asa 5520 configuration

Bledar Meta
Level 1

No translation group found for tcp src dmz4:192.168.10.10/59858 dst inside:172.20.20.15/7002

On ASA i see the log above , how can i fix that ?

Accepted Solution

Hello,

As Ajay said, please post the running configuration so we can help on this.

We will need to check all the nat statements between DMZ4 and inside, and also the routes, as you said the DMZ4 user needs to access a host behind a Check Point on the inside interface.

You should have a route like this:

route inside x.x.x.x (subnet behind checkpoint) x.x.x.x (netmask) x.x.x.x (checkpoint ip)

But the log is regarding a nat statement not a route, so please proceed to share the running-configuration as needed to help.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


11 Replies

ajay chauhan
Level 7

It is because no nat is not configured between 192.168.10.10 & 172.20.20.15. So simply put, 172.20.20.15 on the inside, which is trying to communicate with 192.x.x.x, has got PAT or some rules configured.

Putting no nat should resolve it.

Thanks

Ajay

can you write an example please ?

Let's consider you have a VPN POOL or L2L tunnel.

POOL- 192.x.x.x.

INSIDE- 172.x.x.x

nat (inside) 1 0.0.0.0 0.0.0.0  This will NAT all the traffic going out from the Inside zone using the global PAT IP, right.

How about when inside talks to the VPN Pool? It should not get natted with the global statement.

nat (inside) 0 access-list ABC

access-list ABC permit ip 172.x.x.x x.x.x.x 192.x.x.x x.x.x.x

This access-list will match first and NAT will be exempt.

NAT exempt works first if you look at the NAT order.

Thanks

Ajay

I removed the ACL on dmz4.

192.168.x.x is the inside IP for the SLB; the real IP is 212.x.x.x, which needs access to 172.x.x.x port 7002.

Now when I try:

212.x.x.x.x_SLB_RT>telnet 172.x.x.x.x 7002

I receive this log: No translation group found for tcp src dmz4:212x.x.x/12450 dst inside:172.x.x.x/7002

My cfg on the ASA for the dmz is:

interface GigabitEthernet0/1.4
nameif dmz4
security-level 90
ip address 212.x.x.x x.x.x.x

You should post the configuration.

asa# show running-config | grep 212.x.x.x

access-list outside_access_in extended permit tcp any host 212.x.x.x eq www

access-list outside_access_in extended permit tcp any host 212.x.x.x eq https

access-list dmz4_access_in extended permit ip host 212.x.x.x any

static (dmz4,outside) 212.x.x.x 212.x.x.x netmask x.x.x.x

Why is this statement required:

static (dmz4,outside) 212.x.x.x 212.x.x.x netmask x.x.x.x? Are those the same IP address?

The error seems to be between inside and dmz4 if the DMZ has got a natted public IP which you are trying to access from inside.

The post below might have the answer to your question.

https://supportforums.cisco.com/message/3516269#3516269

I think it will be a route missing between dmz and inside.

Can you help with how to add it?

What kind of route do you recommend, static or dynamic?

Can you write the syntax?

Since both DMZ and Inside are on the same box, they will be part of the connected route. Routing is not required.

They are not on the same box.

dmz4 needs to access a range behind a checkpoint.

The ASA is connected with a checkpoint.
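The pieces the thread asks for, assembled here as an added example (not config posted by Ajay, Julio or the original poster): Ajay's NAT-exemption approach applied to the dmz4-to-inside flow, plus the route Julio describes. It keeps the pre-8.3 syntax the thread uses and its masked addresses; the ACL name, the 255.255.255.0 mask and the Check Point next-hop are assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax (static / nat 0 access-list),
! matching the commands already shown in this discussion.
! "x" octets are the thread's own masking; the /24 mask and CHECKPOINT-IP are assumptions.

! NAT exemption for the dmz4 host talking to the subnet behind the Check Point.
! With nat 0 + access-list the exemption is bidirectional, so inside hosts can
! also initiate to the dmz4 host without a separate inside-side rule.
access-list dmz4_nat0_outbound extended permit ip host 212.x.x.x 172.x.x.x 255.255.255.0
nat (dmz4) 0 access-list dmz4_nat0_outbound

! Route to the subnet behind the Check Point via the inside interface (Julio's point).
! Without it the ASA has no path for 172.x.x.x even after the NAT lookup succeeds.
route inside 172.x.x.x 255.255.255.0 CHECKPOINT-IP

! Verification: replay the exact flow from the log (305005, "No translation group found").
! packet-tracer shows which phase drops it; show nat confirms the exemption is in the table.
packet-tracer input dmz4 tcp 212.x.x.x 12450 172.x.x.x 7002
show nat
show xlate | include 212.x.x.x
```

Keep the existing static (dmz4,outside) identity rule; the exemption above only covers the dmz4-to-inside pair that the log names.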
