no nat-control on ASA

yuhuiyao
Level 1

I had no nat-control on the ASA. What I think is that the ASA will allow traffic to traverse different interfaces as long as the ACL permits it. No NAT needed at all. However, when I tried to ping from outside to inside, the ping failed and I found this debug information on the ASA:

No translation group found for icmp src...

Anyone know why?

Thanks,


omar.elmohri
Level 1

Hello,

And have you tried to ping from the inside to the outside?

Because if the ping fails, it is logical not to have any translation.

Another thing: if you ping from inside to outside and it passes without NAT translations, you may be running in transparent mode.

Regards,

Omar

lamav
Level 8

Yu:

How are you?

The no-nat feature only applies to traffic that is traversing a higher level security interface to a lower one. So in other words, from inside to outside. In those instances, if no NAT statement is configured, the ASA will act as a regular router and forward packets based on the rules of the ACL only.

Just as a side note, I'm not sure this applies to your situation, but if you want to remove or disable the nat-control statement in the PIX/ASA, you need to remove all NAT statements from the security appliance. In general, you need to remove the NAT before you turn off NAT control. You have to reconfigure the NAT statement in PIX/ASA to work as expected.

Does that answer your question?

Victor

Thanks for the quick responses; I don't want to remove all NAT, we are just setting up a site-to-site VPN, and Site2 (remote) is running the terminal ping which is being logged with the error. When we attempt to 'pathping' Site2's IP, our traffic is getting routed out the public interface (to the internet). We're not thinking that on our end, there is not a proper route statement for Site2, on the other side of the new VPN. And it is attempting to NAT the Site2 traffic to our internal LAN. Not sure though, we just need connectivity from 10.3.3.0/24 to/from 172.31.1.0/24.

Hello,

Can you please post the relevant configuration (for VPN) here from both sides? Also an output of "show run nat" would be great.

Regards,

NT

This was actually resolved under the other post:

ASA 5505 VPN Issue

https://supportforums.cisco.com/message/3141073#3141073

Thanks again Nagaraja.
