02-28-2008 10:12 AM - edited 03-03-2019 08:54 PM
Hi All,
I have been stuck with a NAT problem. My ASA gives me an error like this:
No translation group found for icmp src fugen-dmz:172.16.2.253 dst outside:4.2.2.2 (type 8, code 0)
These hosts are coming from interface ethernet0/3 (named fg-idsys) on my ASA, but here it says they come from ethernet0/2 (named fugen-dmz).
When I look at my security levels, eth0/3 is higher than eth0/2. I think it probably falls to the lower security level to reach outside.
The hosts connected to the eth0/2 are able to reach outside.
Attached are my NAT configs.
Let me know what is missing in the NAT configuration.
NAT show outputs
02-28-2008 10:33 AM
Hi,
Why does the NAT of (fg-idsys) show:
nat (fg-idsys) 1 0.0.0.0 0.0.0.0
This means it doesn't match anything.
Could you clarify your NAT config?
HTH
Mohamed
02-28-2008 11:15 AM
Hi,
I have now changed that to
nat (fg-idsys) 1 172.16.0.0 255.255.0.0
02-28-2008 12:22 PM
Hi Caliber,
Great to be of help.
The normal security level for the LAN is 100 and this shouldn't affect any NAT operation.
HTH
Mohamed
02-28-2008 12:38 PM
I agree with it. Security level doesn't affect NAT.
But I am wondering why the error message on my ASA shows like
No translation group found for icmp src fugen-dmz:172.16.2.253 dst outside:4.2.2.2
If you look at the error, it shows src fugen-dmz, but actually the hosts are connected to fg-idsys.
Four interfaces in the ASA
----------------------
eth0/0 - outside with public IP address, security level 0
eth0/1 - Internal, security level 100, LAN
eth0/2 - DMZ (named fugen-dmz), security level 50
eth0/3 - Named fg-idsys, security level 70
I want some of my hosts to reach the outside interface through the fg-idsys interface.
I am able to ping from the hosts to the fg-idsys interface (and vice versa), but they were not able to reach the internet.
The hosts that were connected to fugen-dmz and internal were able to go outside and get internet access.
02-28-2008 02:39 PM
Hi caliber,
Have you configured an access-list or associated the interface subnet with the NAT pool?
Could you double check?
HTH
Mohamed
02-28-2008 03:03 PM
I haven't created any ACLs for this.
I'm sure something is missing in my NAT config. I couldn't find it.
I have configured PAT.
02-28-2008 03:21 PM
Hi,
Could you post the full config?
Regards,
02-28-2008 03:40 PM
02-28-2008 04:22 PM
Hi,
Please double check the IP address at interface (fg-idsys); I think it should be changed to be within the 172.16.x.x subnet.
Also add the following:
nat (fg-idsys) 1 access-list fg-idsys
You already have an ACL that permits the pool to any destination, but it is not associated with it.
HTH
Mohamed
02-28-2008 04:58 PM
Hi,
I have changed the IP address of fg-idsys to 172.16.0.1
and also applied the suggested NAT config on the ASA,
like this:
nat (fg-idsys) 1 access-list fg-idsys
But still the error message is the same and they were not able to reach outside.
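
Added example, not part of the original thread: a Python check that reads the syslog line and the classic `nat (interface) id network mask` statements quoted in the posts above and separates the statements that cover the source address into those bound to the interface the ASA logged and those bound to another interface. It assumes the pre-8.3 nat syntax used in the thread, where a nat statement applies only to traffic entering on the interface named in parentheses; the function names are hypothetical and only statements quoted in the thread are included.

```python
import ipaddress
import re

# Syslog line and nat statements as quoted in the thread above.
LOG = ("No translation group found for icmp src fugen-dmz:172.16.2.253 "
       "dst outside:4.2.2.2 (type 8, code 0)")
NAT_LINES = [
    "nat (fg-idsys) 1 0.0.0.0 0.0.0.0",
    "nat (fg-idsys) 1 172.16.0.0 255.255.0.0",
    "nat (fg-idsys) 1 access-list fg-idsys",  # skipped: the ACL body is not shown
]

LOG_RE = re.compile(r"No translation group found for (\S+) "
                    r"src ([^:\s]+):(\S+) dst ([^:\s]+):(\S+)")
NAT_RE = re.compile(r"^nat \(([^)]+)\) (\d+) ([\d.]+) ([\d.]+)$")

def parse_log(line):
    """Return protocol, ingress interface and addresses from the syslog text."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a 'No translation group found' message")
    keys = ("proto", "src_if", "src_ip", "dst_if", "dst_ip")
    return dict(zip(keys, m.groups()))

def parse_nat(lines):
    """Parse 'nat (ifc) id network mask' lines into (ifc, id, network) tuples."""
    rules = []
    for line in lines:
        m = NAT_RE.match(line.strip())
        if m:
            ifc, nat_id, net, mask = m.groups()
            rules.append((ifc, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
    return rules

def classify(event, rules):
    """Split rules covering the source IP by whether they sit on the logged interface."""
    src = ipaddress.ip_address(event["src_ip"])
    covering = [r for r in rules if src in r[2]]
    usable = [r for r in covering if r[0] == event["src_if"]]
    wrong_ifc = [r for r in covering if r[0] != event["src_if"]]
    return usable, wrong_ifc

if __name__ == "__main__":
    event = parse_log(LOG)
    usable, wrong_ifc = classify(event, parse_nat(NAT_LINES))
    print(f"source {event['src_ip']} logged on interface {event['src_if']}")
    print("nat statements on that interface:", usable or "none")
    for ifc, nat_id, net in wrong_ifc:
        print(f"covers the address but is bound to {ifc}: nat id {nat_id} {net}")
```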