Cisco ASA - no translation group found

Posted on 2007-11-28
Last Modified: 2008-07-09
I have a Cisco ASA5510 that's been working fine for over a year now. However, after a reload none of the VPN connections and translations are coming up again. I receive a lot of "%ASA-3-305005: No translation group found for udp src dmz-public:x_web/2861 dst inside:10.11.15.6/53" type syslog messages.

I believe it must be due to some sort of NAT issue, but this was working fine before. I saved the configuration before reloading so it's not an old config either.

Inbound and outbound connections work fine, but it seems that inter-interface traffic is not being passed.

I have the following NAT and global statements:

nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-dev) 0 access-list dmz-dev_nat0_outbound
nat (dmz-public) 0 access-list dmz-public_nat0_outbound
nat (dmz-public) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
nat (dmz-exch) 1 0.0.0.0 0.0.0.0

global (outside) 1 w.x.y.z

Hoping for quick assistance as my servers are currently not working properly. Any ideas of what could be wrong?


//Magnus
Question by:magnuso

Expert Comment

by:grblades
ID: 20365599
Can you post your current configuration (with the first part of the IP address and the password *'d out)?
It helps to see all the configuration. Often 'static' commands are used in addition to nat/global ones.

Author Comment

by:magnuso
ID: 20365662
I should perhaps add that I was having trouble (I thought) with the AIP SSM a couple of days back, so I disabled it by:

asa-srl(config)# no service-policy global_policy global
asa-srl(config)# no service-policy interface_policy interface outside

However, after the above trouble, I enabled it again:

asa-srl(config)# service-policy global_policy global
asa-srl(config)# service-policy interface_policy interface outside
asa-srl(config)# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: pptp, packet 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: interface_policy
    Class-map: ips_class_map
      IPS: card status Up, mode inline fail-open
        packet input 273709, packet output 273715, drop 0, reset-drop 0

//Magnus

Author Comment

by:magnuso
ID: 20365718
Here is the full NAT, global and static mappings. Do you need the whole config as it is quite long?

global (outside) 1 x.y.z.69
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-dev) 0 access-list dmz-dev_nat0_outbound
nat (dmz-public) 0 access-list dmz-public_nat0_outbound
nat (dmz-public) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
nat (dmz-exch) 1 0.0.0.0 0.0.0.0
static (dmz-public,outside) mx.xyzagent.com xyzagent-smtp netmask 255.255.255.255
static (dmz-public,outside) www.xyzagent.com xyzagent-web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.80 xyzoil_db netmask 255.255.255.255
static (dmz-public,outside) x.y.z.81 xyzoil_smtp netmask 255.255.255.255
static (dmz-public,outside) x.y.z.82 gml_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.83 gml_smtp netmask 255.255.255.255
static (dmz-public,outside) x.y.z.84 gml_db netmask 255.255.255.255
static (dmz-public,outside) x.y.z.87 10.11.3.87 netmask 255.255.255.255
static (dmz-public,outside) www.xyztrack.com xyztrack_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.73 xyzvol_web netmask 255.255.255.255
static (dmz-public,outside) www.xyzship.com xyzship_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.105 xyzship_eas netmask 255.255.255.255
static (dmz-public,outside) x.y.z.106 xyzship_ase netmask 255.255.255.255
static (dmz-public,outside) x.y.z.107 xyzship_bpg netmask 255.255.255.255
static (dmz-public,outside) x.y.z.109 10.11.3.109 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.74 10.11.2.74 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.75 10.11.2.75 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.76 10.11.2.76 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.77 10.11.2.77 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.89 10.11.2.89 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.111 10.11.2.111 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.88 10.11.2.88 netmask 255.255.255.255
static (dmz-public,outside) x.y.z.123 10.11.3.3 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz-public_in in interface dmz-public

//Magnus

Expert Comment

by:grblades
ID: 20365873
I can't see any NAT rules there to be applied between the internal and dmz-public networks. Try adding the following configuration. Check that the IP address and netmask are correct for your internal network, as I am guessing from your other configuration.

static (inside,dmz-public) 10.11.15.0 10.11.15.0 netmask 255.255.255.0

Author Comment

by:magnuso
ID: 20365902
I have several "internal" networks:

asa-srl(config)# sh route | i inside
S    10.11.10.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.15.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.40.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    GML 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.60.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.70.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.80.0 255.255.255.0 [1/0] via 10.11.240.2, inside
C    10.11.240.0 255.255.255.248 is directly connected, inside

I remember there was a setting somewhere to enable traffic through the firewall without address translation, but I can't find the command anywhere. I can swear that I never had direct NAT rules for all my internal-to-dmz connections.

//Magnus

Expert Comment

by:grblades
ID: 20365937
There might be a command. My knowledge is mainly with version 6 of the IOS and enough knowledge of version 7 to do the common things. You must be running version 7 or 8 as you have an ASA.

Someone else may have a better idea if there is an easier option for you.

Author Comment

by:magnuso
ID: 20365947
Correct - I am running 7.0(5).

Author Comment

by:magnuso
ID: 20366259
I found the problem! I was missing the nat 0 for all outbound connections on the inside interface.

nat (inside) 0 access-list inside_nat0_outbound

It really is quite strange since I have no idea of how a reload could make one of the nat lines disappear. Like I said - it was working for months until the reload, and just before the reload I saved the config. Very strange...

Author Comment

by:magnuso
ID: 20366384
Upon further checking I found that there was probably something wrong with my inside_nat0_outbound access-list. When I tried to re-apply it, it complained with:

asa-srl(config)# nat (inside) 0 access-list inside_nat0_outbound
ERROR: access-list has protocol or port

When I checked the access-list I found the following three lines that did indeed include protocol and port details:
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-public_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-dev_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp GML 255.255.255.0 host 10.11.2.89 eq 2048

Once these three lines were removed from the access-list, it could be reapplied with just a warning:
asa-srl(config)# nat (inside) 0 access-list inside_nat0_outbound
INFO: Outside address overlap with static NAT configuration

Don't quite know what that warning is about, but everything seems to work now again. Could it be that the access-list allowed me to add the protocol/port lines without complaining, but upon rebooting the ASA would have found the access-list in violation of some rules and removed it? It would be good to know for future reference.

//Magnus

Expert Comment

by:grblades
ID: 20366460
Yes you can have protocols and ports in a nat0 acl.
You must have added them at a later date after applying the nat 0 command. When it rebooted it would have applied the configuration to the memory and when it came to the nat 0 command it would have generated the error you saw, logged it to the console or whatever and then continued. That would be why that command disappeared.

Author Comment

by:magnuso
ID: 20366484
Yes, I did add them later after first applying the nat0 acl. However, you say that I can have protocols and ports in a nat0 acl - so why then did it not allow it, and proceed to remove it?

//Magnus

Accepted Solution

by:grblades (earned 500 total points)
ID: 20366527
Sorry, I meant to say that you can't have protocols and ports in a nat 0 acl.

An ACL can have protocols and ports. It's just the acl used by nat 0 that cannot have them.
The ASA gives an error when running the nat 0 command with an incorrect acl specified but when you edit an already existing acl it does not go through and look to see what else is using it and give any errors at that time.
 
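A small config audit for the failure mode grblades describes, added here as an example (not from the thread or from Cisco): it finds every `nat (iface) 0 access-list NAME` line in a pre-8.3 ASA config and lists the entries of that ACL that name a protocol other than `ip` or a port operator, i.e. the entries that make the ASA reject the `nat 0` line on reload. The config text is constructed, reusing the thread's ACL names and placeholder addresses.

```python
"""Find nat 0 identity-NAT ACLs (pre-8.3 ASA syntax) whose entries carry a
protocol or port; the ASA rejects such a 'nat 0' line when the config reloads."""
import re

# Constructed sample config, modelled on the thread above (ACL names reused).
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.11.15.0 255.255.255.0 dmz-public_NET 255.255.255.0
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-public_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp GML 255.255.255.0 host 10.11.2.89 eq 2048
access-list inside_nat0_outbound remark identity NAT inside -> dmz
access-list inside_access_in extended permit tcp any any eq 443
nat (inside) 0 access-list inside_nat0_outbound
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}

def nat0_acls(config):
    """Map interface -> ACL name for every 'nat (iface) 0 access-list' line."""
    found = {}
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def offending_aces(config, acl_name):
    """ACEs of acl_name naming a protocol other than ip, or a port operator.
    A nat 0 ACL may match on addresses only, so each of these is a defect."""
    bad = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != acl_name or t[2] == "remark":
            continue
        body = t[3:] if t[2] == "extended" else t[2:]   # older syntax omits 'extended'
        if len(body) < 2 or body[0] not in ("permit", "deny"):
            continue
        if body[1] != "ip" or PORT_OPERATORS.intersection(body[2:]):
            bad.append(line.strip())
    return bad

def audit(config):
    """{acl_name: [offending ACE, ...]} for every nat 0 ACL the ASA would reject."""
    findings = {}
    for acl in set(nat0_acls(config).values()):
        bad = offending_aces(config, acl)
        if bad:
            findings[acl] = bad
    return findings
```

Running `audit()` over a saved config before a reload (or before `write memory`) catches the mismatch at the moment an ACE is added, which is the check the ASA itself skips when an already-bound ACL is edited.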

Author Comment

by:magnuso
ID: 20366552
Interesting. Anyway, thanks for all your help. Even though you didn't find the solution, as you were the only one helping me at all, I will award you the points as the problem is now solved.

Thanks,
Magnus

Expert Comment

by:dvandusen
ID: 21966750
static (inside,dmz-public) 10.11.15.x 10.11.15.x netmask 255.255.255.255

This solution worked for me where the 10.11.15.x was a specific server.
Thanks grblades