09-10-2014 08:20 AM - edited 03-11-2019 09:44 PM
Hi all,
I have the following output from my packet trace, and I need to know if Phase 5 will be an error or not.
And then in my logs I get this error
%ASA-3-305005: No translation group found for tcp src
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.17.2.0 255.255.255.0 DMZ
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any outside any
no translation group, implicit deny
policy_hits = 0
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,outside) 190.17.221.69 172.17.2.69 netmask 255.255.255.255
nat-control
match ip DMZ host 172.17.2.69 outside any
static translation to 190.17.221.69
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6, packet dispatched to next module
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
Thanks.
09-10-2014 11:42 AM
As indicated in Phase 5, you will not be NATting anything from the DMZ to the outside interface per that rule. Phase 6 finds a static NAT for your host address.
The summary indicating "Action: allow" shows that the ASA will indeed pass the packets through since the source and destination you specified are apparently both on the DMZ interface per the ASA's understanding.
09-10-2014 11:42 AM
Hello Marvin,
Thanks for your help, but can you tell me why I have this error
%ASA-3-305005: No translation group found for tcp src DMZ:172.17.2.69/443 dst DMZ1:SRV/443
09-10-2014 03:47 PM
Your error message references a source on the DMZ interface and destination on the DMZ1 interface.
Please re-run packet-tracer with source address 172.17.2.69 coming in on DMZ and destined for SRV (a network-object or name) on DMZ1. That will show you the rule you are hitting.
09-11-2014 06:44 PM
Hello Marvin,
When I do a packet trace, I have the drop by ACL, but when I do the detail I don't have any info. How can I debug what ACL is dropping my info?
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8635f60, priority=500, domain=permit, deny=true
hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=197.80.10.68, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Thanks.
09-11-2014 07:24 PM
Your latest output shows drop due to "implicit rule". Most often this means you have applied an access list on an interface and not explicitly allowed the traffic you are checking with the packet-tracer.
Remember when you have ANY access list applied to an interface it adds an implicit deny at the end. That is, anything not explicitly allowed is denied.
The second most common case would be between same security interfaces. If you have no access lists on the interfaces and they are same security, you need to explicitly allow "same-security inter-interface".
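As an added illustration that is not part of the thread or of either poster's configuration, the fragment below shows a pre-8.3 ASA configuration (the thread's `nat (DMZ) 0` and `static (DMZ,outside)` syntax is pre-8.3) that addresses both symptoms raised above: the %ASA-3-305005 "No translation group" error for DMZ to DMZ1 traffic, and the "Implicit Rule" ACL drop. The interface names DMZ and DMZ1, the host 172.17.2.69, the ACL name DMZ_access_in and the name SRV are taken from the thread; the address 172.17.3.10 for SRV and the tightened ACE contents are assumptions made for the example.

```cisco
! Added example, not the thread's own configuration.
! Assumption: SRV resolves to 172.17.3.10 via the name command.
names
name 172.17.3.10 SRV

! 1. With nat-control enabled, every flow between two interfaces needs a
!    translation rule. The only rule shown in the thread is
!    static (DMZ,outside), so DMZ -> DMZ1 has no translation group and the
!    ASA logs %ASA-3-305005. An identity static for DMZ -> DMZ1 keeps the
!    real address and satisfies nat-control.
static (DMZ,DMZ1) 172.17.2.69 172.17.2.69 netmask 255.255.255.255

! 2. Any access-group applied to an interface ends in an implicit deny.
!    Permit only what is needed and add an explicit logged catch-all so a
!    denied flow is reported in syslog (%ASA-6-106100 carries the ACL
!    name) instead of showing up only as "Implicit Rule" in packet-tracer.
access-list DMZ_access_in extended permit tcp host 172.17.2.69 host SRV eq 443
access-list DMZ_access_in extended deny ip any any log
access-group DMZ_access_in in interface DMZ

! 3. If DMZ and DMZ1 share the same security level, traffic between them
!    is not forwarded at all until this is enabled, ACL or no ACL.
same-security-traffic permit inter-interface

! Verify with the real source interface, source host and DMZ1 destination:
packet-tracer input DMZ tcp 172.17.2.69 443 172.17.3.10 443 detailed
! Then check which ACE's hit count increments to see the rule that matched:
show access-list DMZ_access_in
```

The `packet-tracer` line is what turns the thread's ambiguous trace (source and destination both on DMZ) into a trace that exercises the DMZ to DMZ1 path; the NAT phase will then show the `static (DMZ,DMZ1)` rule, and the ACCESS-LIST phase will show the specific ACE rather than the implicit deny.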
09-12-2014 03:02 AM
Marvin,
Can I send you my config so you can check it?
Really Thanks.
09-12-2014 07:03 AM
OK. Please check your private messages for my e-mail address.