Packet trace output

opnineopnine (Level 1)

Hi all,

I have the following output from my packet trace, and I need to know if Phase 5 will be an error or not.

And then in my logs I get this error:

%ASA-3-305005: No translation group found for tcp src

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.17.2.0     255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
  match ip DMZ any outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,outside) 190.17.221.69 172.17.2.69 netmask 255.255.255.255
nat-control
  match ip DMZ host 172.17.2.69 outside any
    static translation to 190.17.221.69
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

Thanks.

Accepted Solution

Marvin Rhoads (Hall of Fame)

As indicated in Phase 5, you will not be NATting anything from the DMZ to the outside interface per that rule. Phase 6 finds a static NAT for your host address.

The summary indicating "Action: allow" shows that the ASA will indeed pass the packets through, since the source and destination you specified are apparently both on the DMZ interface per the ASA's understanding.

7 Replies

Hello Marvin,

Thanks for your help, but can you tell me why I have this error?

%ASA-3-305005: No translation group found for tcp src DMZ:172.17.2.69 /443 dst DMZ1:SRV/443

Your error message references a source on the DMZ interface and destination on the DMZ1 interface.

Please re-run packet-tracer with source address 172.17.2.69 coming in on DMZ and destined for SRV (a network-object or name) on DMZ1. That will show you the rule you are hitting.

Hello Marvin,

When I do a packet trace, I have the drop by ACL, but when I do the detail I don't have any info. How can I debug which ACL is dropping my traffic?

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8635f60, priority=500, domain=permit, deny=true
        hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=197.80.10.68, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Thanks.

Your latest output shows a drop due to "implicit rule". Most often this means you have applied an access list on an interface and not explicitly allowed the traffic you are checking with the packet-tracer.

Remember when you have ANY access list applied to an interface it adds an implicit deny at the end. That is, anything not explicitly allowed is denied.

The second most common case would be between same security interfaces. If you have no access lists on the interfaces and they are same security, you need to explicitly allow "same-security inter-interface".
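As an added example (not code from this thread or from Cisco), the following Python script parses packet-tracer output like the one quoted above, reports the first phase that returned DROP using the same reasoning given in the replies (implicit deny from an access-group, or same-security interfaces without inter-interface traffic permitted, or no matching NAT rule), and pulls the interfaces, hosts and ports out of a %ASA-3-305005 syslog line so that a source/destination interface mismatch such as DMZ versus DMZ1 is visible before re-running packet-tracer. The sample trace and log line embedded in it are constructed from the excerpts in this thread; the packet-tracer command string it suggests assumes the logged destination name resolves to an address the ASA will accept.

```python
"""Added example (not from the thread): triage helpers for ASA packet-tracer
output and %ASA-3-305005 syslog lines. Sample inputs below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"


def parse_packet_tracer(text: str) -> Tuple[List[Phase], Optional[str]]:
    """Split packet-tracer output into Phase records plus the trailer's Action."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    section: Optional[str] = None
    action: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":            # a bare "Result:" opens the summary trailer
            current, section = None, None
            continue
        if current is None:              # inside the trailer: only the Action matters here
            m = re.match(r"^Action:\s*(\S+)", line)
            if m:
                action = m.group(1).lower()
            continue
        if line.startswith("Type:"):
            current.type = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            current.result = line[len("Result:"):].strip().upper()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, action


def first_drop(phases: List[Phase]) -> Optional[Phase]:
    """The phase that dropped the packet, or None if every phase allowed it."""
    return next((p for p in phases if p.result == "DROP"), None)


def explain_phase(p: Phase) -> str:
    """Map the dropping phase to its usual cause, following the thread's reasoning."""
    cfg = " ".join(p.config)
    if p.type == "ACCESS-LIST" and "Implicit Rule" in cfg:
        return ("implicit deny: an access-group on the input interface permits nothing "
                "for this flow, or the interfaces are same-security and "
                "'same-security-traffic permit inter-interface' is not configured")
    if p.type == "NAT" and "no translation group" in cfg:
        return "no translation group: no nat/static rule matches this source and destination"
    return f"dropped in {p.type} {p.subtype}".strip()


# %ASA-3-305005: No translation group found for <proto> src <ifc>:<ip> /<port> dst <ifc>:<host>/<port>
SYSLOG_305005 = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+?)\s*/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+?)\s*/(?P<dport>\d+)")


def parse_305005(line: str) -> Optional[Dict[str, Any]]:
    """Extract interfaces, hosts and ports from a 305005 line; None if truncated/unmatched."""
    m = SYSLOG_305005.search(line)
    if not m:
        return None
    f: Dict[str, Any] = m.groupdict()
    f["cross_interface"] = f["src_if"] != f["dst_if"]   # e.g. DMZ -> DMZ1 in the thread
    return f


def suggest_packet_tracer(f: Dict[str, Any]) -> str:
    """Build the packet-tracer command reproducing the logged flow (resolve dst if it is a name)."""
    return f"packet-tracer input {f['src_if']} {f['proto']} {f['src']} {f['sport']} {f['dst']} {f['dport']}"


# Constructed sample: the DROP trace from the thread, cut to three phases plus the trailer.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.17.2.0     255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8635f60, priority=500, domain=permit, deny=true

Result:
input-interface: DMZ
input-status: up
Action: drop
"""
SAMPLE_SYSLOG = "%ASA-3-305005: No translation group found for tcp src DMZ:172.17.2.69 /443 dst DMZ1:SRV/443"

if __name__ == "__main__":
    phases, action = parse_packet_tracer(SAMPLE_TRACE)
    drop = first_drop(phases)
    print(f"action={action}; first DROP in phase {drop.number} ({drop.type}): {explain_phase(drop)}")
    fields = parse_305005(SAMPLE_SYSLOG)
    print(f"cross-interface={fields['cross_interface']}; re-run: {suggest_packet_tracer(fields)}")
```

Run it against a pasted trace to get the dropping phase and its Config lines in one place; the 305005 parser returns None for a line truncated the way the opening post's was, so a check for None is needed before building the packet-tracer command.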

Marvin,

Can I send you my config so you can check it?

Many thanks.

OK. Please check your private messages for my e-mail address.
