Solved

Cisco ASA - no translation group found

Posted on 2007-11-28
18,055 Views
Last Modified: 2008-07-09
I have a Cisco ASA5510 that's been working fine for over a year now. However, after a reload none of the VPN connections and translations are coming up again. I receive a lot of "%ASA-3-305005: No translation group found for udp src dmz-public:x_web/2861 dst inside:10.11.15.6/53" type syslog messages.

I believe it must be due to some sort of NAT issue, but this was working fine before. I saved the configuration before reloading so it's not an old config either.

Inbound and outbound connections work fine, but it seems that inter-interface traffic is not being passed.

I have the following NAT and global statements:

nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-dev) 0 access-list dmz-dev_nat0_outbound
nat (dmz-public) 0 access-list dmz-public_nat0_outbound
nat (dmz-public) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
nat (dmz-exch) 1 0.0.0.0 0.0.0.0

global (outside) 1 w.x.y.z

Hoping for quick assistance as my servers are currently not working properly. Any ideas of what could be wrong?


//Magnus
Question by magnuso
14 Comments
 
Expert Comment by grblades (ID: 20365599)
Can you post your current configuration (with the first part of the IP address and the password *'d out)?
It helps to see all the configuration. Often 'static' commands are used in addition to nat/global ones.
 

Author Comment by magnuso (ID: 20365662)
I should perhaps add that I was having trouble (I thought) with the AIP SSM a couple of days back, so I disabled it by:

asa-srl(config)# no service-policy global_policy global
asa-srl(config)# no service-policy interface_policy interface outside

However, after the above trouble, I enabled it again:

asa-srl(config)# service-policy global_policy global
asa-srl(config)# service-policy interface_policy interface outside
asa-srl(config)# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: pptp, packet 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: interface_policy
    Class-map: ips_class_map
      IPS: card status Up, mode inline fail-open
        packet input 273709, packet output 273715, drop 0, reset-drop 0

//Magnus
 

Author Comment by magnuso (ID: 20365718)
Here is the full NAT, global and static mappings. Do you need the whole config as it is quite long?

global (outside) 1 x.y.z.69
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-dev) 0 access-list dmz-dev_nat0_outbound
nat (dmz-public) 0 access-list dmz-public_nat0_outbound
nat (dmz-public) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
nat (dmz-exch) 1 0.0.0.0 0.0.0.0
static (dmz-public,outside) mx.xyzagent.com xyzagent-smtp netmask 255.255.255.255
static (dmz-public,outside) www.xyzagent.com xyzagent-web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.80 xyzoil_db netmask 255.255.255.255
static (dmz-public,outside) x.y.z.81 xyzoil_smtp netmask 255.255.255.255
static (dmz-public,outside) x.y.z.82 gml_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.83 gml_smtp netmask 255.255.255.255
static (dmz-public,outside) x.y.z.84 gml_db netmask 255.255.255.255
static (dmz-public,outside) x.y.z.87 10.11.3.87 netmask 255.255.255.255
static (dmz-public,outside) www.xyztrack.com xyztrack_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.73 xyzvol_web netmask 255.255.255.255
static (dmz-public,outside) www.xyzship.com xyzship_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.105 xyzship_eas netmask 255.255.255.255
static (dmz-public,outside) x.y.z.106 xyzship_ase netmask 255.255.255.255
static (dmz-public,outside) x.y.z.107 xyzship_bpg netmask 255.255.255.255
static (dmz-public,outside) x.y.z.109 10.11.3.109 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.74 10.11.2.74 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.75 10.11.2.75 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.76 10.11.2.76 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.77 10.11.2.77 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.89 10.11.2.89 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.111 10.11.2.111 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.88 10.11.2.88 netmask 255.255.255.255
static (dmz-public,outside) x.y.z.123 10.11.3.3 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz-public_in in interface dmz-public

//Magnus
 
Expert Comment by grblades (ID: 20365873)
I can't see any NAT rules there to be applied between the internal and dmz-public networks. Try adding the following configuration. Check that the IP address and netmask are correct for your internal network, as I am guessing from your other configuration.

static (inside,dmz-public) 10.11.15.0 10.11.15.0 netmask 255.255.255.0
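The 305005 messages in the question name the interface pair that has no translation, and the answer above proposes an identity static for the destination subnet. The following Python script is an added example, not code from this thread or from Cisco: it parses a few constructed syslog lines in the %ASA-3-305005 format quoted in the question, counts the untranslated (source interface, destination interface) pairs, lists the most-hit destinations per pair, and derives the candidate identity `static` in the form the answer uses. The sample lines, the dmz-dev entry, and the assumption that inside destinations sit in /24 subnets are all made up for illustration; the real fix on this ASA turned out to be the missing nat 0 exemption, so treat the generated statics as a starting point, not a drop-in.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample syslog lines in the %ASA-3-305005 format quoted in the question
# (not a real capture); the last line is a different message ID and must be ignored.
SAMPLE_LOG = """\
Nov 28 2007 10:01:03 asa-srl %ASA-3-305005: No translation group found for udp src dmz-public:x_web/2861 dst inside:10.11.15.6/53
Nov 28 2007 10:01:04 asa-srl %ASA-3-305005: No translation group found for tcp src dmz-public:10.11.3.87/41022 dst inside:10.11.15.9/8081
Nov 28 2007 10:01:05 asa-srl %ASA-3-305005: No translation group found for udp src dmz-dev:10.11.2.89/2048 dst inside:10.11.40.12/2048
Nov 28 2007 10:01:06 asa-srl %ASA-3-305005: No translation group found for icmp src dmz-public:10.11.3.3 dst inside:10.11.15.6 (type 8, code 0)
Nov 28 2007 10:01:07 asa-srl %ASA-6-302013: Built outbound TCP connection 12345 for outside:1.2.3.4/80 (1.2.3.4/80) to inside:10.11.15.6/3322 (w.x.y.z/1024)
"""

# Fields of the 305005 message: protocol, then "ifc:addr[/port]" for src and dst.
# Ports are absent for ICMP, and hosts may appear as 'names' aliases (x_web) rather than IPs.
MSG_305005 = re.compile(
    r"%ASA-\d-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w.-]+):(?P<src>[\w.-]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[\w.-]+):(?P<dst>[\w.-]+)(?:/(?P<dport>\d+))?"
)


def parse_305005(text):
    """Return one dict per 305005 message found in the syslog text."""
    return [m.groupdict() for line in text.splitlines() if (m := MSG_305005.search(line))]


def interface_pairs(events):
    """Hit count per (src_if, dst_if). Every pair that appears here has no nat/global,
    static or nat 0 exemption covering it in the current running config."""
    return Counter((e["src_if"], e["dst_if"]) for e in events)


def top_destinations(events, n=3):
    """Most-hit (proto, dst, dport) per interface pair: tells you which servers are dark."""
    per_pair = defaultdict(Counter)
    for e in events:
        per_pair[(e["src_if"], e["dst_if"])][(e["proto"], e["dst"], e["dport"])] += 1
    return {pair: c.most_common(n) for pair, c in per_pair.items()}


def identity_static(src_if, dst_if, dst_addr, prefixlen=24):
    """Identity 'static (real_ifc,mapped_ifc) X X netmask M' for the destination subnet,
    in the form the answer above proposes; the destination interface is the real side.
    Assumption: destinations live in /24s; a non-IP 'names' alias gets a host static."""
    try:
        net = ip_network(f"{dst_addr}/{prefixlen}", strict=False)
    except ValueError:
        return f"static ({dst_if},{src_if}) {dst_addr} {dst_addr} netmask 255.255.255.255"
    a = net.network_address
    return f"static ({dst_if},{src_if}) {a} {a} netmask {net.netmask}"


def proposed_statics(events, prefixlen=24):
    """One identity static per (src_if, dst_if, destination subnet) seen in the log."""
    return sorted({identity_static(e["src_if"], e["dst_if"], e["dst"], prefixlen) for e in events})


if __name__ == "__main__":
    ev = parse_305005(SAMPLE_LOG)
    for pair, hits in interface_pairs(ev).most_common():
        print(f"{pair[0]} -> {pair[1]}: {hits} untranslated flows")
        for (proto, dst, dport), n in top_destinations(ev)[pair]:
            print(f"    {n:3d}x {proto} {dst}/{dport or '-'}")
    print("\ncandidate identity statics (check masks before applying):")
    for line in proposed_statics(ev):
        print("  " + line)
```

Feed it `show logging` output (or the syslog server's file) from the window after the reload; the interface pairs it reports are exactly the ones to compare against the nat/global/static lines in the running config.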
 

Author Comment by magnuso (ID: 20365902)
I have several "internal" networks:

asa-srl(config)# sh route | i inside
S    10.11.10.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.15.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.40.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    GML 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.60.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.70.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.80.0 255.255.255.0 [1/0] via 10.11.240.2, inside
C    10.11.240.0 255.255.255.248 is directly connected, inside

I remember there was a setting somewhere to enable traffic through the firewall without address translation, but I can't find the command anywhere. I can swear that I never had direct NAT rules for all my internal-to-dmz connections.

//Magnus
 
Expert Comment by grblades (ID: 20365937)
There might be a command. My knowledge is mainly with version 6 of the IOS and enough knowledge of version 7 to do the common things. You must be running version 7 or 8 as you have an ASA.

Someone else may have a better idea if there is an easier option for you.
 

Author Comment by magnuso (ID: 20365947)
Correct - I am running 7.0(5).
 

Author Comment by magnuso (ID: 20366259)
I found the problem! I was missing the nat 0 for all outbound connections on the inside interface.

nat (inside) 0 access-list inside_nat0_outbound

It really is quite strange since I have no idea of how a reload could make one of the nat lines disappear. Like I said, it was working for months until the reload, and just before the reload I saved the config. Very strange...
 

Author Comment by magnuso (ID: 20366384)
Upon further checking I found that there was probably something wrong with my inside_nat0_outbound access-list. When I tried to re-apply it, it complained with:

asa-srl(config)# nat (inside) 0 access-list inside_nat0_outbound
ERROR: access-list has protocol or port

When I checked the access-list I found the following three lines that did indeed include protocol and port details:
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-public_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-dev_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp GML 255.255.255.0 host 10.11.2.89 eq 2048

Once these three lines were removed from the access-list, it could be reapplied with just a warning:
asa-srl(config)# nat (inside) 0 access-list inside_nat0_outbound
INFO: Outside address overlap with static NAT configuration

Don't quite know what that warning is about, but everything seems to work now again. Could it be that the access-list allowed me to add the protocol/port lines without complaining, but upon rebooting the ASA would have found the access-list in violation of some rules and removed it? It would be good to know for future reference.

//Magnus
 
Expert Comment by grblades (ID: 20366460)
Yes you can have protocols and ports in a nat0 acl.
You must have added them at a later date after applying the nat 0 command. When it rebooted it would have applied the configuration to the memory and when it came to the nat 0 command it would have generated the error you saw, logged it to the console or whatever and then continued. That would be why that command disappeared.
 

Author Comment by magnuso (ID: 20366484)
Yes, I did add them later after first applying the nat0 acl. However, you say that I can have protocols and ports in a nat0 acl - so why then did it not allow it, and proceed to remove it?

//Magnus
 
Accepted Solution by grblades (earned 1500 total points, ID: 20366527)
Sorry, I meant to say that you can't have protocols and ports in a nat 0 ACL.

An ACL can have protocols and ports. It's just the ACL used by nat 0 that cannot have them.
The ASA gives an error when running the nat 0 command with an incorrect ACL specified, but when you edit an already existing ACL it does not go through and look to see what else is using it and give any errors at that time.
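The sequence the thread reconstructs is: the exemption ACL was edited after `nat (inside) 0 access-list inside_nat0_outbound` had been applied, the ASA accepted the new tcp ACEs without complaint, and at reload the `nat 0` line was rejected with "ERROR: access-list has protocol or port" and silently dropped. The following Python checker is an added example, not the thread's own code or a Cisco tool: run against a saved copy of the running config before a reload, it reports which ACEs a `nat 0 access-list` will refuse, a `nat 0` that points at an ACL with no ACEs, and interfaces that have a dynamic `nat` but no exemption at all. The config fragment is constructed for illustration: the three `permit tcp` ACEs are the ones the poster found, while the `permit ip` ACEs, the `dmz-exch_nonat` contents, the missing `dmz-dev_nat0_outbound` ACEs and the absent `nat (dmz-public) 0` are assumptions.

```python
import re
from collections import defaultdict

# Constructed ASA 7.x config fragment modelled on the thread (not the poster's full config).
# The three 'permit tcp' ACEs are the ones the poster found; everything else is assumed filler.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 dmz-public_NET 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 dmz-dev_NET 255.255.255.0
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-public_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-dev_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp GML 255.255.255.0 host 10.11.2.89 eq 2048
access-list dmz-exch_nonat extended permit ip 10.11.4.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list inside_access_in extended permit tcp any host 10.11.15.6 eq 53
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
nat (dmz-exch) 1 0.0.0.0 0.0.0.0
nat (dmz-public) 1 0.0.0.0 0.0.0.0
nat (dmz-dev) 0 access-list dmz-dev_nat0_outbound
global (outside) 1 x.y.z.69
"""

ACE_LINE = re.compile(r"^access-list (?P<name>\S+) extended (?P<body>.+)$")
NAT_LINE = re.compile(r"^nat \((?P<iface>[\w.-]+)\) (?P<id>\d+) (?P<rest>.+)$")
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def _skip_addr(tokens, i):
    """Index just past one address spec: any | host A | object-group G | interface I | A MASK."""
    if tokens[i] == "any":
        return i + 1
    return i + 2  # all two-token forms, including 'NAME MASK' with a 'names' alias such as GML


def ace_problem(body):
    """Why 'nat 0 access-list' would reject this ACE, or None if it is a plain ip ACE.
    The ASA's own message for either case is 'ERROR: access-list has protocol or port'."""
    tokens = body.split()
    proto = tokens[1]               # body is: permit|deny PROTO SRC DST [port spec] [log ...]
    if proto != "ip":
        return f"protocol {proto}"
    i = _skip_addr(tokens, 2)       # source
    i = _skip_addr(tokens, i)       # destination
    for tok in tokens[i:]:
        if tok in PORT_OPS or tok == "object-group":
            return f"port specification '{tok}'"
    return None


def parse_config(config_text):
    """Collect ACEs per ACL name and every nat statement as (iface, id, rest)."""
    aces, nats = defaultdict(list), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACE_LINE.match(line):
            aces[m["name"]].append(m["body"])
        elif m := NAT_LINE.match(line):
            nats.append((m["iface"], int(m["id"]), m["rest"]))
    return aces, nats


def check_nat0_acls(config_text):
    """{(iface, acl): [(ace, reason), ...]} for each 'nat (iface) 0 access-list acl'.
    An empty list means the exemption will survive a reload; a missing ACL is reported too."""
    aces, nats = parse_config(config_text)
    report = {}
    for iface, nat_id, rest in nats:
        if nat_id != 0 or not rest.startswith("access-list "):
            continue
        acl = rest.split()[1]
        if acl not in aces:
            report[(iface, acl)] = [("<no ACEs defined>", "access-list does not exist")]
            continue
        report[(iface, acl)] = [(b, why) for b in aces[acl] if (why := ace_problem(b))]
    return report


def interfaces_without_exemption(config_text):
    """Interfaces with a dynamic 'nat (iface) N' but no 'nat (iface) 0' at all, which is the
    state the poster's inside interface was in after the reload. Heuristic only: it ignores
    statics, which can also supply the translation for a given interface pair."""
    _, nats = parse_config(config_text)
    dynamic = {iface for iface, nat_id, _ in nats if nat_id > 0}
    exempt = {iface for iface, nat_id, _ in nats if nat_id == 0}
    return sorted(dynamic - exempt)


if __name__ == "__main__":
    for (iface, acl), problems in check_nat0_acls(SAMPLE_CONFIG).items():
        status = "OK" if not problems else f"{len(problems)} ACE(s) will be rejected at reload"
        print(f"nat ({iface}) 0 access-list {acl}: {status}")
        for ace, why in problems:
            print(f"    {why}: {ace}")
    print("interfaces with dynamic nat but no nat 0:", interfaces_without_exemption(SAMPLE_CONFIG))
```

The checker does not resolve object-groups: on a tcp/udp ACE the protocol alone is enough to flag it, and a trailing `object-group` on an `ip` ACE is reported as a port specification without inspecting the group. Run it as part of whatever review you do before `reload` or `write memory`; the ASA itself only re-validates the `nat 0` reference when the line is entered or the config is replayed at boot.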
 

Author Comment by magnuso (ID: 20366552)
Interesting. Anyway, thanks for all your help. Even though you didn't find the solution, as you were the only one helping me at all, I will award you the points as the problem is now solved.

Thanks,
Magnus
 

Expert Comment by dvandusen (ID: 21966750)
static (inside,dmz-public) 10.11.15.x 10.11.15.x netmask 255.255.255.255

This solution worked for me where the 10.11.15.x was a specific server.
Thanks grblades
