Cisco Employee

ASA 8.0(4) - NAT Issues - Returning Traffic Not Working

Hello,

I have the following problem doing NAT between my inside and dmz_sp interfaces. Here is the diagram:

[diagram: untitled(2).JPG]

- Whenever these three hosts on dmz_sp access the inside network, they need to be translated to the inside interface IP address.

- Static configuration is not an option, since they don't have inside addresses for this;

- NAT 0 is not an option, because the internal network overlaps.

Based on these needs, I deployed the following configuration:

nat (dmz_sp) 2 10.241.48.136 255.255.255.255 outside
nat (dmz_sp) 2 10.241.48.151 255.255.255.255 outside
nat (dmz_sp) 2 10.241.48.171 255.255.255.255 outside
global (inside) 2 interface

Here's the relevant configuration that was already there before I applied the config above:

no nat-control
nat (inside) 0 access-list acl_nonat
nat (dmz) 1 access-list ACL_SCAN_MAIL
nat (inside) 1 172.16.0.0 255.240.0.0
global (dmz) 1 interface
global (dmz_sp) 1 10.120.0.254
global (dmz_net) 1 10.120.3.254

Now, I have the following problem after I added my dmz_sp NAT configuration:

Whenever hosts in the 172.16.x.x network try to access these three servers on dmz_sp, the FW is not even able to build the connection, and shows the following messages:

Nov 08 2010 16:46:27 FW-1 : %ASA-6-305011: Built dynamic TCP translation from inside:172.21.120.190/1223 to dmz_sp:10.120.0.254/11609

Nov 08 2010 16:46:27 FW-1 : %ASA-3-305005: No translation group found for tcp src inside:172.21.120.190/1223 dst dmz_sp:10.241.48.136/1433

The weird thing is that it shows up in the xlate table but the connection is dropped anyway.

The problem doesn't happen when the inside network tries to access any other host in the same network on dmz_sp.

Is this an expected behavior? What should be done in order to work around this issue?

If any configuration is needed, please let me know. But as I said before, we can assume that routing and permissions are ok.

ACCEPTED SOLUTION
Cisco Employee

Re: ASA 8.0(4) - NAT Issues - Returning Traffic Not Working

If the DMZ_SP host is going to look like the inside interface IP address (hiding behind a pat pool) then, why is the inside host 172.21.120.190 trying to access it using its real IP address 10.241.48.136?

With what you have configured only the DMZ_SP hosts can initiate traffic and the inside hosts can only respond to them. Traffic cannot be initiated from the inside hosts to the dmz hosts.

Nov 08 2010 16:46:27 FW-1 : %ASA-3-305005: No translation group found for tcp src inside:172.21.120.190/1223 dst dmz_sp:10.241.48.136/1433

It appears that you have no choice but to use static (inside,dmz_sp) instead of nat/global outside for the dmz hosts.

Remember you cannot reach the hosts hiding behind a pat pool.  This will be like google trying to reach all your inside hosts hiding behind a pat pool. Just not possible unless you configure static NAT or PAT.

-KS
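The lookup the accepted answer describes (a host behind a dynamic PAT pool has no mapped address a new connection from the pool's side could use, so the ASA logs 305005, while a static supplies one) can be reproduced with a small model. The block below is added here as an illustration; it is neither code from the thread nor Cisco's, and it deliberately omits ports, policy NAT, identity NAT and the other DMZ interfaces. Everything not on the page is an assumption and marked as such in the code: the inside interface address (172.21.120.1), the security levels (100/50), one made-up acl_nonat entry for a constructed inside host 172.21.120.50, and a hypothetical static mapping 172.21.250.136 -> 10.241.48.136 standing in for the fix the answer suggests. It also goes one step past the thread by showing that the same rule hides the inside hosts from dmz_sp behind 10.120.0.254.

```python
"""Simplified model of pre-8.3 ASA NAT matching for a new connection.

Constructed for this thread, not Cisco code: security levels, nat-control,
dynamic nat/global (inside and outside NAT), static NAT and nat 0 exemption.
"""
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Assumptions: the page shows "global (inside) 2 interface" but neither the
# inside interface address, the security levels nor the content of acl_nonat.
INSIDE_IF_IP = IPv4Address("172.21.120.1")   # assumed inside interface IP
SECURITY = {"inside": 100, "dmz_sp": 50}     # assumed security levels

NatRule = namedtuple("NatRule", "ifc nat_id net outside")               # nat (ifc) id net [outside]
Static = namedtuple("Static", "real_ifc mapped_ifc mapped_ip real_ip")  # static (real,mapped) m r
Exempt = namedtuple("Exempt", "ifc real_net peer_net")                  # nat (ifc) 0 access-list
Result = namedtuple("Result", "action mapped_src real_dst events")


@dataclass
class Asa:
    security: dict
    nat_control: bool
    nats: list = field(default_factory=list)
    pools: dict = field(default_factory=dict)    # (global ifc, id) -> PAT address
    statics: list = field(default_factory=list)
    exempts: list = field(default_factory=list)

    def _dynamic(self, ifc, ip, toward):
        """Dynamic rule on `ifc` covering `ip` for a flow whose other end is on
        `toward`: plain NAT applies toward lower security, outside NAT toward
        higher security, and only if a global pool with that id exists there."""
        to_higher = self.security[toward] > self.security[ifc]
        return next((r for r in self.nats if r.ifc == ifc and ip in r.net
                     and r.outside == to_higher and (toward, r.nat_id) in self.pools), None)

    def _exempt(self, ifc, ip, peer):   # NAT exemption is bidirectional
        return any(e.ifc == ifc and ip in e.real_net and peer in e.peer_net
                   for e in self.exempts)

    def _static(self, **match):
        return next((s for s in self.statics
                     if all(getattr(s, k) == v for k, v in match.items())), None)

    def new_connection(self, src_ifc, src, dst_ifc, dst):
        """Decide a new TCP connection src_ifc:src -> dst_ifc:dst and return the
        syslog-style events in the order the thread shows them."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        events = []
        no_group = (f"%ASA-3-305005: No translation group found for tcp "
                    f"src {src_ifc}:{src} dst {dst_ifc}:{dst}")
        # Source side: exemption, then static, then dynamic pool, then nat-control.
        if self._exempt(src_ifc, src, dst):
            mapped_src = src
        elif (st := self._static(real_ifc=src_ifc, mapped_ifc=dst_ifc, real_ip=src)):
            mapped_src = st.mapped_ip
        elif (rule := self._dynamic(src_ifc, src, dst_ifc)):
            mapped_src = self.pools[(dst_ifc, rule.nat_id)]
            events.append(f"%ASA-6-305011: Built dynamic TCP translation from "
                          f"{src_ifc}:{src} to {dst_ifc}:{mapped_src}")
        elif self.nat_control:
            return Result("drop", None, None, events + [no_group])
        else:
            mapped_src = src
        # Destination side: untranslate a static mapped address or honour an
        # exemption; a host hidden behind a dynamic pool on the source interface
        # has no mapped address a new connection could use, so it is dropped.
        if (st := self._static(mapped_ifc=src_ifc, real_ifc=dst_ifc, mapped_ip=dst)):
            real_dst = st.real_ip
        elif self._exempt(dst_ifc, dst, src):
            real_dst = dst
        elif self._dynamic(dst_ifc, dst, src_ifc):
            return Result("drop", mapped_src, None, events + [no_group])
        else:
            real_dst = dst
        return Result("built", mapped_src, real_dst, events)


def thread_config(with_static=False):
    """The rules shown in the thread. acl_nonat is not on the page, so one
    assumed entry for a constructed inside host 172.21.120.50 stands in."""
    asa = Asa(security=dict(SECURITY), nat_control=False)             # no nat-control
    asa.nats.append(NatRule("inside", 1, IPv4Network("172.16.0.0/12"), False))
    for host in ("10.241.48.136", "10.241.48.151", "10.241.48.171"):  # nat (dmz_sp) 2 ... outside
        asa.nats.append(NatRule("dmz_sp", 2, IPv4Network(host + "/32"), True))
    asa.pools[("dmz_sp", 1)] = IPv4Address("10.120.0.254")            # global (dmz_sp) 1
    asa.pools[("inside", 2)] = INSIDE_IF_IP                            # global (inside) 2 interface
    asa.exempts.append(Exempt("inside", IPv4Network("172.21.120.50/32"),
                              IPv4Network("10.241.48.0/24")))          # assumed acl_nonat entry
    if with_static:  # hypothetical: static (dmz_sp,inside) 172.21.250.136 10.241.48.136
        asa.statics.append(Static("dmz_sp", "inside", IPv4Address("172.21.250.136"),
                                  IPv4Address("10.241.48.136")))
    return asa


if __name__ == "__main__":
    for cfg in (thread_config(), thread_config(with_static=True)):
        for flow in (("inside", "172.21.120.190", "dmz_sp", "10.241.48.136"),
                     ("inside", "172.21.120.190", "dmz_sp", "172.21.250.136"),
                     ("dmz_sp", "10.241.48.136", "inside", "172.21.120.50")):
            r = cfg.new_connection(*flow)
            print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {r.action}", *r.events, sep="\n  ")
```

Without the static, inside:172.21.120.190 -> dmz_sp:10.241.48.136 produces exactly the pair of messages in the question: the source PAT to 10.120.0.254 is built first, then the destination lookup fails with 305005, while another dmz_sp host not covered by the `nat (dmz_sp) 2 ... outside` rules passes untranslated. With the static in place the inside host must address the mapped 172.21.250.136, and the same dmz_sp host now sources from the static address instead of the inside interface, because a static takes precedence over a dynamic pool. On a real 8.0(4) box the equivalent check is `packet-tracer input inside tcp 172.21.120.190 1223 10.241.48.136 1433`, whose NAT phase reports which rule, if any, was matched, and `show xlate` / `show nat` to confirm which translations actually exist.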

2 REPLIES
Cisco Employee

Re: ASA 8.0(4) - NAT Issues - Returning Traffic Not Working

Thanks for your swift answer. It was very useful. I'll talk to my customer in order to re-arrange it. The returning traffic was something he hadn't mentioned before.

Anyway, thanks for this!
