 11:55

rbermel83

I'm trying to allow traffic from an external host, 145.a.b.c, to an internal host, 194.a.b.c, but I need to allow the traffic from the external host through without any translation.

The access rule is allowing traffic from the outside to the inside for TCP DNS.

thanks

mulhollandm Tue, 01/26/2010 - 12:00

kusankar

Many thanks for your reply.

Your topology is correct, but I want to allow 145.a.b.c through the firewall, from the outside to the inside, without translation.

I have no other NAT rules from outside to inside.

I have an access rule allowing traffic from the outside, 145.a.b.c, to the inside, 194.a.b.c, and I'm seeing hits on it, but my syslog shows 'no translation group.......'

Thanks for taking the time to look at this.

I'm wondering if a NAT exemption is the right action, since I don't have any other NAT in the relevant direction (outside to inside). Maybe I should just use a static NAT to NAT the source to itself, but I only want it to apply to traffic to the destination I've specified.

mulhollandm Tue, 01/26/2010 - 13:36

kusankar/rbermel83

Folks,

I've just got this working by inverting the exempt statement.

I changed the direction of the config in the GUI & it works grand.

I'm still a bit confused, as it undermines my belief that I understood how to configure NAT on an ASA!

Thanks to both of you for contributing.

Kureli Sankar Tue, 01/26/2010 - 13:50

I need to clearly understand which NAT exemption you reversed and on which firewall, so I can explain why you needed to do that.

Clearly copy and paste the lines and indicate which firewall you added it to.

-KS

mulhollandm Tue, 01/26/2010 - 14:26

kusankar

Old config:

nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Outside) 0 access-list Outside_nat0_outbound_1 outside

access-list Outside_nat0_outbound_1 extended permit ip host 145.a.b.c host 194.a.b.c

New config:

nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (Inside) 1 0.0.0.0 0.0.0.0

access-list Inside_nat0_outbound_1 line 1 extended permit ip host 194.a.b.c host 145.a.b.c

I only needed to re-configure my external ASA, as the traffic wasn't even getting to the internal firewall.

I'd be keen to hear your views, and if you need, I can draft up a quick topology diagram.

Correct Answer
Kureli Sankar Tue, 01/26/2010 - 14:59

NAT exemption with an ACL is bidirectional by default, provided you apply it on the higher-security interface.

You did what I had suggested, which is to apply nat 0 on the inside or DMZ interface with an ACL.

Earlier you had provided exemption for the host 145.a.b.c that lived on the outside. That is incorrect.

nat (Outside) 0 access-list Outside_nat0_outbound_1 outside

access-list Outside_nat0_outbound_1 extended permit ip host 145.a.b.c host 194.a.b.c

This firewall probably logged the "no translation group" messages.

-KS
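Added example, not from the thread or from Cisco: a small Python model of the rule of thumb KS gives above, that on pre-8.3 ASA code a `nat <iface> 0 access-list <acl>` bound to the higher-security interface matches its ACL in both directions, while the same rule bound to the lower-security interface leaves an outside-initiated flow to the inside host without a translation. It parses the two configs mulhollandm posted, with RFC 5737 test addresses standing in for the masked 145.a.b.c and 194.a.b.c, and assumes ASA default security levels (Inside 100, Outside 0) and nat-control on. It models exemption matching only, not the ASA's full NAT order of operations; the function and variable names are the example's own.

```python
"""Toy model of pre-8.3 ASA NAT exemption (nat 0 access-list) matching.

Constructed for this thread; not Cisco code.  It encodes one rule of thumb:
a `nat <iface> 0 access-list <acl>` bound to the HIGHER-security interface
is bidirectional (it exempts the flows the ACL describes and flows initiated
from the other side towards those hosts), while the same rule bound to the
LOWER-security interface does not cover a flow arriving on that interface.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: RFC 5737 documentation addresses stand in for the
# thread's masked 145.a.b.c (external host) and 194.a.b.c (DMZ host).
EXTERNAL_HOST = "203.0.113.10"
DMZ_HOST = "198.51.100.20"

# Assumed ASA default security levels: inside 100, outside 0.
SECURITY_LEVELS = {"Inside": 100, "Outside": 0}

# The poster's original config: nat 0 bound to the Outside interface.
OLD_CONFIG = f"""
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Outside) 0 access-list Outside_nat0_outbound_1 outside
access-list Outside_nat0_outbound_1 extended permit ip host {EXTERNAL_HOST} host {DMZ_HOST}
"""

# The working config: nat 0 moved to the higher-security Inside interface,
# with the ACL written from the inside host's point of view.
NEW_CONFIG = f"""
nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (Inside) 1 0.0.0.0 0.0.0.0
access-list Inside_nat0_outbound_1 line 1 extended permit ip host {DMZ_HOST} host {EXTERNAL_HOST}
"""


@dataclass
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class NatExempt:
    iface: str
    acl: str


@dataclass
class Config:
    acls: dict = field(default_factory=dict)     # ACL name -> [Ace]
    exempts: list = field(default_factory=list)  # nat 0 bindings


ACE_RE = re.compile(r"^access-list (\S+)(?: line \d+)? extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def _take_addr(tokens):
    """Consume one ACL address operand (host A | any | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Pick the nat 0 bindings and the permit-ip ACEs out of `sh run nat`-style text."""
    cfg = Config()
    for line in text.strip().splitlines():
        line = line.strip()
        if m := NAT0_RE.match(line):
            cfg.exempts.append(NatExempt(m.group(1), m.group(2)))
        elif m := ACE_RE.match(line):
            src, rest = _take_addr(m.group(2).split())
            dst, _ = _take_addr(rest)
            cfg.acls.setdefault(m.group(1), []).append(Ace(src, dst))
        # Dynamic NAT such as "nat (Inside) 1 0.0.0.0 0.0.0.0" is ignored: it
        # never supplies a translation for a connection initiated from Outside.
    return cfg


def exempt_verdict(cfg, levels, in_iface, out_iface, src, dst):
    """Apply the rule of thumb to one flow entering in_iface and leaving out_iface.

    A nat 0 ACL on the higher-security interface matches as written for flows
    leaving that interface and with src/dst swapped for flows entering from the
    lower side.  Anything else, with nat-control on and no matching static,
    is what the ASA reports as "No translation group found" (%ASA-3-305005).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    high = in_iface if levels[in_iface] > levels[out_iface] else out_iface
    for rule in cfg.exempts:
        if rule.iface != high:
            continue  # nat 0 on the lower-security side does not cover this flow
        for ace in cfg.acls.get(rule.acl, []):
            outbound = rule.iface == in_iface and src in ace.src and dst in ace.dst
            inbound = rule.iface == out_iface and dst in ace.src and src in ace.dst
            if outbound or inbound:
                return f"exempt ({rule.acl} on {rule.iface})"
    return "no translation group found"


if __name__ == "__main__":
    for name, text in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        cfg = parse_config(text)
        print(name, "Outside->Inside:",
              exempt_verdict(cfg, SECURITY_LEVELS, "Outside", "Inside", EXTERNAL_HOST, DMZ_HOST))
        print(name, "Inside->Outside:",
              exempt_verdict(cfg, SECURITY_LEVELS, "Inside", "Outside", DMZ_HOST, EXTERNAL_HOST))
```

Running it prints the verdict for both flows under each config: the old config gives "no translation group found" for the Outside->Inside flow, the new one is exempt in both directions, and a different outside source address falls through to the same drop. On the real box, packet-tracer remains the authoritative check of what the ASA actually does with the flow.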
