Question

Cisco ASA - no translation group found

Asked by: magnuso

I have a Cisco ASA5510 that's been working fine for over a year now. However, after a reload none of the VPN connections and translations are coming up again. I receive a lot of "%ASA-3-305005: No translation group found for udp src dmz-public:x_web/2861 dst inside:10.11.15.6/53" type syslog messages.

I believe it must be due to some sort of NAT issue, but this was working fine before. I saved the configuration before reloading so it's not an old config either.

Inbound and outbound connections work fine, but it seems that inter-interface traffic is not being passed.

I have the following NAT and global statements:

nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-dev) 0 access-list dmz-dev_nat0_outbound
nat (dmz-public) 0 access-list dmz-public_nat0_outbound
nat (dmz-public) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
nat (dmz-exch) 1 0.0.0.0 0.0.0.0

global (outside) 1 w.x.y.z

Hoping for quick assistance as my servers are currently not working properly. Any ideas of what could be wrong?


//Magnus

Asked On: 2007-11-28 at 06:06:25, ID 22987499
Tags: asa, translation, group, found, cisco
Topics: Networking Hardware Firewalls, Cisco PIX Firewall
Participating Experts: 2
Points: 500
Comments: 14
Answers

 

by: grblades, Posted on 2007-11-28 at 06:23:49, ID: 20365599

Can you post your current configuration (with the first part of the IP address and the password *'d out)?
It helps to see all the configuration. Often 'static' commands are used in addition to nat/global ones.

 

by: magnuso, Posted on 2007-11-28 at 06:32:21, ID: 20365662

I should perhaps add that I was having trouble (I thought) with the AIP SSM a couple of days back, so I disabled it by:

asa-srl(config)# no service-policy global_policy global
asa-srl(config)# no service-policy interface_policy interface outside

However, after the above trouble, I enabled it again:

asa-srl(config)# service-policy global_policy global
asa-srl(config)# service-policy interface_policy interface outside
asa-srl(config)# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: pptp, packet 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: interface_policy
    Class-map: ips_class_map
      IPS: card status Up, mode inline fail-open
        packet input 273709, packet output 273715, drop 0, reset-drop 0

//Magnus

 

by: magnuso, Posted on 2007-11-28 at 06:38:31, ID: 20365718

Here is the full NAT, global and static mappings. Do you need the whole config as it is quite long?

global (outside) 1 x.y.z.69
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-dev) 0 access-list dmz-dev_nat0_outbound
nat (dmz-public) 0 access-list dmz-public_nat0_outbound
nat (dmz-public) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
nat (dmz-exch) 1 0.0.0.0 0.0.0.0
static (dmz-public,outside) mx.xyzagent.com xyzagent-smtp netmask 255.255.255.255
static (dmz-public,outside) www.xyzagent.com xyzagent-web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.80 xyzoil_db netmask 255.255.255.255
static (dmz-public,outside) x.y.z.81 xyzoil_smtp netmask 255.255.255.255
static (dmz-public,outside) x.y.z.82 gml_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.83 gml_smtp netmask 255.255.255.255
static (dmz-public,outside) x.y.z.84 gml_db netmask 255.255.255.255
static (dmz-public,outside) x.y.z.87 10.11.3.87 netmask 255.255.255.255
static (dmz-public,outside) www.xyztrack.com xyztrack_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.73 xyzvol_web netmask 255.255.255.255
static (dmz-public,outside) www.xyzship.com xyzship_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.105 xyzship_eas netmask 255.255.255.255
static (dmz-public,outside) x.y.z.106 xyzship_ase netmask 255.255.255.255
static (dmz-public,outside) x.y.z.107 xyzship_bpg netmask 255.255.255.255
static (dmz-public,outside) x.y.z.109 10.11.3.109 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.74 10.11.2.74 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.75 10.11.2.75 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.76 10.11.2.76 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.77 10.11.2.77 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.89 10.11.2.89 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.111 10.11.2.111 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.88 10.11.2.88 netmask 255.255.255.255
static (dmz-public,outside) x.y.z.123 10.11.3.3 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz-public_in in interface dmz-public

//Magnus

 

by: grblades, Posted on 2007-11-28 at 06:56:01, ID: 20365873

I can't see any NAT rules there to be applied between the internal and dmz-public networks. Try adding the following configuration. Check that the IP address and netmask are correct for your internal network, as I am guessing from your other configuration.

static (inside,dmz-public) 10.11.15.0 10.11.15.0 netmask 255.255.255.0

 

by: magnuso, Posted on 2007-11-28 at 07:01:50, ID: 20365902

I have several "internal" networks:

asa-srl(config)# sh route | i inside
S    10.11.10.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.15.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.40.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    GML 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.60.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.70.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.80.0 255.255.255.0 [1/0] via 10.11.240.2, inside
C    10.11.240.0 255.255.255.248 is directly connected, inside

I remember there was a setting somewhere to enable traffic through the firewall without address translation, but I can't find the command anywhere. I can swear that I never had direct NAT rules for all my internal-to-dmz connections.

//Magnus

 

by: grblades, Posted on 2007-11-28 at 07:07:42, ID: 20365937

There might be a command. My knowledge is mainly with version 6 of the IOS and enough knowledge of version 7 to do the common things. You must be running version 7 or 8 as you have an ASA.

Someone else may have a better idea if there is an easier option for you.

 

by: magnuso, Posted on 2007-11-28 at 07:09:29, ID: 20365947

Correct - I am running 7.0(5).

 

by: magnuso, Posted on 2007-11-28 at 07:47:01, ID: 20366259

I found the problem! I was missing the nat 0 for all outbound connections on the inside interface.

nat (inside) 0 access-list inside_nat0_outbound

It really is quite strange since I have no idea of how a reload could make one of the nat lines disappear. Like I said - it was working for months until the reload, and just before the reload I saved the config. Very strange...

 

by: magnuso, Posted on 2007-11-28 at 08:00:19, ID: 20366384

Upon further checking I found that there was probably something wrong with my inside_nat0_outbound access-list. When I tried to re-apply it, it complained with:

asa-srl(config)# nat (inside) 0 access-list inside_nat0_outbound
ERROR: access-list has protocol or port

When I checked the access-list I found the following three lines that did indeed include protocol and port details:

access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-public_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-dev_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp GML 255.255.255.0 host 10.11.2.89 eq 2048

Once these three lines were removed from the access-list, it could be reapplied with just a warning:

asa-srl(config)# nat (inside) 0 access-list inside_nat0_outbound
INFO: Outside address overlap with static NAT configuration

I don't quite know what that warning is about, but everything seems to work again now. Could it be that the access-list allowed me to add the protocol/port lines without complaining, but upon rebooting the ASA would have found the access-list in violation of some rules and removed it? It would be good to know for future reference.

//Magnus

 

by: grblades, Posted on 2007-11-28 at 08:07:07, ID: 20366460

Yes you can have protocols and ports in a nat0 acl.
You must have added them at a later date after applying the nat 0 command. When it rebooted it would have applied the configuration to the memory and when it came to the nat 0 command it would have generated the error you saw, logged it to the console or whatever and then continued. That would be why that command disappeared.

 

by: magnuso, Posted on 2007-11-28 at 08:09:34, ID: 20366484

Yes, I did add them later after first applying the nat0 acl. However, you say that I can have protocols and ports in a nat0 acl - so why then did it not allow it, and proceed to remove it?

//Magnus

 

by: grblades, Posted on 2007-11-28 at 08:14:56, ID: 20366527

Sorry, I meant to say that you can't have protocols and ports in a nat 0 acl.

An ACL can have protocols and ports. It's just the acl used by nat 0 that cannot have them.
The ASA gives an error when running the nat 0 command with an incorrect acl specified, but when you edit an already existing acl it does not go through and look to see what else is using it and give any errors at that time.
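A pre-reload check for the failure mode described above (the ASA validates a nat 0 ACL only when the nat command is entered, not when the ACL is edited afterwards), written here as an added example that is not from the thread or from Cisco: the script parses an ASA 7.x-style config, follows every "nat (...) 0 access-list" reference and reports the ACEs that carry a protocol or port, plus references to ACLs that are not defined at all. The config fragment and the network/object names in it are constructed for the example.

```python
import re

# Constructed ASA 7.x config fragment modelled on the thread (not the asker's
# real config). Two ACEs in inside_nat0_outbound carry a protocol/port
# qualifier, which "nat (inside) 0 access-list ..." rejects on reload, and one
# nat 0 rule points at an ACL that was never defined.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.11.15.0 255.255.255.0 10.11.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 10.11.3.0 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp 10.11.50.0 255.255.255.0 host 10.11.2.89 eq 2048
access-list dmz-exch_nonat extended permit ip 10.11.4.0 255.255.255.0 10.11.15.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
nat (dmz-public) 0 access-list dmz-public_nat0_outbound
"""

PORT_KEYWORDS = {"eq", "gt", "lt", "neq", "range"}
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
# Extended ACEs only; remark lines and standard ACLs are ignored on purpose.
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(?:permit|deny) (\S+) (.*)$")


def ace_has_protocol_or_port(proto, rest):
    """True if this ACE would make the ASA reject the ACL as a nat 0 exemption:
    any protocol other than plain 'ip', or a port operator anywhere in it."""
    if proto != "ip":  # tcp/udp/icmp or an object-group of services
        return True
    return any(token in PORT_KEYWORDS for token in rest.split())


def audit_nat0(config_text):
    """Return {acl_name: [problem, ...]} for every ACL referenced by a nat 0
    rule. A problem is an offending ACE line, or a note that the ACL is
    undefined (the rule would then exempt nothing after a reload)."""
    aces = {}
    nat0_refs = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            aces.setdefault(m.group(1), []).append((m.group(2), m.group(3), line))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_refs.append((m.group(1), m.group(2)))
    report = {}
    for iface, acl in nat0_refs:
        problems = []
        if acl not in aces:
            problems.append(f"nat ({iface}) 0 references undefined access-list {acl}")
        for proto, rest, line in aces.get(acl, []):
            if ace_has_protocol_or_port(proto, rest):
                problems.append(line)
        if problems:
            report[acl] = problems
    return report
```

Run audit_nat0 over the output of "show running-config" before a reload; an empty dict means every nat 0 ACL would be accepted again.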

 

by: magnuso, Posted on 2007-11-28 at 08:17:31, ID: 20366552

Interesting. Anyway, thanks for all your help. Even though you didn't find the solution, as you were the only one helping me at all, I will award you the points as the problem is now solved.

Thanks,
Magnus

 

by: dvandusen, Posted on 2008-07-09 at 11:29:29, ID: 21966750

static (inside,dmz-public) 10.11.15.x 10.11.15.x netmask 255.255.255.255

This solution worked for me where the 10.11.15.x was a specific server.
Thanks grblades
