
New Member

asa 5520 configuration

No translation group found for tcp src dmz4:192.168.10.10/59858 dst inside:172.20.20.15/7002

On ASA i see the log above , how can i fix that ?

1 ACCEPTED SOLUTION

Accepted Solutions

asa 5520 configuration

Hello,

As Ajay said, please post the running configuration so we can help on this.

We will need to check all the NAT statements between DMZ4 and inside, and also the routes, as you said the DMZ4 user needs to access a host behind a Check Point on the inside interface.

You should have a route like this:

route inside xx.xx.xx.xx (subnet behind checkpoint) xx.xx.xx.xx (netmask) xx.xx.xx.xx (checkpoint ip)

But the log is regarding a NAT statement, not a route, so please proceed to share the running-configuration as needed to help.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
11 REPLIES

asa 5520 configuration

It is due to "no nat" not being configured between 192.168.10.10 and 172.20.20.15. So simply, if you say 172.20.20.15 on the inside, which is trying to communicate with 192.x.x.x, has got PAT or some rules configured.

Putting "no nat" should resolve it.

Thanks

Ajay

New Member

asa 5520 configuration

can you write an example please ?

asa 5520 configuration

Let's consider you have a VPN POOL or L2L tunnel.

POOL - 192.x.x.x

INSIDE - 172.x.x.x

nat (inside) 1 0.0.0.0 0.0.0.0

This will NAT all the traffic going out from the Inside zone using the global PAT IP, right?

How about when inside talks to the VPN Pool? It should not get NATted with the global statement.

nat (inside) 0 access-list ABC

access-list ABC permit ip 172.x.x.x x.x.x.x 192.x.x.x x.x.x.x

This access-list will match first and NAT will be exempt.

NAT exempt works first if you look at the NAT order.

Thanks

Ajay
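Added example, not code from Ajay's post or from Cisco: a small Python model of the pre-8.3 NAT-control lookup order described above (exemption first, then static, then dynamic), run over the 305005 message from the question. The rule table, the interface names beyond those in the log, and the generated ACL name are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed copy of the %ASA-3-305005 message quoted in the question (not from a live device).
LOG_LINE = ("No translation group found for tcp src dmz4:192.168.10.10/59858 "
            "dst inside:172.20.20.15/7002")
LOG_RE = re.compile(r"No translation group found for (?P<proto>\w+) "
                    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
                    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)")
# Pre-8.3 match order as Ajay describes it: exemption (nat 0 access-list) beats static and dynamic.
NAT_ORDER = ("exempt", "static", "dynamic")

@dataclass
class NatRule:
    kind: str                       # "exempt", "static" or "dynamic" (nat/global)
    src_if: str                     # interface named in the nat/static statement
    src_net: ipaddress.IPv4Network  # real (pre-NAT) sources the rule covers
    dst_net: ipaddress.IPv4Network  # destinations covered (0.0.0.0/0 unless ACL-based)

def rule(kind, src_if, src_net, dst_net="0.0.0.0/0"):
    return NatRule(kind, src_if, ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net))

def parse_305005(line):
    """Extract protocol, interfaces, addresses and ports from a 305005 line; None if it is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def first_match(rules, src_if, src_ip, dst_ip):
    """First rule covering the flow under pre-8.3 ordering, or None (which is what 305005 means)."""
    for kind in NAT_ORDER:
        for r in rules:
            if r.kind == kind and r.src_if == src_if and src_ip in r.src_net and dst_ip in r.dst_net:
                return r
    return None

def exemption_lines(ev):
    """Narrowest pre-8.3 exemption for the logged host pair; the ACL name is constructed."""
    acl = f"{ev['sif']}_nat0"
    return [f"access-list {acl} extended permit ip host {ev['sip']} host {ev['dip']}",
            f"nat ({ev['sif']}) 0 access-list {acl}"]

def diagnose(line, rules):
    """Say which rule should have covered the flow, or what exemption would; None for non-305005 input."""
    ev = parse_305005(line)
    if ev is None:
        return None
    hit = first_match(rules, ev["sif"], ipaddress.ip_address(ev["sip"]), ipaddress.ip_address(ev["dip"]))
    return {"event": ev, "matched": hit.kind if hit else None, "suggest": [] if hit else exemption_lines(ev)}

# Constructed policy: only inside has a dynamic rule, so a dmz4 -> inside flow finds no rule.
RULES = [rule("dynamic", "inside", "0.0.0.0/0")]
```

Adding a matching exemption rule for dmz4 to RULES makes diagnose() report "exempt" instead of suggesting one, which is the fix Ajay is pointing at.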

New Member

Re: asa 5520 configuration

I removed the ACL on dmz4.

192.168.x.x is the inside IP for the SLB; the real IP is 212.x.x.x, which needs access to 172.x.x.x port 7002.

Now when I try:

212.x.x.x.x_SLB_RT>telnet 172.x.x.x.x 7002

I receive this log: No translation group found for tcp src dmz4:212.x.x.x/12450 dst inside:172.x.x.x/7002

My cfg on the ASA for dmz is:

interface GigabitEthernet0/1.4

nameif dmz4
security-level 90
ip address 212.x.x.x   x.x.x.x

asa 5520 configuration

You should post the configuration.

New Member

Re: asa 5520 configuration

asa# show running-config | grep 212.x.x.x

access-list outside_access_in extended permit tcp any host 212.x.x.x eq www

access-list outside_access_in extended permit tcp any host 212.x.x.x eq https

access-list dmz4_access_in extended permit ip host 212.x.x.x any

static (dmz4,outside) 212.x.x.x 212.x.x.x netmask x.x.x.x

asa 5520 configuration

Why is this statement required?

static (dmz4,outside) 212.x.x.x 212.x.x.x netmask x.x.x.x? Are those the same IP address?

The error seems to be between inside and dmz4, if the DMZ has got a NATted public IP which you are trying to access from inside.

The post below might have the answer for your question.

https://supportforums.cisco.com/message/3516269#3516269

New Member

asa 5520 configuration

I think it will be a route missing between dmz and inside.

Can you help with how to add it?

What kind of route do you recommend, static or dynamic?

Can you write the syntax?

asa 5520 configuration

Since both DMZ and Inside are on the same box, they will be part of the connected routes. Routing is not required.

New Member

asa 5520 configuration

They are not on the same box.

dmz4 needs to access a range behind a Check Point.

The ASA is connected with a Check Point.
