No translation group found for tcp src

Answered Question

If this isn't posted in the right discussion group please let me know and I'll move it.

My wireless (outside) is using a Proxy Server called Proxy1 (inside).  My initial connection to this Proxy server is on Port 8080.  Below is a copy of my logs when I try to connect to it from my wireless gateway (10.1.###.###).

I need help understanding what ASA entry I am missing.  I also need to connect to other ports; I included the log for port 8080.

From what I am seeing in the logs it looks like the ASA is not DENYING the connection.

Thanks

--Joe

For Port 8080:

03-05-2010        13:42:21            Local4.Info         159.105.###.###            %ASA-6-302013:

Built outbound TCP connection 580927 for govnet:159.105.###.###/8080 (159.105.###.###/8080) to wireless:10.1.###.###/36326 (159.105.###.###/12156)

03-05-2010        13:42:21            Local4.Info         159.105.###.###            %ASA-6-305011:

Built dynamic TCP translation from wireless:10.1.###.###/36326 to govnet:159.105.###.###/12156

03-05-2010        13:42:21            Local4.Debug    159.105.###.###            %ASA-7-609001:

Built local-host wireless:10.1.###.###

03-05-2010        13:42:21            Local4.Error       170.222.###.###  %ASA-3-305005:

No translation group found for tcp src govnet:159.105.###.###/12156 dst inside:Proxy1/8080

yamramos.tueme Wed, 03/10/2010 - 12:38

Hi Joe!

When using an ASA, when you pass from an interface to another you need to have a NAT rule, either a static or a nat-global.

For example, if you want a static rule for all your network you can do the following:

static (govnet,inside) 159.105.0.0 159.105.0.0 netmask 255.255.0.0

This is a NAT rule for traffic flowing from govnet to inside interface.  Both networks are the same to avoid any real translation and move traffic with its original ip address.

Cheers!

Yamil,

Thank you for your reply.

I don't think we want global nat for this.  Let me explain a little bit more.

Wireless(outside) to proxy server 10.1.0.9(outside) goes through the tunnel using 159.105.###.### with a destination of inside 159.105.###.20 (Proxy1)(inside).  All we would want is to allow that one specific IP (10.1.0.9) to access Proxy1 and pass information.

What really confuses me is that everything above the error is on the 159.105.###.### network but it looks like the error is being generated by the 170 outside network?

Thanks Again

--Joe

yamramos.tueme Thu, 03/11/2010 - 12:46

Joe,

I just want to make sure I have the right picture...

You just want to allow traffic from a host outside (10.1.0.9) to a host on the inside (159.105.###.20)

Is that correct or am I missing something?

- Yamil

yamramos.tueme Thu, 03/11/2010 - 14:07

Joe,

If you want to pass traffic from an outside to an inside interface in an ASA, you need to make sure that you have two things:

1.- An access-group that allows traffic to come in.

2.- A NAT rule that matches the traffic.

So in this case if we have the source on the outside interface with an ip address:

10.1.0.9

and a destination on the inside with the ip address:

159.105.###.20

First we configure the rule to allow traffic to come in:

access-list out permit ip host 10.1.0.9 host 159.105.###.20

then we ensure that we have a NAT rule for this traffic.  If you don't want to change either the source or destination when traffic flows through the FW, you just use a static command using the same ip address.  For example:

static (inside,outside) 159.105.###.20 159.105.###.20

If you don't want to use any NAT rule, you will have to disable nat-control.  To disable it, issue the following command in global config mode

no nat-control

Hope that helps!

- Yamil

Yamil,

I really appreciate the time you are taking to help me, but I need to understand what is going on here.

Looking at the Series of ASA messages below, I have a couple of questions.

03-05-2010        13:42:21            Local4.Info         159.105.221.114            %ASA-6-302013:

Built outbound TCP connection 580927 for govnet:159.105.97.20/8080 (159.105.97.20/8080) to wireless:10.1.0.9/36326 (159.105.221.114/12156)

03-05-2010        13:42:21            Local4.Info         159.105.221.114            %ASA-6-305011:

Built dynamic TCP translation from wireless:10.1.0.9/36326 to govnet:159.105.221.114/12156

03-05-2010        13:42:21            Local4.Debug    159.105.221.114            %ASA-7-609001:

Built local-host wireless:10.1.0.9

03-05-2010        13:42:21            Local4.Error       170.222.200.97  %ASA-3-305005:

No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080

What does the message "No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080" actually mean?  The 170 number is our inside 170 subnet IP named "170inside".

I think the series is saying that my request from 10.1.0.9 to Proxy1 was received by the ASA but it could not do something.  Since I cannot get a Deny in the ASA logs I think it might be accepting the request but doesn't know how to get back to me with the response.

I really am trying to understand exactly what is going on here.  When setting up the same routine from a different location I received DENY messages in the ASA logs and once the ACL changes were made everything worked.  I never saw this "No translation group" message before.

Thanks

--Joe

yamramos.tueme Fri, 03/12/2010 - 08:15

Hi Joe!

What the error message "No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080" means is that you do not have a NAT rule for traffic coming from 159.105.221.114 going to Proxy1 host, and you need to have one.

Here is the official Cisco documentation for that error, perhaps it can make things clearer.

305005

Error Message    %PIX|ASA-3-305005: No translation group found for protocol src interface_name: source_address/source_port dst interface_name: dest_address/dest_port

Explanation   A packet does not match any of the outbound nat command rules. If NAT is not configured for the specified source and destination systems, the message will be generated frequently.

Recommended Action   This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.

What is exactly going on is that ASA ACL allows traffic to come in, but when the packet is processed the ASA does not find a NAT that matches that specific traffic, therefore traffic gets dropped and you get that error message.

Perhaps you are now asking why you don't get that error message on other firewalls?  The answer is simple, either you have an existing NAT rule or "nat-control" is disabled.

So to allow traffic to pass through the ASA Firewall you can either add a NAT rule, for example: static (inside,outside) ; or you can disable nat-control.  I prefer creating NAT rules to disabling nat-control...

Hope that answers your questions!

Cheers!

- Yamil
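The messages Yamil explains above are easy to misread when they arrive split over two lines and from two different reporting addresses. The script below is an added example for this thread, not code from the thread or from any Cisco tool: it parses the four syslog lines Joe posted, pairs the 305011 dynamic translation with the 305005 drop so the real host behind the mapped source address is visible, and prints a candidate identity static (in the pre-8.3 syntax the thread uses, with the interface pair read from the message) to compare against the running configuration. The regular expressions, the `Event` structure and the suggested rule are assumptions made for illustration; the message texts are the ones on this page.

```python
import re
from dataclasses import dataclass

# Constructed input: the four syslog lines from the thread, each joined onto one
# line in the usual "date time facility reporting-host %ASA-sev-id: text" layout.
SAMPLE_LOG = """\
03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-302013: Built outbound TCP connection 580927 for govnet:159.105.97.20/8080 (159.105.97.20/8080) to wireless:10.1.0.9/36326 (159.105.221.114/12156)
03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-305011: Built dynamic TCP translation from wireless:10.1.0.9/36326 to govnet:159.105.221.114/12156
03-05-2010 13:42:21 Local4.Debug 159.105.221.114 %ASA-7-609001: Built local-host wireless:10.1.0.9
03-05-2010 13:42:21 Local4.Error 170.222.200.97 %ASA-3-305005: No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080
"""

MSG_RE = re.compile(r"%(?:PIX|ASA)-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
# 305011: a dynamic xlate was built, real (if:ip/port) -> mapped (if:ip/port)
XLATE_RE = re.compile(
    r"Built dynamic (?P<proto>\w+) translation from "
    r"(?P<rif>\w+):(?P<rip>[^/\s]+)/(?P<rport>\d+) to "
    r"(?P<mif>\w+):(?P<mip>[^/\s]+)/(?P<mport>\d+)")
# 305005: the packet was dropped because no NAT rule matched the flow
NOXLATE_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) src "
    r"(?P<sif>\w+):(?P<sip>[^/\s]+)/(?P<sport>\d+) dst "
    r"(?P<dif>\w+):(?P<dip>[^/\s]+)/(?P<dport>\d+)")


@dataclass
class Event:
    reported_by: str   # address in the syslog header, i.e. the device that sent it
    severity: int
    msg_id: str
    text: str


def parse_line(line):
    """Return an Event for an ASA syslog line, or None for anything else."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = line.split()
    reported_by = fields[3] if len(fields) > 3 else "?"
    return Event(reported_by, int(m["sev"]), m["id"], m["text"])


def analyze(log_text):
    """Correlate 305011 xlates with 305005 drops and describe each dropped flow."""
    xlates = {}   # (mapped_if, mapped_ip, mapped_port) -> (real_if, real_ip, real_port)
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.msg_id == "305011":
            m = XLATE_RE.match(ev.text)
            if m:
                xlates[(m["mif"], m["mip"], int(m["mport"]))] = (
                    m["rif"], m["rip"], int(m["rport"]))
        elif ev.msg_id == "305005":
            m = NOXLATE_RE.match(ev.text)
            if not m:
                continue
            src = (m["sif"], m["sip"], int(m["sport"]))
            dst = (m["dif"], m["dip"], int(m["dport"]))
            findings.append({
                "reported_by": ev.reported_by,
                "proto": m["proto"],
                "src": src,
                "dst": dst,
                # Walk the mapped source back to the host behind the dynamic xlate, if seen.
                "real_src": xlates.get(src),
                # Identity static for the destination host in the pre-8.3 syntax the thread
                # uses, interface pair taken from the message. This is a candidate to check
                # against the running config, not a verified fix (assumption).
                "suggested_static": "static ({},{}) {} {} netmask 255.255.255.255".format(
                    dst[0], src[0], dst[1], dst[1]),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("Dropped {proto} flow {src} -> {dst}, reported by {reported_by}".format(**f))
        if f["real_src"]:
            print("  originating host behind the xlate:", f["real_src"])
        print("  candidate NAT rule to review:", f["suggested_static"])
```

Running it on the thread's lines reports one dropped flow from govnet:159.105.221.114/12156 to inside:Proxy1/8080, shows that the mapped source belongs to wireless:10.1.0.9, and notes that the drop was reported from 170.222.200.97 while the xlate was reported from 159.105.221.114, which is exactly the pairing Joe found confusing. Because `Proxy1` is a name rather than an address, the printed rule only applies verbatim where that name is defined on the firewall.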

Yamil,

We have a second wireless location that is working properly.  I looked in our ASA's Nat entries and pulled out an entry for the working wireless that may be what I need to resolve the

"No translation group found for tcp src govnet:159.105.221.114/12689 dst inside:Proxy1/3128" problem

Background:

The working Wireless network is 192.168.103.0

The problem Wireless network is 10.1.0.0

Proxy1 is on the 159 network.

The ASA Nat entry I see for the working network...

  match ip inside 159.105.###.0 255.255.255.0 govnet 192.168.103.0 255.255.255.0

This format is different from what you showed me earlier so I am not sure what this NAT command does.  If I made an entry in the ASA as below:

  match ip inside 159.105.###.0 255.255.255.0 govnet 10.1.0.0 255.255.255.0

Would that solve the problem?

Thanks

--Joe

yamramos.tueme Tue, 03/16/2010 - 10:51

Joe,

To be honest, I don't know any "match" command to do NAT translations.  I looked for that command but I found nothing that would match it used in the global config mode; I've always used nat or static statements.  So I am not sure if adding that command will solve your problem, but you can give it a try or try the static commands.

Cheers!

- Yamil

Yamil,

I tried entering the command static(inside,outside) 159.105.###.20 159.105.###.20 and it keeps telling me the format is incorrect.

I did enter this command and it helped a little:  route govnet 192.168.103.0 255.255.255.0 159.105.221.201 1

I got permission from my security guy to make the changes you suggested.  Can you give me the commands I need to enter to make the error message finally go away.

No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080

I am frustrated.

Thanks

--Joe

Correct Answer
yamramos.tueme Fri, 03/19/2010 - 12:06

If it gives you an error about the command, it is perhaps because we are missing the "netmask" parameter.  The right syntax of the static translation is

static (incoming_interface,outgoing_interface) fake_ip real_ip netmask mask

In your case:

static (inside,outside) 159.105.###.20 159.105.###.20 netmask 255.255.255.255

That will be for a single host, but you can adjust it to match what you need.

Hope that helps so you can finally get rid of that message!

Cheers!

- Yamil
