01-26-2010 05:53 AM - edited 03-11-2019 10:01 AM
folks
i have an asa 5540 & i'm trying to allow an outside IP through the asa & into another firewall's dmz on the inside interface
the external IP is 145.a.b.c/32 & the internal dmz address is 194.a.b.c
i have a nat exempt rule allowing 145.a.b.c/32 to talk to 194.a.b.c using inbound traffic but i get a no translation group found
the firewall's external interface is directly connected to 145.a.b.c and it has a route via its inside interface to 194.a.b.c
i can see the access rule incrementing and i can see a packet capture showing the source address trying to get to the destination address on the outside interface where the traffic arrives
there is nothing from the packet capture showing traffic leaving the external interface
anyone any ideas?
thanks to anyone taking the time to respond or post a reply
gratefully appreciated
01-26-2010 02:59 PM
nat exemption with an acl is bidirectional by default - provided you apply that on the higher security interface.
You did what I had suggested, which was to apply nat 0 on the inside or dmz interface with an acl.
Earlier you had provided exemption for the host 145.a.b.c that lived on the outside. That is incorrect.
nat (Outside) 0 access-list Outside_nat0_outbound_1 outside
access-list Outside_nat0_outbound_1 extended permit ip host 145.a.b.c host 194.a.b.c
This firewall probably logged no translation group messages.
-KS
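Putting the accepted answer together as a single pre-8.3 ASA configuration, as an added example that is not part of the original thread: the nat 0 exemption is placed on the higher-security interface (Inside) with the ACL written from the inside host's point of view, which is what makes the exemption apply in both directions, and it is paired with the inbound access rule the original poster described (tcp DNS from 145.a.b.c to 194.a.b.c). The interface names Inside/Outside and the nat0 ACL name are the ones used in the thread; the access-list name Outside_access_in, the global (Outside) 1 interface line and the verification commands are assumptions added here.

```cisco
! Added example, not the original poster's full config.
! Pre-8.3 NAT syntax, as used in the thread.

! Exemption on the higher-security interface: ACL source is the inside host.
! With nat 0 on Inside this exempts both Inside->Outside and Outside->Inside.
access-list Inside_nat0_outbound_1 extended permit ip host 194.a.b.c host 145.a.b.c
nat (Inside) 0 access-list Inside_nat0_outbound_1

! Normal dynamic PAT for everything else leaving Inside (global line is assumed).
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface

! Inbound access rule: only tcp/53 from the one outside host to the one inside host.
! Name Outside_access_in is an assumption.
access-list Outside_access_in extended permit tcp host 145.a.b.c host 194.a.b.c eq domain
access-group Outside_access_in in interface Outside

! Checks: confirm the exemption and trace an outside-initiated DNS packet.
show run nat
show run access-list Inside_nat0_outbound_1
packet-tracer input Outside tcp 145.a.b.c 1025 194.a.b.c 53
show xlate
```

The packet-tracer line should report the NAT phase as exempt and the result as ALLOW; if it still ends in DROP at the NAT phase, the exemption is on the wrong interface or the ACL is written in the wrong direction, which is exactly the "no translation group" symptom the thread describes. Note this is the old nat/global syntax; ASA 8.3 and later use object NAT and twice NAT instead, so these lines do not apply unchanged there.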
01-26-2010 05:59 AM
What do the logs show when it breaks? Could you pls. post the output of
sh run nat
with the access-list if nat 0 is tied to an acl?
You can also do packet-tracer. You can use "?" and fill out the command very easily and see where it is getting dropped.
-KS
01-26-2010 07:59 AM
Can you post your commands to configure the NAT exempt?
01-26-2010 09:40 AM
Topology:
Internet---ASA5540--FW--dmz(194.a.b.c)
the external IP is 145.a.b.c/32 & the internal dmz address is 194.a.b.c
Is this topology correct? What FW is the one on the inside? another ASA?
On the 5540 you are translating the 194.a.b.c to 145.a.b.c and on the one on the inside you are just doing identity translation or nat exemption?
Which firewall is logging no translation group?
You should do nat exemption or identity static on the inside firewall.
example:
nat (dmz) 0 access-list dmz-server
access-list dmz-server permit ip host 194.a.b.c any
or
static (dmz,outside) 194.a.b.c 192.a.b.c
-KS
01-26-2010 09:48 AM
What are you trying to accomplish? If you are just trying to allow use of a service like http then using a static nat like
static (dmz,outside) 194.a.b.c 192.a.b.c would be fine with an access list allowing the necessary service.
access-list outside_access_in permit tcp any host 145.a.b.c eq http
If you are trying to allow already trusted traffic access to a system then using the nat exemption would be necessary.
01-26-2010 11:55 AM
rbermel83
i'm trying to allow traffic from an external host, 145.a.b.c, to an internal host, 194.a.b.c but i need to allow the traffic from the external host through without any translation
the access rule is allowing traffic from the outside to the inside for tcp DNS
thanks
01-26-2010 12:00 PM
kusankar
many thanks for your reply
your topology is correct but i want to allow 145.a.b.c. through the firewall, from the outside to the inside, without translation
i have no other nat rules from outside to inside
i have an access rule allowing traffic from the outside, 145.a.b.c, to the inside, 194.a.b.c, and i'm seeing hits on it but my syslog shows 'no translation group.......'
thanks for taking the time to look at this
i'm wondering if a nat exemption is the right action since i don't have any other nat in the relevant direction outside to inside - maybe i just use a static nat to nat the source to itself but i only want it to apply to traffic to the destination i've specified
01-26-2010 01:36 PM
kusankar/rbermel83
folks
i've just got this working by inverting the exempt statement
i changed the direction of the config in the gui & it works grand
i'm still a bit confused as it undermines my belief that i understood how to configure nat on an asa!
thanks to both of you for contributing
01-26-2010 01:50 PM
I need to clearly understand what nat exemption you reversed, and on which firewall, so I can explain why you needed to do that.
Clearly copy and paste the lines and indicate which firewall you added it to.
-KS
01-26-2010 02:26 PM
kusankar
old config
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Outside) 0 access-list Outside_nat0_outbound_1 outside
access-list Outside_nat0_outbound_1 extended permit ip host 145.a.b.c host 194.a.b.c
new config
nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (Inside) 1 0.0.0.0 0.0.0.0
access-list Inside_nat0_outbound_1 line 1 extended permit ip host 194.a.b.c host 145.a.b.c
i only needed to re-configure my external ASA as the traffic wasn't even getting to the internal firewall
i'd be keen to hear your views and if you need i can draft up a quick topology diagram
01-26-2010 03:15 PM
kusankar
many thanks my friend