Outbound NAT problem on ASA5520

I have an ASA 5520 firewall running in single-context routed mode.

I.e. a single routed firewall.

Interface TAPPY, IP 192.168.1.1/24

Interface INSIDE, IP 10.0.0.1/24

Host 192.168.1.6/24 (on TAPPY interface) needs to communicate with host 10.0.0.2/24 (on INSIDE interface)

Host 10.0.0.2 must receive packets that appear to have come from the firewall's address.

When I set up a static NAT, I continue to receive this error message:

No translation group found for tcp src TAPPY:192.168.1.6/2345 dst INSIDE:10.0.0.2/4444

Cisco’s explanation is:

A packet does not match any of the outbound NAT command rules.

My cli NAT command is:

STATIC (INSIDE,TAPPY) 192.168.1.6 host 10.0.0.2 netmask 255.255.255.255

I know I have something configured incorrectly but cannot figure it out.

ANY help would be greatly appreciated

Tks

Frank

Accepted Solution
Cisco Employee

Re: Outbound NAT problem on ASA5520

Very glad to hear.  Rate the post that helps.

Kudos to you. The problem description (except the missing security level) was very clear.

Inside, even though it is on a higher-security interface, cannot initiate, because the TAPPY host is now behind a PAT (port address translation).

You can, however, initiate connections to other hosts in TAPPY from the inside.

-KS

3 REPLIES
Cisco Employee

Re: Outbound NAT problem on ASA5520

You need to have

nat (TAPPY) 50 192.168.1.6 255.255.255.255 outside

global (INSIDE) 50 interface

The above will translate the TAPPY IP address and make it look like it was coming from the inside interface IP.

static (INSIDE,TAPPY) 10.0.0.2 10.0.0.2 netmask 255.255.255.255

This will provide an identity translation for the inside hosts, so that they appear as themselves when they go to TAPPY.

With the above lines you can only initiate traffic from the TAPPY to the INSIDE.

P.S. I am assuming TAPPY has a lower security level than the INSIDE.

-KS
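The rule lookup behind the reply above (and behind the accepted answer's point that INSIDE cannot initiate to the TAPPY host once it sits behind a PAT) can be traced with a small model. The script below is an added example, not code from the thread or from Cisco: it is a hypothetical, deliberately simplified model of pre-8.3 ASA NAT, understanding only the `static`, `nat` and `global` forms used in this thread, checking statics before dynamic rules, and ignoring nat-control, policy NAT, ACLs and port-level translation. The interface addresses in `IFC_ADDR` are the ones from the question; the rule table, the `No translation group found` parser and the `evaluate` logic are assumptions made for the example. It runs the question's original `static` line and the reply's three corrected lines against the flow named in the log message, and then tries the reverse direction.

```python
import ipaddress
import re

# Interface addresses from the question (constructed lookup table for 'global ... interface').
IFC_ADDR = {"TAPPY": "192.168.1.1", "INSIDE": "10.0.0.1"}
LOG_RE = re.compile(r"No translation group found for (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)")


def parse_log(line):
    """Pull protocol, interfaces and addresses out of the 'No translation group found' syslog text."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 'No translation group found' message")
    proto, src_ifc, src_ip, src_port, dst_ifc, dst_ip, dst_port = m.groups()
    return {"proto": proto, "src_ifc": src_ifc, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ifc": dst_ifc, "dst_ip": dst_ip, "dst_port": int(dst_port)}


def parse_config(text):
    """Parse pre-8.3 static/nat/global lines into one rule table (keywords case-insensitive).

    statics: (real_ifc, mapped_ifc, mapped_ip, real_network)  from 'static (real,mapped) mapped real netmask m'
    dynamic: (real_ifc, nat_id, real_network)                  from 'nat (ifc) id ip mask [outside]'
    pools:   {(mapped_ifc, nat_id): 'interface' or address}    from 'global (ifc) id ...'
    """
    rules = {"statics": [], "dynamic": [], "pools": {}}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kw, ifcs = parts[0].lower(), parts[1].strip("()").split(",")
        if kw == "static":
            toks = [p for p in parts[2:] if p.lower() != "host"]  # tolerate a stray 'host' keyword
            rules["statics"].append((ifcs[0], ifcs[1], toks[0], ipaddress.IPv4Network(f"{toks[1]}/{toks[3]}")))
        elif kw == "nat":
            rules["dynamic"].append((ifcs[0], int(parts[2]), ipaddress.IPv4Network(f"{parts[3]}/{parts[4]}")))
        elif kw == "global":
            rules["pools"][(ifcs[0], int(parts[2]))] = parts[3]
    return rules


def source_translation(rules, src_ifc, src_ip, dst_ifc):
    """Mapped source address for src_ip leaving src_ifc toward dst_ifc, or None when no rule matches."""
    ip = ipaddress.IPv4Address(src_ip)
    for real_ifc, mapped_ifc, mapped_ip, net in rules["statics"]:  # statics are consulted first
        if real_ifc == src_ifc and mapped_ifc == dst_ifc and ip in net:
            return mapped_ip
    for real_ifc, nat_id, net in rules["dynamic"]:
        pool = rules["pools"].get((dst_ifc, nat_id))
        if real_ifc == src_ifc and ip in net and pool is not None:
            return IFC_ADDR[dst_ifc] if pool == "interface" else pool  # PAT to the egress interface
    return None


def destination_has_fixed_xlate(rules, src_ifc, dst_ifc, dst_ip):
    """False when dst_ip is covered only by a dynamic rule on dst_ifc: no xlate exists until it initiates."""
    ip = ipaddress.IPv4Address(dst_ip)
    for real_ifc, mapped_ifc, _mapped_ip, net in rules["statics"]:
        if real_ifc == dst_ifc and mapped_ifc == src_ifc and ip in net:
            return True
    for real_ifc, nat_id, net in rules["dynamic"]:
        if real_ifc == dst_ifc and ip in net and (src_ifc, nat_id) in rules["pools"]:
            return False
    return True


def evaluate(rules, src_ifc, src_ip, dst_ifc, dst_ip):
    """Return (allowed, mapped_source_or_reason) for a connection initiated by src_ip."""
    mapped = source_translation(rules, src_ifc, src_ip, dst_ifc)
    if mapped is None:
        return False, f"No translation group found for src {src_ifc}:{src_ip} dst {dst_ifc}:{dst_ip}"
    if not destination_has_fixed_xlate(rules, src_ifc, dst_ifc, dst_ip):
        return False, f"{dst_ifc}:{dst_ip} sits behind a dynamic PAT; only it can initiate"
    return True, mapped


# The question's single static line, the reply's three lines (INSIDE typo corrected), and the quoted log line.
FRANK_CONFIG = "STATIC (INSIDE,TAPPY) 192.168.1.6 host 10.0.0.2 netmask 255.255.255.255"
FIXED_CONFIG = """
nat (TAPPY) 50 192.168.1.6 255.255.255.255 outside
global (INSIDE) 50 interface
static (INSIDE,TAPPY) 10.0.0.2 10.0.0.2 netmask 255.255.255.255
"""
LOG_LINE = "No translation group found for tcp src TAPPY:192.168.1.6/2345 dst INSIDE:10.0.0.2/4444"

if __name__ == "__main__":
    f = parse_log(LOG_LINE)
    flow = (f["src_ifc"], f["src_ip"], f["dst_ifc"], f["dst_ip"])
    fixed = parse_config(FIXED_CONFIG)
    print("original, TAPPY -> INSIDE:", evaluate(parse_config(FRANK_CONFIG), *flow))
    print("fixed,    TAPPY -> INSIDE:", evaluate(fixed, *flow))
    print("fixed,    INSIDE -> TAPPY host:", evaluate(fixed, "INSIDE", "10.0.0.2", "TAPPY", "192.168.1.6"))
    print("fixed,    INSIDE -> other TAPPY host:", evaluate(fixed, "INSIDE", "10.0.0.2", "TAPPY", "192.168.1.50"))
```

With the question's lone static, the flow from the log has no rule whose real interface is TAPPY, so the model reports the same "No translation group found" condition. With the reply's lines, 192.168.1.6 leaves INSIDE as 10.0.0.1 (the interface PAT), 10.0.0.2 keeps its own address through the identity static, and a connection from 10.0.0.2 to 192.168.1.6 is refused because that host is covered only by the dynamic rule, while another TAPPY host such as 192.168.1.50 is still reachable from inside.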

Bronze

Re: Outbound NAT problem on ASA5520

Hi Kusankar,

THANK YOU!!!!!!

This solved my issue completely, and my non-technical folks are VERY happy!

And yes your assumption of TAPPY having a lower security level than INSIDE was correct.

Communication can only be initiated from a host on TAPPY.

What if I needed a host on INSIDE to initiate communication to a host on TAPPY?

Since INSIDE has a higher security level than TAPPY, it seems there should not be a problem, right?

Now that I (we) have this working, I have time to read more of the ASA configuration guide for future issues.

It's folks like you that make this Group Discussion work.

Thanks again!!

Frank
