Cisco Support Community


I have established an IPSec VPN between an ASA 5510 and a McAfee firewall. The IPSec tunnel is up and we are also able to reach the destination through ICMP. When we try to telnet on port 1521, we are able to establish a session but not able to access the application. Please find the attached ASA firewall log for reference.




Hi, from the logs it seems you don't have NAT configured between the "internet" and "manage" interfaces.

Could you please post configuration of your ASA?




Hi Satish, It seems that NAT-Control is enabled on your ASA.

What the error message "No translation group found for tcp src internet: dst manage:" means is that you do not have a NAT rule for traffic coming from going to manage host, and you need to have one.

Here is the official Cisco documentation for that error, perhaps it can make things clearer.


Error Message %PIX|ASA-3-305005: No translation group found for protocol src interface_name: source_address/source_port dst interface_name: dest_address/dest_port

A packet does not match any of the outbound nat command rules. If NAT is not configured for the specified source and destination systems, the message will be generated frequently. This message indicates a configuration error.

If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.

What is going on exactly is that the ASA ACL allows the traffic to come in, but when the packet is processed the ASA does not find a NAT that matches that specific traffic, so the traffic gets dropped and you get that error message. So to allow traffic to pass through the ASA firewall you can either add a NAT rule, for example: static (inside,outside) ; or you can disable nat-control.


"Please rate helpful posts"
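
An added example, not part of the thread or of Cisco's documentation: a small Python parser that pulls the 305005 messages discussed above out of a syslog export and counts them per flow, so you can see which interface pairs and hosts lack a NAT rule or exemption. The log lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Pattern follows the 305005 message format quoted in the thread. The port is
# optional because ICMP entries carry no port.
MSG_305005 = re.compile(
    r"%(?:PIX|ASA)-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):\s*(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):\s*(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)

# Constructed sample lines (documentation address ranges), not the poster's log.
SAMPLE_LOG = """\
Jan 10 09:14:02 asa %ASA-3-305005: No translation group found for tcp src internet:198.51.100.20/40112 dst manage:192.0.2.15/1521
Jan 10 09:14:05 asa %ASA-3-305005: No translation group found for tcp src internet:198.51.100.20/40113 dst manage:192.0.2.15/1521
Jan 10 09:14:09 asa %ASA-6-302013: Built inbound TCP connection 991 for internet:198.51.100.20/40114 (198.51.100.20/40114) to manage:192.0.2.15/23 (192.0.2.15/23)
Jan 10 09:15:30 asa %ASA-3-305005: No translation group found for icmp src internet:198.51.100.21 dst manage:192.0.2.16 (type 8, code 0)
"""


def missing_nat_flows(log_text):
    """Count 305005 drops per flow, ignoring the ephemeral source port."""
    flows = Counter()
    for line in log_text.splitlines():
        m = MSG_305005.search(line)
        if not m:
            continue  # other message IDs are not NAT lookup failures
        port = int(m["dst_port"]) if m["dst_port"] else None
        key = (m["proto"], m["src_if"], m["src_ip"], m["dst_if"], m["dst_ip"], port)
        flows[key] += 1
    return flows


def report(flows):
    """Return one summary line per flow, most frequent first."""
    lines = []
    for (proto, s_if, s_ip, d_if, d_ip, port), n in flows.most_common():
        target = f"{d_ip}/{port}" if port is not None else d_ip
        lines.append(f"{n}x {proto} {s_if}:{s_ip} -> {d_if}:{target} has no matching NAT rule")
    return lines


if __name__ == "__main__":
    print("\n".join(report(missing_nat_flows(SAMPLE_LOG))))
```

Each reported interface pair is a candidate for one of the fixes named in the thread: a matching nat or static rule, a NAT 0 ACL entry, or disabling nat-control.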
