Cisco Support Community
tb
New Member

Issue with famous "no translation group found" error

Hello, I'm getting the famous "No translation group found for tcp src" error and can't see the reason.

My config is a little strange. The outside interface is not used (reserved for future integration), the inside interface points to the user network 172.31.48.0/22 and the IF_SECURE_MGMT interface connects to the 192.168.102.0/23 network.

What I want to achieve is NATting the traffic to all destinations coming from the IF_SECURE_MGMT interface except for destinations in the user network 172.31.48.0/22.

When trying to access a server in the 192.168.102.0/23 network, e.g. by RDP, from a host in the user network 172.31.48.0/22, the "no translation group found" error pops up.

This is a part of the ASA 5510 config; it's still running version 8.2:

interface Ethernet0/0
 shutdown
 nameif outside
 security-level 0
 no ip address
 ospf cost 10
!
interface Ethernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 172.31.48.4 255.255.252.0
 ospf cost 10
!
interface Ethernet0/1.102
 vlan 102
 nameif IF_SECURE_MGMT
 security-level 90
 ip address 192.168.103.254 255.255.254.0
 ospf cost 10

access-list ACL_INSIDE_ACCESS_IN extended permit tcp object-group OG_NETWORK_MANAGEMENT_HOSTS LOCAL_LAN_MANAGEMENT 255.255.254.0 object-group OG_SERVICE_NETWORK_MANAGEMENT_TCP
access-list ACL_INSIDE_ACCESS_IN extended permit udp object-group OG_NETWORK_MANAGEMENT_HOSTS LOCAL_LAN_MANAGEMENT 255.255.254.0 object-group OG_SERVICE_NETWORK_MANAGEMENT_UDP
access-list ACL_NONAT_IF_SECURE_MGMT extended permit ip LOCAL_LAN_MANAGEMENT 255.255.254.0 LOCAL_LAN_DGB_BVV 255.255.252.0

nat (IF_SECURE_MGMT) 0 access-list ACL_NONAT_IF_SECURE_MGMT
nat (IF_SECURE_MGMT) 11 LOCAL_LAN_MANAGEMENT 255.255.254.0 outside
global (inside) 11 interface

Any help appreciated. Thanks.

1 REPLY
Cisco Employee

Issue with famous "no translation group found" error

Hi Thomas,

Remember that the Nat 0 must be placed in the higher security level interface.

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"

http://www.cisco.com/web/partners/tools/pdihd.html
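
One way to apply the advice in the reply, as an added example that is not part of the original thread: a NAT exemption bound to the higher-security `inside` interface for traffic from the user network to the management network, followed by a check of the RDP flow. The ACL name `ACL_NONAT_INSIDE` and the two host addresses are assumptions, as is the reading that `LOCAL_LAN_DGB_BVV` names 172.31.48.0 and `LOCAL_LAN_MANAGEMENT` names 192.168.102.0; the names and masks themselves are reused from the posted config.

```text
! Added example in ASA 8.2 syntax, not from the original post.
! ACL_NONAT_INSIDE is a hypothetical name.
!
! Exempt user-network -> management-network traffic from NAT,
! bound to the higher-security interface (inside, security-level 100).
access-list ACL_NONAT_INSIDE extended permit ip LOCAL_LAN_DGB_BVV 255.255.252.0 LOCAL_LAN_MANAGEMENT 255.255.254.0
nat (inside) 0 access-list ACL_NONAT_INSIDE
!
! Trace an RDP connection from a user host to a management server.
! Both host addresses are constructed samples inside the two networks.
packet-tracer input inside tcp 172.31.48.10 50000 192.168.102.10 3389
```

The NAT phases of the `packet-tracer` output show which rule the flow matched; the interface ACL applied to `inside` still has to permit the traffic separately.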
