New Member

ASA 5520 IOS 7.1(2)

Dear All,

Q1. I have an ASA 5520 with IOS 7.1(2). Is this a stable IOS? I am facing some dramatic behaviour of my firewall.

Q2. I am getting 1000s of logs for the below mentioned; what does it mean?

3|Jul 22 2007 18:03:41|305005: No translation group found for udp src inside:172.16.7.33/1036 dst outside:202.x.x.33/53

7.33 is my DNS internal IP.

Q3. What is the meaning of the below mentioned command?

nat (inside) 0 access-list inside_nat0_outbound

Thanks & Regards,

Shelesh

6 REPLIES
Cisco Employee

Re: ASA 5520 IOS 7.1(2)

Shelesh,

I will try to answer some of your questions.

Q1. I would suggest 7.2.2 would be a good stable IOS. But the 7.2.2(19) interim build is a pretty stable one.

Q2. Seems like 7.33 is trying to reach the 202 address, but there is no translation found for the traffic to pass through the interface.

Check the translation information.

Where is the 7.33 IP? Is it on the internal network or DMZ? Seems like it's going to the internet, so check if the source interface of that IP has a nat statement to the global interface.

Eg:

nat (inside) 1 172.16.0.0 255.255.0.0

global (outside) 1 interface

something like this...

Q3. That statement is tied to an access-list.

The nat (inside) 0 statement states that any traffic matching that access-list should be exempt from the NAT process.

So, it will not be NATted.

Let me know if these answers help you.

Thanks

Gilbert
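An added example, not from either poster, that applies the "check where the 7.33 traffic is going" advice to the log itself: it parses ASA 305005 lines in the pipe-delimited format quoted in the question and groups them by source interface, host, protocol and destination port, so a flood from one host can be told apart from a whole interface lacking a nat/global pair. The sample lines are constructed (RFC 5737 addresses on the outside); the regex assumes the exact format shown above.

```python
import re
from collections import Counter, defaultdict

# ASA syslog 305005 in the format quoted in the question:
#   <sev>|<timestamp>|305005: No translation group found for <proto>
#   src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port>
ASA_305005 = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|305005: No translation group found for "
    r"(?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)$"
)

def parse_305005(line):
    """Return the fields of a 305005 line as a dict, or None for any other message."""
    m = ASA_305005.match(line.strip())
    return m.groupdict() if m else None

def untranslated_sources(lines, threshold=1):
    """Group 305005 hits by (src_if, src_ip, proto, dst_port) and return
    (key, hits, distinct_destinations) tuples, busiest first, for groups with
    at least `threshold` hits.  One inside host hitting many outside addresses
    on udp/53 is the 'resolver doing its own recursion' pattern this thread
    ends up with; a key whose src_if has no nat/global pair is the
    missing-translation case described in the reply above."""
    hits, dsts = Counter(), defaultdict(set)
    for line in lines:
        rec = parse_305005(line)
        if rec is None:
            continue
        key = (rec["src_if"], rec["src_ip"], rec["proto"], rec["dst_port"])
        hits[key] += 1
        dsts[key].add(rec["dst_ip"])
    return [(k, n, len(dsts[k])) for k, n in hits.most_common() if n >= threshold]

# Constructed sample lines modelled on the one in the question (RFC 5737
# documentation addresses on the outside); not captured from a real firewall.
SAMPLE_LOG = """\
3|Jul 22 2007 18:03:41|305005: No translation group found for udp src inside:172.16.7.33/1036 dst outside:198.51.100.33/53
3|Jul 22 2007 18:03:42|305005: No translation group found for udp src inside:172.16.7.33/1037 dst outside:192.0.2.10/53
6|Jul 22 2007 18:03:42|302013: Built inbound TCP connection 4711 for outside:203.0.113.5/40000 (203.0.113.5/40000) to inside:172.16.0.3/80 (198.51.100.1/80)
3|Jul 22 2007 18:03:43|305005: No translation group found for udp src inside:172.16.7.33/1038 dst outside:203.0.113.44/53
3|Jul 22 2007 18:03:44|305005: No translation group found for tcp src dmz:172.16.9.5/2049 dst outside:192.0.2.20/443
""".splitlines()

if __name__ == "__main__":
    for (ifc, ip, proto, port), n, ndst in untranslated_sources(SAMPLE_LOG):
        print(f"{ifc}:{ip} -> {proto}/{port}: {n} hits to {ndst} destinations")
```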

New Member

Re: ASA 5520 IOS 7.1(2)

Dear Gilbert,

Thanks for the rapid reply.

Q.1 It means IOS 7.1 is not a stable one, and I have to load IOS 7.2, am I right?

Q.2 I don't want any traffic starting from 7.33 to any public IP.

I have put the command:

ip ACL inside deny ip host 172.16.7.33 any

After this command I am still getting the log; due to so many logs the firewall behaves dramatically. Once we use this command the firewall should block the outbound connection, but it is not doing so. Please find my nat statements:

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.16.0.3 255.255.255.255

nat (inside) 1 172.16.0.19 255.255.255.255

nat (inside) 1 172.16.7.32 255.255.255.255

As you suggest, global (outside) 1 in (it is already there)

and

nat (inside) 1 172.16.0.0 255.255.0.0 (what will this command do? I think it will NAT the whole 172.16 subnet, right? That we don't want; we only want to stop the logs. And in my company we have a separate network for internet access. Only certain hosts have we permitted for talking to public IPs.)

My requirement is to stop all the logs for IP 7.33.

New Member

Re: ASA 5520 IOS 7.1(2)

As the logs are to do with your 7.33 server attempting to access a root DNS server, how should it get its DNS?

New Member

Re: ASA 5520 IOS 7.1(2)

Thanks Gargevarr,

I got your point. I checked my DNS server in the DNS server properties; they had defined root servers. I need to remove the root servers from my internal DNS server, because my intranet is not directly connected with the internet. We have a separate network for internet.

Thanks for your response.

I have one more question.

Q.1 Regarding IOS, as I mentioned I have 7.1; what do you suggest, can I change the IOS?

Thanks & Regards,

Shelesh

Cisco Employee

Re: ASA 5520 IOS 7.1(2)

Shelesh,

7.2.2 would be the next version to go to.

Gilbert

New Member

Re: ASA 5520 IOS 7.1(2)

Hi,

I have upgraded to v.722 but now I am facing another problem.

I have 3 PCs in my INSIDE network:

172.16.7.25

172.16.7.30

172.16.7.26

From remote VPN I am able to ping 172.16.7.25 but I am not able to ping 7.30 and 7.26.

I have a route for 172.16.0.0 pointing to the core switch, but still I am not able to get 7.30 and 7.26.

When I add a route for 172.16.7.30 and 7.26 then I am able to ping.

Can you help me with why it is like that?
