Cisco Support Community

New Member

Packet trace output

Hi all,

I have the following output from my packet trace, and I need to know if Phase 5 will be an error or not.

And then in my logs I get this error:

%ASA-3-305005: No translation group found for tcp src

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.17.2.0     255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
  match ip DMZ any outside any
    no translation group, implicit deny
    policy_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,outside) 190.17.221.69 172.17.2.69 netmask 255.255.255.255
nat-control
  match ip DMZ host 172.17.2.69 outside any
    static translation to 190.17.221.69
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

Thanks.

Accepted solution

Hall of Fame Super Silver

As indicated in Phase 5, you will not be NATting anything from the DMZ to the outside interface per that rule. Phase 6 finds a static NAT for your host address.

The summary indicating "Action: allow" shows that the ASA will indeed pass the packets through, since the source and destination you specified are apparently both on the DMZ interface per the ASA's understanding.

New Member

Hello Marvin,

Thanks for your help, but can you tell me why I have this error:

%ASA-3-305005: No translation group found for tcp src DMZ:172.17.2.69 /443 dst DMZ1:SRV/443

Hall of Fame Super Silver

Your error message references a source on the DMZ interface and destination on the DMZ1 interface.

Please re-run packet-tracer with source address 172.17.2.69 coming in on DMZ and destined for SRV (a network-object or name) on DMZ1. That will show you the rule you are hitting.

New Member

Hello Marvin,

When I do a packet trace, I have the drop by ACL, but when I do the detail I don't have any info. How can I debug what ACL is dropping my info?

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8635f60, priority=500, domain=permit, deny=true
        hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=197.80.10.68, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

 

thanks.

Hall of Fame Super Silver

Your latest output shows a drop due to "implicit rule". Most often this means you have applied an access list on an interface and not explicitly allowed the traffic you are checking with the packet-tracer.

Remember when you have ANY access list applied to an interface it adds an implicit deny at the end. That is, anything not explicitly allowed is denied.

The second most common case would be between same security interfaces. If you have no access lists on the interfaces and they are same security, you need to explicitly allow "same-security inter-interface".
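An added example, not from this thread or from Cisco: a small Python helper that parses packet-tracer output of the kind pasted above, picks out the first phase whose Result is DROP, and classifies an ACCESS-LIST "Implicit Rule" drop along the lines of the reply above (interface ACL with its implicit deny, or same-security interfaces without `same-security-traffic permit inter-interface`). The sample trace is constructed from lines quoted in this thread.

```python
# Constructed sample modelled on the packet-tracer output pasted in this thread.
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd8635f60, priority=500, domain=permit, deny=true
"""

def parse_phases(text):
    """One dict per 'Phase:' block; Config / Additional Information are line lists."""
    phases, cur, section = [], None, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Phase":
            cur = {"phase": int(val), "Config": [], "Additional Information": []}
            phases.append(cur)
        elif cur is None or line.strip() == "Result:":
            cur = None                      # trailing summary block: no more phases
        elif key in ("Config", "Additional Information") and not val:
            section = key                   # lines that follow belong to this section
        elif key in ("Type", "Subtype", "Result") and not line.startswith(" "):
            cur[key], section = val.strip(), None
        elif section and line.strip():
            cur[section].append(line.strip())
    return phases

def explain_drop(phases):
    """(phase number, explanation) for the first DROP phase, else None."""
    p = next((q for q in phases if q.get("Result") == "DROP"), None)
    if p is None:
        return None
    if p.get("Type") == "ACCESS-LIST" and "Implicit Rule" in p["Config"]:
        return p["phase"], ("implicit deny: no access-list entry on the ingress interface "
                            "permits this flow, or the interfaces share a security level and "
                            "same-security-traffic permit inter-interface is not configured")
    return p["phase"], "dropped in %s phase: %s" % (p.get("Type"), " ".join(p["Config"]))
```

Paste the full output of `packet-tracer ... detail` in place of SAMPLE; the trailing summary block is ignored so it does not disturb the last phase.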

New Member

Marvin,

Can I send you my config so you can check it?

Really, thanks.

Hall of Fame Super Silver

OK. Please check your private messages for my e-mail address.
