12-23-2011 03:16 AM - edited 03-11-2019 03:06 PM
No translation group found for tcp src dmz4:192.168.10.10/59858 dst inside:172.20.20.15/7002
On the ASA I see the log above; how can I fix that?
12-23-2011 09:14 PM
Hello,
As Ajay said, please post the running configuration so we can help on this.
We will need to check all the nat statements between DMZ4 and inside, and also the routes, as you said the DMZ4 user needs to access a host behind a check-point on the inside interface.
You should have a route like this:
route inside xxxxx.xxx.xx.xx ( subnet behind checkpoint) xx.xx.xx.xx (netmask) xx.xx.xx. ( checkpoint ip)
But the log is regarding a nat statement, not a route, so please proceed to share the running-configuration as needed to help.
Regards,
Julio
12-23-2011 03:48 AM
It is because no-nat is not configured between 192.168.10.10 & 172.20.20.15. So, simply put, 172.20.20.15 on the inside, which is trying to communicate with 192.x.x.x, has got PAT or some rules configured.
Putting in no-nat should resolve it.
Thanks
Ajay
12-23-2011 04:27 AM
Can you write an example, please?
12-23-2011 04:34 AM
Let's consider you have a VPN POOL or L2L tunnel.
POOL- 192.x.x.x.
INSIDE- 172.x.x.x
nat (inside) 1 0.0.0.0 0.0.0.0
This will NAT all the traffic going out from the Inside zone using the global PAT IP, right?
How about when inside talks to the VPN Pool? It should not get natted with the global statement.
nat (inside) 0 access-list ABC
access-list ABC permit ip 172.x.x.x. .x.x.x 192..x.x.x.x x.x.x.x
This access-list will match first and NAT will be exempt.
NAT exempt works first if you look at the NAT order.
Thanks
Ajay
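A simplified model of how an exemption ACL like the one in the post above lines up with the flow in the logged message, added here as an illustration; it is not code from any poster in this thread or from Cisco. The ACL name NONAT_DMZ4 and the /24 masks are assumptions, and the matching logic is a simplification of ASA behaviour.

```python
import ipaddress
import re

# ASA "No translation group found" message, in the format quoted in this thread.
LOG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)")
# ACE form used by "nat (if) 0 access-list NAME": permit ip SRC MASK DST MASK
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) (?:extended )?permit ip "
    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+)")

# Constructed config: ACL name and /24 masks are assumptions, not from the thread.
CONFIG = """\
access-list NONAT_DMZ4 extended permit ip 172.20.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT_DMZ4
"""

def parse_log(line):
    """Return the flow fields from a log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def parse_aces(config, acl_name):
    """Return (local_net, remote_net) pairs for every ACE of acl_name."""
    return [(ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False),
             ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False))
            for m in ACE_RE.finditer(config) if m["name"] == acl_name]

def exempt_covers(flow, aces, nat_if):
    """True if the flow's host on nat_if and its peer match an exemption ACE.

    The ACE source is the real address on nat_if and the destination is the
    peer, whichever side opened the connection (simplified model).
    """
    if flow["dif"] == nat_if:
        local, remote = flow["dip"], flow["sip"]
    elif flow["sif"] == nat_if:
        local, remote = flow["sip"], flow["dip"]
    else:
        return False
    local, remote = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    return any(local in src and remote in dst for src, dst in aces)

if __name__ == "__main__":
    line = ("No translation group found for tcp "
            "src dmz4:192.168.10.10/59858 dst inside:172.20.20.15/7002")
    print(exempt_covers(parse_log(line), parse_aces(CONFIG, "NONAT_DMZ4"), "inside"))
```

The ACE is written with the inside network as source even though the logged connection was opened from dmz4, and a source address outside the ACE's destination network is not covered.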
12-23-2011 05:01 AM
I removed the ACL on dmz4.
192.168.x.x is the inside IP for the SLB; the real IP is 212.x.x.x, which needs access on 172.x.x.x port 7002.
Now when I try:
212.x.x.x.x_SLB_RT>telnet 172.x.x.x.x 7002
I receive this log: No translation group found for tcp src dmz4:212x.x.x/12450 dst inside:172.x.x.x/7002
My cfg on the ASA for the dmz is:
interface GigabitEthernet0/1.4
nameif dmz4
security-level 90
ip address 212.x.x.x x.x.x.x
12-23-2011 05:04 AM
You should post the configuration.
12-23-2011 05:11 AM
asa# show running-config | grep 212.x.x.x
access-list outside_access_in extended permit tcp any host 212.x.x.x eq www
access-list outside_access_in extended permit tcp any host 212.x.x.x eq https
access-list dmz4_access_in extended permit ip host 212.x.x.x any
static (dmz4,outside) 212.x.x.x 212.x.x.x netmask x.x.x.x
12-23-2011 05:37 AM
Why is this statement required:
static (dmz4,outside) 212.x.x.x 212.x.x.x netmask x.x.x.x
Are those the same IP address?
The error seems to be between inside and dmz4, if the DMZ has got a natted public IP which you are trying to access from inside.
The post below might have the answer to your question.
12-23-2011 08:15 AM
I think it will be a route missing between dmz and inside.
Can you help with how to add it?
What kind of route do you recommend, static or dynamic?
Can you write the syntax?
12-23-2011 08:17 AM
Since both DMZ and Inside are on the same box, they will be part of the connected routes. Routing is not required.
12-23-2011 08:44 AM
They are not on the same box.
dmz4 needs to access a range behind a checkpoint.
The ASA is connected with a checkpoint.