Community Member

No Translation Group Found

I am getting the following error from my ASA logs:

No translation group found for udp src inside:10.10.10.4/27351 dst outside:10.10.50.42/1129

outside 10.10.50.42 is the address given by my VPN pool. So I have a user on VPN trying to get his mail from the inside.

The strange thing is that the VPN users have access to the inside network and all seems to be working fine.

The error suggests that a packet does not have a matching outbound NAT command rule.

Here are my NAT rules:

access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0

nat (outside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 VPN 255.255.255.0 outside

nat (inside) 0 access-list nonat-in

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list nonat-dmz

nat (dmz) 1 0.0.0.0 0.0.0.0

What NAT would be missing?
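As an added example (not code from the thread or from Cisco), here is a small Python checker for the situation described above: it parses the pre-8.3 ASA syslog text "No translation group found for ..." (message ID 305005), resolves the flow's source and destination, and tests them against the nat 0 (NAT exemption) ACL bound to the flow's ingress interface, in both the logged direction and the reverse direction. It uses first-match ACL semantics and only the posted nonat ACLs and nat statements. LAN and VPN prefixes are taken from the log line (inside:10.10.10.4) and the VPN pool; the DMZ prefix and the MAIL-Private address are assumed values for illustration. It does not model nat-control, outside NAT, static entries, or existing xlate state.

```python
"""Check a flow from an ASA (pre-8.3 NAT syntax) 'No translation group found'
message against the nat 0 ACL on its ingress interface. Added example."""
import ipaddress
import re

# Object names from the posted config. LAN and VPN follow the log line
# (inside:10.10.10.4) and "ip local pool VPN 10.10.50.20-10.10.50.60 mask
# 255.255.255.0"; iPhone-VPN follows its pool line; DMZ is an assumed value.
NAMES = {
    "LAN": "10.10.10.0",
    "VPN": "10.10.50.0",
    "iPhone-VPN": "10.10.60.0",
    "DMZ": "10.10.20.0",  # assumed: the thread never shows the DMZ prefix
}

# Constructed from the thread: the nat 0 ACLs and the nat statements as posted.
POSTED_CONFIG = """\
access-list nonat-dmz extended permit ip DMZ 255.255.255.0 VPN 255.255.255.0
access-list nonat-dmz extended permit ip DMZ 255.255.255.0 iPhone-VPN 255.255.255.0
access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0
access-list nonat-in extended permit ip any iPhone-VPN 255.255.255.0
nat (outside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat-in
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat-dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
"""

# The log line from the original post, and the later one that names a host.
SAMPLE_LOG = "No translation group found for udp src inside:10.10.10.4/27351 dst outside:10.10.50.42/1129"
MAIL_LOG = "No translation group found for udp src inside:MAIL-Private/28316 dst outside:10.10.50.43/1428"
ASSUMED_HOSTS = {"MAIL-Private": "10.10.10.25"}  # assumed address, not from the thread

LOG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<shost>[\w.-]+)/\d+ "
    r"dst (?P<dif>[\w-]+):(?P<dhost>[\w.-]+)/\d+"
)

def resolve_host(token, hosts):
    """Dotted quad, or a name present in `hosts`, -> IPv4Address; else None."""
    try:
        return ipaddress.IPv4Address(hosts.get(token, token))
    except ValueError:
        return None

def _addr_spec(tokens, i):
    """Consume one ACE address spec (any | host X | NAME-or-IP MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(NAMES.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    net = NAMES.get(tokens[i], tokens[i])
    return ipaddress.IPv4Network(f"{net}/{tokens[i + 1]}"), i + 2

def parse_acls(config):
    """ACL name -> list of (action, proto, src_net, dst_net) for extended ACEs.
    ACEs that cannot be resolved (unknown names, object-groups) are skipped."""
    acls = {}
    for line in config.splitlines():
        p = line.split()
        if len(p) < 6 or p[0] != "access-list" or p[2] != "extended":
            continue
        try:
            src, i = _addr_spec(p, 5)
            dst, _ = _addr_spec(p, i)
        except (ValueError, IndexError):
            continue
        acls.setdefault(p[1], []).append((p[3], p[4], src, dst))
    return acls

def parse_nat0(config):
    """Interface -> ACL name from 'nat (ifc) 0 access-list NAME' lines."""
    return dict(re.findall(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M))

def ace_matches(acl, proto, src, dst):
    """First-match semantics: True only if the first matching ACE is a permit."""
    for action, aproto, asrc, adst in acl:
        if aproto in ("ip", proto) and src in asrc and dst in adst:
            return action == "permit"
    return False

def check_flow(line, config, hosts=None):
    """Does the logged flow, and its reverse, hit the ingress interface's nat 0 ACL?"""
    m = LOG_RE.search(line)
    if not m:
        return {"status": "unparsed"}
    hosts = hosts or {}
    src, dst = resolve_host(m["shost"], hosts), resolve_host(m["dhost"], hosts)
    if src is None or dst is None:
        return {"status": "unresolved", "src": m["shost"], "dst": m["dhost"]}
    acl = parse_acls(config).get(parse_nat0(config).get(m["sif"]), [])
    return {
        "status": "checked",
        "ingress_if": m["sif"],
        "exempt_on_ingress": ace_matches(acl, m["proto"], src, dst),
        "reverse_ace_on_ingress": ace_matches(acl, m["proto"], dst, src),
    }

if __name__ == "__main__":
    for log in (SAMPLE_LOG, MAIL_LOG):
        print(check_flow(log, POSTED_CONFIG, ASSUMED_HOSTS))
```

For the posted log line the flow 10.10.10.4 -> 10.10.50.42 is matched by the LAN -> VPN entry in nonat-in, while nonat-in has no entry the other way; appending the VPN -> LAN line proposed in the replies makes the reverse check true. When a flow is already exempted and the message still appears, the remaining suspects are the ones the later replies raise: nat-control, the outside NAT statement for the VPN pool, routing, and stale xlates.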

1 ACCEPTED SOLUTION

Re: No Translation Group Found

Do you have one going the other way for nonat-in?

access-list nonat-in extended permit ip VPN 255.255.255.0 LAN 255.255.255.0

15 REPLIES

Community Member

Re: No Translation Group Found

Yes. Here is what I have in my config:

access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0

Community Member

Re: No Translation Group Found

Oops, you mean the other way!!

access-list nonat-in extended permit ip VPN 255.255.255.0 VLAN 255.255.255.0 ??

Community Member

Re: No Translation Group Found

Here is the entire ACL

access-list inside_access_in extended permit icmp any interface outside

access-list inside_access_in extended permit ip any any

access-list dmz_access_in extended permit ip any any

access-list STI-VPN_splitTunnelAcl standard permit LAN 255.255.255.0

access-list STI-VPN_splitTunnelAcl standard permit DMZ 255.255.255.0

access-list inside_nat0_outbound extended permit ip any LAN 255.255.255.0

access-list nonat-dmz extended permit ip DMZ 255.255.255.0 VPN 255.255.255.0

access-list nonat-dmz extended permit ip DMZ 255.255.255.0 iPhone-VPN 255.255.255.0

access-list nonat-in extended permit ip LAN 255.255.255.0 VPN 255.255.255.0

access-list nonat-in extended permit ip any iPhone-VPN 255.255.255.0

access-list outside-acl extended permit tcp any host Mail object-group DM_INLINE_TCP_2

access-list outside-acl extended permit tcp any host WEB object-group Web-Ports

access-list outside-acl extended permit tcp any host SharePoint object-group Web-Ports

access-list outside-acl remark Symantec Endpoint Access and Barracuda Quarantine access

access-list outside-acl extended permit tcp any host 66.159.217.2 object-group DM_INLINE_TCP_3

access-list iPhone_splitTunnelAcl standard permit LAN 255.255.255.0

access-list iPhone_splitTunnelAcl standard permit DMZ 255.255.255.0

ip local pool VPN 10.10.50.20-10.10.50.60 mask 255.255.255.0

ip local pool iPhone-VPN 10.10.60.10-10.10.60.30 mask 255.255.255.0

global (outside) 1 interface

global (inside) 1 interface

global (dmz) 1 interface

nat (outside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 VPN 255.255.255.0 outside

nat (outside) 1 iPhone-VPN 255.255.255.0 outside

nat (inside) 0 access-list nonat-in

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 0 access-list nonat-dmz

nat (dmz) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp Mail https MAIL-Private https netmask 255.255.255.255

static (dmz,outside) tcp WEB https WEB-Private https netmask 255.255.255.255

static (dmz,outside) tcp WEB www WEB-Private www netmask 255.255.255.255

static (dmz,outside) tcp SharePoint www SharePoint-Private www netmask 255.255.255.255

static (dmz,outside) tcp SharePoint https SharePoint-Private https netmask 255.255.255.255

static (inside,outside) tcp Mail smtp Barracuda smtp netmask 255.255.255.255

static (inside,outside) tcp Mail 993 MAIL-Private 993 netmask 255.255.255.255

static (inside,outside) tcp interface 8443 10.10.10.12 8443 netmask 255.255.255.255

static (inside,outside) tcp interface 8080 Barracuda 8080 netmask 255.255.255.255

static (inside,dmz) LAN LAN netmask 255.255.255.0

access-group outside-acl in interface outside

access-group inside_access_in in interface inside

access-group dmz_access_in in interface dmz

Re: No Translation Group Found

You still need to prevent NAT from VPN to INSIDE,

access-list nonat-dmz extended permit ip VPN 255.255.255.0 LAN 255.255.255.0

Community Member

Re: No Translation Group Found

Thanks! I think I got it. I added the following:

access-list nonat-dmz extended permit ip VPN 255.255.255.0 DMZ 255.255.255.0

access-list nonat-in extended permit ip VPN 255.255.255.0 LAN 255.255.255.0

Have not seen the error in the log since I made the change.

*****Spoke too soon*****

Just got another one same thing:

"No translation group found for udp src inside:MAIL-Private/28316 dst outside:10.10.50.43/1428"

Clear xlate??

Thanks again!!

Re: No Translation Group Found

Can you throw together a diagram quick? I had a very similar problem and it had to do with redirects and routing (once I fixed the NAT).

Re: No Translation Group Found

Also, was the message above seen when the VPN client initiated the traffic by checking email?

Community Member

Re: No Translation Group Found

Yes, it was. Here is a drawing.

Thanks!

Re: No Translation Group Found

From a device on the inside can you ping a VPN host and check the log and post if there is something?

Green

Re: No Translation Group Found

You definitely don't need a nonat acl with the vpn as the source, your existing nonat is fine.

What is the purpose of the "outside" keyword here?

nat (outside) 1 VPN 255.255.255.0 outside

If this is to hairpin traffic back out to the internet you do not need it and I would remove it.

Community Member

Re: No Translation Group Found

Yes, that was the purpose, but I realized I had already configured my Split_tunnel.

Thanks! That config is going away.

Community Member

Re: No Translation Group Found

OK, I cannot ping any VPN client address from the inside. I receive the same error:

"No translation group found"

Community Member

Re: No Translation Group Found

Any chance your security levels are non-standard? Is nat-control turned on? A show nameif and the corresponding route statements for the LAN and VPN may help.
