Outbound NAT problem on ASA5520

fsebera (Level 4)

I have an ASA 5520 firewall running in single context router mode.

I.e. a single routed firewall.

Interface TAPPY, IP 192.168.1.1/24

Interface INSIDE, IP 10.0.0.1/24

Host 192.168.1.6/24 (on TAPPY interface) needs to communicate with host 10.0.0.2/24 (on INSIDE interface)

Host 10.0.0.2 must receive packets that appear to have come from the firewall's address.

When I set up a static NAT, I continue to receive this error message:

No translation group found for tcp src TAPPY:192.168.1.6/2345 dst INSIDE:10.0.0.2/4444

Cisco’s explanation is:

A packet does not match any of the outbound NAT command rules.

My cli NAT command is:

STATIC (INSIDE,TAPPY) 192.168.1.6 host 10.0.0.2 netmask 255.255.255.255

I know I have something configured incorrectly but cannot figure it out.

ANY help would be greatly appreciated

Tks

Frank

3 Replies

Kureli Sankar (Cisco Employee)

You need to have

nat (TAPPY) 50 192.168.1.6 255.255.255.255 outside

global (INSIDE) 50 interface

The above will translate the TAPPY IP address and make it look like it was coming from the inside interface IP.

static (INSIDE,TAPPY) 10.0.0.2 10.0.0.2 netmask 255.255.255.255

This will provide identity translation for the inside hosts when they go to the TAPPY to look like themselves.

With the above lines you can only initiate traffic from the TAPPY to the INSIDE.

P.S. I am assuming TAPPY has a lower security level than the INSIDE.

-KS

fsebera (Level 4)

Hi Kusankar,

THANK YOU!!!!!!

This solved my issue completely ... and my non-technical folks are VERY happy!!!!

And yes your assumption of TAPPY having a lower security level than INSIDE was correct.

Communication can only be initiated from a host on TAPPY.

What if I needed a host on INSIDE to initiate communication to a host on TAPPY?

Since INSIDE has a higher security level than TAPPY, seems there should not be a problem - RIGHT?

Now that I (we) have this working, I have time to read more of the ASA configuration guide for future issues.

It's folks like you that make this Group Discussion work.

Thanks again!!

Frank

Kureli Sankar (Cisco Employee), accepted solution

Very glad to hear. Rate the post that helps.

Kudos to you. The problem description (except the missing security level) was very clear.

INSIDE, even though it is on a higher security interface, cannot initiate because the TAPPY host is now behind a PAT (port address translation).

You can, however, initiate connections to other hosts in TAPPY from the inside.

-KS
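A complete configuration for the topology in this thread, as an added example that is not part of any post above: it puts Kureli Sankar's nat/global/static lines into context with the interface definitions, the access-list that lower-to-higher traffic also needs (NAT alone never permits a flow from a lower security level), and packet-tracer checks for both directions: TAPPY to INSIDE, which the thread confirms works, and INSIDE to the TAPPY host, which the accepted answer says fails. Interface names and addresses come from the post; the physical interfaces, the security levels (100 for INSIDE, 50 for TAPPY, consistent with Frank's confirmation that TAPPY is lower), the access-list name TAPPY_IN and tcp/4444 as the only required port are assumptions, and the syntax is the pre-8.3 (ASA 8.2) NAT model the thread uses.

```cisco
! Added example, not taken from the thread. Assumed: Gi0/0 and Gi0/1 as the
! physical interfaces, security levels 100/50, ACL name TAPPY_IN, tcp/4444.
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif TAPPY
 security-level 50
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Outside NAT (dynamic PAT): the TAPPY host is presented to INSIDE as the
! INSIDE interface address 10.0.0.1. The 'outside' keyword is what lets a
! nat/global pair apply to a source on the lower-security interface; without
! it the ASA logs "No translation group found" for TAPPY-sourced packets.
nat (TAPPY) 50 192.168.1.6 255.255.255.255 outside
global (INSIDE) 50 interface
!
! Identity static from the accepted answer: 10.0.0.2 keeps its own address
! toward TAPPY, so it has a translation of its own for the return direction.
static (INSIDE,TAPPY) 10.0.0.2 10.0.0.2 netmask 255.255.255.255
!
! Lower-to-higher traffic must also be permitted by an ACL on the ingress
! interface; this is separate from NAT. Only tcp/4444 is assumed to be needed.
access-list TAPPY_IN extended permit tcp host 192.168.1.6 host 10.0.0.2 eq 4444
access-group TAPPY_IN in interface TAPPY
!
! Verification from exec mode. The working direction, using the ports from
! Frank's log line: expect "Action: allow", and the NAT phase should cite the
! "nat (TAPPY) 50 ... outside" line. 10.0.0.2 will see the source as 10.0.0.1.
packet-tracer input TAPPY tcp 192.168.1.6 2345 10.0.0.2 4444
! After a real connection, the PAT entry for the TAPPY host is visible here:
show xlate | include 192.168.1.6
! The reverse direction has no static for 192.168.1.6; per the accepted answer
! this is expected to fail (the host sits behind a dynamic PAT).
packet-tracer input INSIDE tcp 10.0.0.2 4444 192.168.1.6 2345
```

If the first packet-tracer shows a drop in the ACL phase rather than the NAT phase, the NAT fix is in place and the missing piece is the access-group on TAPPY; if it drops in the NAT phase with no translation group, check that the `outside` keyword is present on the nat line and that the global id (50 here) matches on both commands.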
