Syslog ID 305005 No Translation Group Found for

Dec 12th, 2011

Hello all. I have seen a few of these 305005 threads and they're usually related to NAT and resolved quickly. I have poked around a little, but can't seem to get it right. I'm using the Real-Time Log Viewer in my ASA 5510 and see lots of these 305005 errors between VPN clients and a server. Packet Tracer says it's being stopped at the PAT_POOL dynamic translation to pool 1. I'm not solidly sure of what to change.


Thanks in advance!


Result of the command: "show run"


: Saved
:
ASA Version 8.2(1)
!
hostname HOSTNAME
domain-name DOMAIN.NAME
enable password ************ encrypted
passwd ************* encrypted

!

dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.0.0
!
interface Ethernet0/1.160
vlan 160
nameif Guest
security-level 90
ip address 10.160.150.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 4
ip address 192.168.253.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
retries 3
name-server SERVER1
name-server SERVER7
domain-name DOMAIN.NAME
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SERVER6-TCP-3500
service-object tcp eq 3500
object-group network DM_INLINE_NETWORK_1
network-object host SERVER1
network-object host SERVER7
object-group network DM_INLINE_NETWORK_2
network-object host SERVER1
network-object host SERVER7
access-list vpn3000_splitTunnelAcl standard permit 192.168.253.0 255.255.255.0
access-list vpn3000_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list capin extended permit ip host SERVER3 any
access-list capin extended permit ip any host SERVER3
access-list PAT_POOL extended permit ip 192.168.250.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.253.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host SERVER1 eq smtp
access-list inside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list inside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list inside_access_out extended permit ip 192.168.253.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq https
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq www
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Guest 1500
ip local pool ippool 192.168.250.1-192.168.250.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (inside) 1 interface
nat (outside) 1 access-list PAT_POOL outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 192.168.253.0 255.255.255.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Guest) 101 10.160.150.0 255.255.255.0
static (DMZ,outside) tcp interface 8443 SERVER3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp SERVER1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www SERVER7 www netmask 255.255.255.255
static (inside,outside) tcp interface https SERVER7 https netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 https SERVER1 https netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 www SERVER1 www netmask 255.255.255.255
static (DMZ,inside) 192.168.253.0 192.168.253.0 netmask 255.255.255.0
static (DMZ,outside) 3.3.3.3 SERVER6 netmask 255.255.255.255
static (inside,DMZ) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_inside in interface DMZ

!
: end

ajay chauhan Tue, 12/13/2011 - 02:30

Can you please also post log msgs?

sideshowtodd Tue, 12/13/2011 - 09:32
This log is just 14 seconds long:


Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description
3 | Dec 12 2011 | 15:45:04 | 305005 | | | 192.168.250.106 | 137 | No translation group found for udp src inside:SERVER1/137 dst outside:192.168.250.106/137
3 | Dec 12 2011 | 15:45:00 | 305005 | | | 192.168.250.98 | | No translation group found for icmp src inside:10.10.70.249 dst outside:192.168.250.98 (type 8, code 0)
3 | Dec 12 2011 | 15:45:00 | 305005 | | | 192.168.250.106 | | No translation group found for icmp src inside:SERVER1 dst outside:192.168.250.106 (type 8, code 0)
3 | Dec 12 2011 | 15:44:56 | 305005 | | | 192.168.250.105 | 6004 | No translation group found for udp src inside:SERVER1/59052 dst outside:192.168.250.105/6004
3 | Dec 12 2011 | 15:44:56 | 305005 | | | 192.168.250.106 | | No translation group found for icmp src inside:SERVER1 dst outside:192.168.250.106 (type 8, code 0)
3 | Dec 12 2011 | 15:44:56 | 305005 | | | 192.168.250.104 | 6004 | No translation group found for udp src inside:SERVER1/59037 dst outside:192.168.250.104/6004
3 | Dec 12 2011 | 15:44:56 | 305005 | | | 192.168.250.105 | 137 | No translation group found for udp src inside:SERVER1/137 dst outside:192.168.250.105/137
3 | Dec 12 2011 | 15:44:51 | 305005 | | | 192.168.250.105 | 137 | No translation group found for udp src inside:SERVER1/137 dst outside:192.168.250.105/137
3 | Dec 12 2011 | 15:44:51 | 305005 | | | 192.168.250.78 | 6004 | No translation group found for udp src inside:SERVER1/59029 dst outside:192.168.250.78/6004
3 | Dec 12 2011 | 15:44:51 | 305005 | | | 192.168.250.105 | 137 | No translation group found for udp src inside:SERVER1/137 dst outside:192.168.250.105/137
3 | Dec 12 2011 | 15:44:51 | 305005 | | | 192.168.250.86 | 6004 | No translation group found for udp src inside:SERVER1/58708 dst outside:192.168.250.86/6004
3 | Dec 12 2011 | 15:44:47 | 305005 | | | 192.168.250.101 | 6004 | No translation group found for udp src inside:SERVER1/58690 dst outside:192.168.250.101/6004
3 | Dec 12 2011 | 15:44:47 | 305005 | | | 192.168.250.86 | 6004 | No translation group found for udp src inside:SERVER1/58687 dst outside:192.168.250.86/6004
3 | Dec 12 2011 | 15:44:47 | 305005 | | | 192.168.250.79 | 6004 | No translation group found for udp src inside:SERVER1/58671 dst outside:192.168.250.79/6004
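Every line in that capture is the inside server opening a flow toward an address in the VPN pool, which is the detail that matters for the NAT question. The following is an added example, not code from the original post: a small parser for 305005 messages that groups the drops by interface pair, protocol and service and reports which hosts initiate them. The sample lines are constructed to match the shape of the poster's messages (the ASDM viewer strips the %ASA-3-305005: prefix, a syslog collector keeps it; the regex accepts both), and one unrelated 302013 line is included to show that other message IDs are ignored.

```python
"""Parse ASA 305005 "No translation group found" messages and summarise the flows.

Added example for this thread, not code from the original post. SAMPLE_LOG is
constructed from the messages the poster shared.
"""
import re
from collections import Counter

# TCP/UDP form:  ... for udp src inside:HOST/PORT dst outside:HOST/PORT
# ICMP form:     ... for icmp src inside:HOST dst outside:HOST (type 8, code 0)
# HOST may be an IP address or an object name such as SERVER1.
MSG_305005 = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?"
)

# Constructed sample: six 305005 lines shaped like the poster's, plus one 302013 line.
SAMPLE_LOG = """\
%ASA-3-305005: No translation group found for udp src inside:SERVER1/137 dst outside:192.168.250.106/137
%ASA-3-305005: No translation group found for icmp src inside:10.10.70.249 dst outside:192.168.250.98 (type 8, code 0)
%ASA-3-305005: No translation group found for udp src inside:SERVER1/59052 dst outside:192.168.250.105/6004
%ASA-3-305005: No translation group found for udp src inside:SERVER1/59037 dst outside:192.168.250.104/6004
%ASA-3-305005: No translation group found for udp src inside:SERVER1/137 dst outside:192.168.250.105/137
%ASA-3-305005: No translation group found for udp src inside:SERVER1/58708 dst outside:192.168.250.86/6004
%ASA-6-302013: Built inbound TCP connection 4711 for outside:192.168.250.106/51234 (192.168.250.106/51234) to inside:10.10.70.249/445 (10.10.70.249/445)
"""


def parse_305005(line):
    """Return the message fields as a dict, or None if the line is not a 305005."""
    m = MSG_305005.search(line)
    if not m:
        return None
    f = m.groupdict()
    # Normalise the "service": TCP/UDP group by destination port, ICMP by type.
    f["service"] = f"type {f['itype']}" if f["proto"] == "icmp" else f["dport"]
    return f


def summarize(lines):
    """Count drops by (ingress, egress, protocol, service): the NAT pair that lacks a rule."""
    counts = Counter()
    for line in lines:
        f = parse_305005(line)
        if f:
            counts[(f["src_if"], f["dst_if"], f["proto"], f["service"])] += 1
    return counts


def initiators_and_targets(lines):
    """Which side opens the flows: (set of source hosts, set of destination hosts)."""
    srcs, dsts = set(), set()
    for line in lines:
        f = parse_305005(line)
        if f:
            srcs.add(f["src"])
            dsts.add(f["dst"])
    return srcs, dsts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in summarize(lines).most_common():
        print(f"{n:3d}  {key[0]} -> {key[1]}  {key[2]}/{key[3]}")
    print(initiators_and_targets(lines))
```

On the sample the summary shows every drop is inside -> outside with the server as the initiator, which is the pattern to look for: with only a dynamic PAT covering the pool, the pool side can be translated on the way in but nothing can be initiated toward it. To use it on a real export, pass `open(path)` to `summarize` instead of the constructed sample.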
ajay chauhan Wed, 12/14/2011 - 05:49

Please add:


access-list outside_nat0_outbound extended permit ip 192.168.250.0 255.255.255.0 192.168.250.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound


let me know after adding this if you still see any logs.


Thanks

Ajay

sideshowtodd Wed, 12/14/2011 - 10:41

Ajay, thank you for the suggestion. I put that in the configuration but the error is still showing in the logs and the exchange server is unable to contact the 6004 port on the VPN clients.

I'm still a little confused with the issue because we applied that on the outside NAT'ing the client to itself, but the translation log says the source is the (inside) interface with an (outside) destination [server to client].

I escalated this to cisco TAC and will post their solution after they contact me.

Thanks again for your help.

Correct Answer
ajay chauhan Wed, 12/14/2011 - 11:08

Just wondering why this was used .


global (inside) 1 interface

nat (outside) 1 access-list PAT_POOL outside


Ajay

sideshowtodd Wed, 12/14/2011 - 11:15
Actually, Cisco TAC put that in last year when I first set the ASA up. It confused me when he put it in, but he's TAC not me, so I went with it.

Funny thing is that the new SR created for this thread, that's the first thing the engineer asked too.

ajay chauhan Wed, 12/14/2011 - 12:25

Yeah, that's the first thing I would remove to make it a little simpler. For sure that log has to do with NAT not being able to find a NAT rule for the communication.


Thanks

Ajay

sideshowtodd Wed, 12/14/2011 - 14:03
Removing NAT and allowing the vpn client pool to talk directly to the servers fixed the problem. Kudos to you for finding that! Your help is greatly appreciated.

The engineer explained some scenarios where this PAT config would be used and it reminded me, vaguely, of why it was there a year ago when we had two firewalls and the default route for the network went out the other device. When we changed out devices I forgot why we put that PAT there and just assumed we needed it. We needed it at the time, but that was awhile ago. It makes total sense now that I think about it. Now all the traffic goes out this device and the server can't talk to a specific service port on each vpn client through the PAT, that's why the random sequencing worked for all the other traffic.


Anyway, thanks again !

Correct Answer
Jorge Salas (Cisco Employee) Thu, 12/15/2011 - 08:17

Extra information:

******************


The conflict between forward and reverse flows for the traffic was rectified.

PAT implementation is not necessary anymore for the customer deployment.


Problem information:


Phase: 9

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (outside) 1 access-list PAT_POOL outside

nat-control

  match ip outside 192.168.250.0 255.255.255.0 inside 10.10.0.0 255.255.0.0

    dynamic translation to pool 1 (10.10.1.1 [Interface PAT])

    translate_hits = 914415, untranslate_hits = 5635

Additional Information:

Forward Flow based lookup yields rule:

out id=0xab959930, priority=2, domain=nat-reverse, deny=false

        hits=338576, user_data=0xab9596c0, cs_id=0x0, flags=0x0, protocol=0

        src ip=10.10.0.0, mask=255.255.0.0, port=0

        dst ip=192.168.250.0, mask=255.255.255.0, port=0, dscp=0x0



%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:x dst outside:x denied due to NAT reverse path failure


NAT rpf check should always block traffic if different NAT rules are matched for forward and reverse flows. This may happen when there are conflicting Twice NAT rules configured for different directions.


If a NAT rule is configured, this table shows the reverse of what is listed in the translate table (show asp table classify domain nat), NAT (rpf-check): Consider that the source and destination IP of the real (non-translated) packets were flipped, and record what NAT rule that packet would hit (in this reverse direction).
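The method in that note (flip source and destination of the real packet and see which NAT rule the flipped packet would hit) can be worked through for this thread's rule set. The following is an added example and is neither ASA code nor part of the original thread: a deliberately simplified model of the pre-8.3 lookup. The rules are the poster's (the nat 0 exemption on inside, the policy PAT on outside to the inside interface address 10.10.1.1, and the regular PAT to the outside interface 1.1.1.1); the hosts 10.10.70.249 and 192.168.250.98 come from the posted log lines. Rule precedence is reduced to exemption > policy > regular dynamic; statics, ports and xlate timeouts are not modelled. On the poster's 8.2 box the asymmetric case was logged as 305005, while the generic message quoted above is 305013, so the model reports the reason text rather than a message ID for that case.

```python
"""Simplified model of the pre-8.3 ASA NAT lookup and reverse-path (rpf) check.

Added example for this thread, not ASA code. Rule precedence is simplified to
exemption > policy > regular dynamic; statics, ports and xlates are not modelled.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    line: str         # the config line it stands for (reporting only)
    kind: str         # "exempt" (nat 0 access-list), "policy" (nat N access-list), "dynamic" (nat N net mask)
    real_if: str      # interface the real (untranslated) hosts are behind
    real: str         # real source network
    mapped_if: str    # interface whose global pool / address the hosts appear as
    mapped: str = ""  # mapped address (interface PAT); empty for identity
    dst: str = "0.0.0.0/0"  # destination restriction from the policy / exemption ACL

    @property
    def bidirectional(self) -> bool:
        # An exemption is identity NAT and may be entered from either side; a
        # dynamic NAT/PAT only from its real side (replies ride the xlate).
        return self.kind == "exempt"


PRECEDENCE = {"exempt": 0, "policy": 1, "dynamic": 2}


def _direction(rule, src_if, src, dst_if, dst):
    """'forward' if the packet enters from the rule's real side, 'reverse' from its mapped side."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    real, dnet = ipaddress.ip_network(rule.real), ipaddress.ip_network(rule.dst)
    if rule.real_if == src_if and rule.mapped_if == dst_if and s in real and d in dnet:
        return "forward"
    if rule.mapped_if == src_if and rule.real_if == dst_if and d in real and s in dnet:
        return "reverse"
    return None


def lookup(rules, src_if, src, dst_if, dst):
    """Rule a packet hits: the ingress interface's own rules first (by precedence), then reverse entries."""
    hits = [(r, _direction(r, src_if, src, dst_if, dst)) for r in rules]
    for wanted in ("forward", "reverse"):
        cands = sorted((r for r, d in hits if d == wanted), key=lambda r: PRECEDENCE[r.kind])
        if cands:
            return cands[0], wanted
    return None, None


def check_connection(rules, src_if, src, dst_if, dst, nat_control=True):
    """Verdict for a new connection src_if:src -> dst_if:dst, as (action, reason)."""
    rule, direction = lookup(rules, src_if, src, dst_if, dst)
    if rule is None:
        return ("DROP", "305005 no translation group") if nat_control else ("ALLOW", "untranslated")
    if direction == "reverse" and not rule.bidirectional:
        # Entering a dynamic rule from its mapped side needs an existing xlate; a new flow has none.
        return "DROP", f"305005 no translation group ({rule.line})"
    if rule.kind != "exempt":
        # A forward dynamic translation creates the xlate the reply will use, so
        # the reverse path is consistent by construction.
        return "ALLOW", f"src translated to {rule.mapped} ({rule.line})"
    # Identity (exempt) forward: flip the packet and see what it would hit.
    rev_rule, _ = lookup(rules, dst_if, dst, src_if, src)
    if rev_rule is not rule:
        other = rev_rule.line if rev_rule else "none"
        return "DROP", f"rpf-check: forward {rule.line} vs reverse {other}"
    return "ALLOW", f"identity ({rule.line})"


# The poster's rules (addresses from the posted config and log lines).
EXEMPT = NatRule("nat (inside) 0 access-list inside_nat0_outbound", "exempt",
                 "inside", "10.10.0.0/16", "outside", dst="192.168.250.0/24")
PAT_POOL = NatRule("nat (outside) 1 access-list PAT_POOL outside", "policy",
                   "outside", "192.168.250.0/24", "inside", mapped="10.10.1.1", dst="10.10.0.0/16")
INTERNET = NatRule("nat (inside) 101 0.0.0.0 0.0.0.0", "dynamic",
                   "inside", "0.0.0.0/0", "outside", mapped="1.1.1.1")
ORIGINAL = [EXEMPT, PAT_POOL, INTERNET]   # as posted
FIXED = [EXEMPT, INTERNET]                # after removing the outside PAT

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "server -> client:", check_connection(rules, "inside", "10.10.70.249", "outside", "192.168.250.98"))
        print(name, "client -> server:", check_connection(rules, "outside", "192.168.250.98", "inside", "10.10.70.249"))
```

With the original rules the client-initiated flow is allowed and PAT'd to 10.10.1.1, while the server-initiated flow hits the exemption going forward and the outside PAT when flipped, which is the conflict the packet tracer reported. With the PAT rule removed both directions land on the same exemption and the server can reach a specific port on a specific client; unsolicited internet traffic toward the inside is still dropped because it enters the regular dynamic rule from its mapped side.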
