I'm getting the following error message while trying to ping from a management workstation to one of my Cisco PIX interfaces. But in between the two devices I have a Cisco ASA which is dropping the traffic, and I can see the following error message in syslog.
I am pinging from 192.168.1.151 to 10.254.231.252.
%ASA-3-305005: No translation group found for icmp src management:192.168.1.151 dst Operators:10.254.231.252 (type 8, code 0)
Here is my partial config:
ip address 10.254.231.254 255.255.255.0
ip address 192.168.1.1 255.255.255.0
global (management) 1 interface
nat (Operators) 1 10.254.231.0 255.255.255.0
nat (Operators) 1 192.168.0.0 255.255.255.0
I don't have any static NAT config on the firewall for these VLANs, but if you want to see the other rules, they are as follows:
static (Operators,PABX) 10.254.231.180 10.254.231.180 netmask 255.255.255.255
static (InterFWInterconnect,Outside) 10.254.224.0 10.254.224.0 netmask 255.255.255.0
Please let me know if you need more config or if you have got any suggestion for me.
static (operators,management) 10.254.231.0 10.254.231.0 netmask 255.255.255.0
I hope this helps.
Thanks for the quick response... I will configure this NAT statement but wanted to know whether it will cause any problem with any other VLAN traffic. I am a bit cautious; that's the reason I am asking you...
I don't know how your network topology is implemented, but the instruction lets your hosts in the operators network be projected on the management network.
I hope this helps.
I think that the static statement (static (operators,management) 10.254.231.0 10.254.231.0 netmask 255.255.255.0) will keep the operators network untranslated when hosts inside the operators net communicate with the management net.
To allow the management network to communicate with the operators net, add this rule also:
access-list nonat_mngt permit ip 192.168.1.0 255.255.255.0 10.254.231.0 255.255.255.0
nat (management) 0 access-list nonat_mngt
This rule allows bidirectional communication; if you want unidirectional communication, it should change.
The error log message sounds like it's a NAT issue, but if the suggestions don't work, it could be better to send a sanitized configuration of your ASA and a network diagram.
Here I have attached the network diagram, but for security reasons I have removed a few tags and IP addresses; you can still see my management workstation and the destination IP address I am trying to ping. Please also find the attached config file, but as usual I removed a few things from it as well...
Let me know if you need more details.
When you are trying to access any resources from your management interface (whose security level is 90) to your operator interface (whose security level is 100), you need to have two things:
1. Static NAT between the operators and management interfaces.
2. An access-list allowing the appropriate traffic (e.g. icmp, ip, tcp; select whichever you want to allow) from the management network to the operator network, bound to the management interface using the access-group command.
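To triage the 305005 messages against the identity static and nat 0 rules proposed earlier in the thread, here is an added Python example (not from the thread, the poster, or Cisco): it parses 305005 syslog lines, groups the untranslated flows by interface pair, and checks each flow against a deliberately simplified model of ASA nat-control behaviour. The sample log lines, the 192.168.2.x source, and the rule semantics encoded in translation_found are assumptions made for the example.

```python
"""Triage ASA %ASA-3-305005 'No translation group found' syslog lines.

Added example, not from the thread. The NAT rule model below is a
simplification of ASA 8.x nat-control behaviour (assumption), limited to
the two rule types the thread proposes: an identity static and a nat 0
access-list exemption.
"""
import ipaddress
import re
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "proto src_if src dst_if dst")

# Constructed sample log lines in the format of the message quoted in the thread.
SAMPLE_SYSLOG = """\
%ASA-3-305005: No translation group found for icmp src management:192.168.1.151 dst Operators:10.254.231.252 (type 8, code 0)
%ASA-3-305005: No translation group found for tcp src management:192.168.1.151/51234 dst Operators:10.254.231.252/22
%ASA-3-305005: No translation group found for udp src management:192.168.2.20/40000 dst PABX:10.254.231.180/5060
%ASA-6-302020: Built outbound ICMP connection (constructed, unrelated line)
"""

# Matches both the icmp form (no ports) and the tcp/udp form (addr/port).
_305005 = re.compile(
    r"%ASA-\d-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)?"
)


def parse_305005(text):
    """Return a Flow for every 305005 line; other messages are ignored."""
    flows = []
    for line in text.splitlines():
        m = _305005.search(line)
        if m:
            d = m.groupdict()
            flows.append(Flow(d["proto"],
                              d["src_if"].lower(), ipaddress.ip_address(d["src"]),
                              d["dst_if"].lower(), ipaddress.ip_address(d["dst"])))
    return flows


def untranslated_pairs(flows):
    """Count untranslated flows per (src_if, dst_if) pair to spot the gap quickly."""
    return Counter((f.src_if, f.dst_if) for f in flows)


# Rule model (assumption: simplified ASA 8.x nat-control semantics).
#   ("static", real_if, mapped_if, real_net): identity static, bidirectional
#   ("nat0", if_name, src_net, dst_net):     nat 0 access-list on if_name
# The two entries mirror the rules suggested in the thread.
PROPOSED_RULES = [
    ("static", "operators", "management", ipaddress.ip_network("10.254.231.0/24")),
    ("nat0", "management",
     ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.254.231.0/24")),
]


def translation_found(flow, rules):
    """True if some rule in the model supplies a translation for this flow.

    A static (real,mapped) covers flows leaving real_if toward mapped_if whose
    source lies in real_net, and flows entering from mapped_if whose destination
    lies in real_net. A nat 0 ACL covers flows originating on its interface that
    match the ACL's source and destination networks.
    """
    for rule in rules:
        if rule[0] == "static":
            _, real_if, mapped_if, real_net = rule
            if flow.src_if == real_if and flow.dst_if == mapped_if and flow.src in real_net:
                return True
            if flow.src_if == mapped_if and flow.dst_if == real_if and flow.dst in real_net:
                return True
        elif rule[0] == "nat0":
            _, if_name, src_net, dst_net = rule
            if flow.src_if == if_name and flow.src in src_net and flow.dst in dst_net:
                return True
    return False


def still_uncovered(flows, rules):
    """Flows from the log that the proposed rules would still not translate."""
    return [f for f in flows if not translation_found(f, rules)]


if __name__ == "__main__":
    flows = parse_305005(SAMPLE_SYSLOG)
    for (src_if, dst_if), n in untranslated_pairs(flows).items():
        print(f"{src_if} -> {dst_if}: {n} untranslated flow(s)")
    for f in still_uncovered(flows, PROPOSED_RULES):
        print("still no translation under proposed rules:", f)
```

Running it shows the two management-to-operators flows from the thread covered by the proposed rules, while the constructed 192.168.2.20 flow toward PABX remains untranslated: neither the nat 0 ACL (wrong source network) nor the static (wrong interface pair) applies, which is exactly the kind of gap the 305005 message reports.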
Please try the following configuration:
1. You should have a statement authorizing icmp from management to operators in the management_access_in access-list.
2. You can add the following statements also:
static (management,operators) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-list nonat permit ip 10.254.231.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
3. In the default policy-map, add inspect icmp.
I will try this and let you know about it soon... So do you also want me to write an access-list on the management interface, is that right? And I will type in your given static NAT statement.
In fact, I read that you have an access-group applied to your management interface, so in this case I would ensure that returning icmp traffic will be authorized.
Another method is to add inspect icmp in the default policy-map.