We have an internet link from ISP whic is terminated in a router(say Fa 0/0). ISP have provided me a public ip pool for our use. we have configured one of the ip from this pool in other interface of the router(say Fa 0/1) and ASA outside also in the same subnet.
ISP---(Fa 0/0) RTR (Fa 0/1)---ASA----10.50.x.x
When we ping any inside ip with source as Fa 0/0 from router i am getting a reply. But when i ping the same with source as Fa 0/1 i am getting the below log in asa firewall.
No translation group found for icmp src outside:x.x.x.x dst inside:10.50.x.x (type 8, code 0)
But ping is success when we add static NAT command for 10.50.x.x to translate as 10.50.x.x.
I dont understand why you would need to ping your local LAN private address range IP addresses from public network? You can't use the local private IP addresses to connect to Internet anyway.
Also having no configuration attached I can't really say what the situation is on the ASA.
The log message itself says theres no translation configured for the traffic. So I guess you have some rule for the ISP link network (Fa0/0 -> ISP) but not for the address pool (Fa0/1 -> ASA)? Still doesnt make sense why you would need to ping inside hosts from outside with their original IP address.
I'd imagine the syslog id of the message that you mentioned was the following:
Error Message %ASA-3-305005: No translation group found for protocol src
interface_name: source_address/source_port dst interface_name:
Explanation A packet does not match any of the outbound nat command rules. If NAT is not configured for the specified source and destination systems, the message will be generated frequently.
Recommended Action This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.
Can you copy/paste here all your basic ASA configurations while ofcourse changing the public IP addresses/passwords etc. if needed from the output. It would be easy to see then how the translations/traffic works on your ASA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :