Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

no nat-control on ASA

I had no nat-control on ASA, what I think is the ASA will allow traffic to traverse different interfaces as long as ACL permit it. No nat needed at all. However, when I tried to ping from outside to inside, ping failed and I found these debug information on the ASA:

No translation group found for icmp src...

Anyone know why?

Thanks,

5 REPLIES
New Member

Re: no nat-control on ASA

Hello,

And have you tried to ping from the inside to the outside ?

Because in the case of the ping fails, is logical to don't have any translation.

Other thing, if you ping from inside to outside and it passes without NAT translations, you may run in a transparent mode.

Regards,

Omar

Blue

Re: no nat-control on ASA

Yu:

How are you?

The no-nat feature only applies to traffic that is traversing a higher level security interface to a lower one. So in other words, from inside to outside. In those instances, if no NAT statement is configured, the ASA will act as a regular router and forward packets based on the rules of the ACL only.

Just as a side note, Im not sure this applies to your situation, but if you want to remove or disable the nat-control statement in the PIX/ASA, you need to remove all NAT statements from the security appliance. In general, you need to remove the NAT before you turn off NAT control. You have to reconfigure the NAT statement in PIX/ASA to work as expected.

Does that answer your question?

Victor

New Member

Re: no nat-control on ASA

Thanks for the quick responses; I don't want to remove all NAT, we are just setting up a site-to-site VPN, and Site2 (remote) is running the terminal ping with is being logged with the error.  When we attempt to 'pathping' the site2's ip, our traffic is getting routed out the public interface (to the internet).  We're not thinking that on our end, there is not a proper route statement for site2, on the other side of the new VPN.  And it is attempting to NAT the Site2 traffic to our internal LAN.  Not sure though, we just need connectivity from 10.3.3.0/24 to/from 172.31.1.0/24.

Cisco Employee

Re: no nat-control on ASA

Hello,

Can you please post the relevant configuration (for VPN) here from both

sides? Also an output of "show run nat" would be great.

Regards,

NT

New Member

Re: no nat-control on ASA

This was actually resolved under the other post:

ASA 5505 VPN Issue

https://supportforums.cisco.com/message/3141073#3141073

Thanks again Nagaraja.

2082
Views
0
Helpful
5
Replies
CreatePlease to create content