
Cisco ASA - no translation group found

I have a Cisco ASA5510 that's been working fine for over a year now. However, after a reload none of the VPN connections and translations are coming up again. I receive a lot of "%ASA-3-305005: No translation group found for udp src dmz-public:x_web/2861 dst inside:10.11.15.6/53" type syslog messages.

I believe it must be due to some sort of NAT issue, but this was working fine before. I saved the configuration before reloading so it's not an old config either.

Inbound and outbound connections work fine, but it seems that inter-interface traffic is not being passed.

I have the following NAT and global statements:

nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-dev) 0 access-list dmz-dev_nat0_outbound
nat (dmz-public) 0 access-list dmz-public_nat0_outbound
nat (dmz-public) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
nat (dmz-exch) 1 0.0.0.0 0.0.0.0

global (outside) 1 w.x.y.z

Hoping for quick assistance as my servers are currently not working properly. Any ideas of what could be wrong?


//Magnus
 
grbladesCommented:
Can you post your current configuration (with the first part of the IP address and the password *'d out).
It helps to see all the configuration. Often 'static' commands are used in addition to nat/global ones.
 
magnusoAuthor Commented:
I should perhaps add that I was having trouble (I thought) with the AIP SSM a couple of days back, so I disabled it by:

asa-srl(config)# no service-policy global_policy global
asa-srl(config)# no service-policy interface_policy interface outside

However, after the above trouble, I enabled it again:

asa-srl(config)# service-policy global_policy global
asa-srl(config)# service-policy interface_policy interface outside
asa-srl(config)# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: pptp, packet 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: interface_policy
    Class-map: ips_class_map
      IPS: card status Up, mode inline fail-open
        packet input 273709, packet output 273715, drop 0, reset-drop 0

//Magnus
 
magnusoAuthor Commented:
Here is the full NAT, global and static mappings. Do you need the whole config as it is quite long?

global (outside) 1 x.y.z.69
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-dev) 0 access-list dmz-dev_nat0_outbound
nat (dmz-public) 0 access-list dmz-public_nat0_outbound
nat (dmz-public) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
nat (dmz-exch) 1 0.0.0.0 0.0.0.0
static (dmz-public,outside) mx.xyzagent.com xyzagent-smtp netmask 255.255.255.255
static (dmz-public,outside) www.xyzagent.com xyzagent-web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.80 xyzoil_db netmask 255.255.255.255
static (dmz-public,outside) x.y.z.81 xyzoil_smtp netmask 255.255.255.255
static (dmz-public,outside) x.y.z.82 gml_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.83 gml_smtp netmask 255.255.255.255
static (dmz-public,outside) x.y.z.84 gml_db netmask 255.255.255.255
static (dmz-public,outside) x.y.z.87 10.11.3.87 netmask 255.255.255.255
static (dmz-public,outside) www.xyztrack.com xyztrack_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.73 xyzvol_web netmask 255.255.255.255
static (dmz-public,outside) www.xyzship.com xyzship_web netmask 255.255.255.255
static (dmz-public,outside) x.y.z.105 xyzship_eas netmask 255.255.255.255
static (dmz-public,outside) x.y.z.106 xyzship_ase netmask 255.255.255.255
static (dmz-public,outside) x.y.z.107 xyzship_bpg netmask 255.255.255.255
static (dmz-public,outside) x.y.z.109 10.11.3.109 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.74 10.11.2.74 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.75 10.11.2.75 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.76 10.11.2.76 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.77 10.11.2.77 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.89 10.11.2.89 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.111 10.11.2.111 netmask 255.255.255.255
static (dmz-dev,outside) x.y.z.88 10.11.2.88 netmask 255.255.255.255
static (dmz-public,outside) x.y.z.123 10.11.3.3 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz-public_in in interface dmz-public

//Magnus
 
grbladesCommented:
I can't see any NAT rules there to be applied between the internal and dmz-public networks. Try adding the following configuration. Check that the IP address and netmask are correct for your internal network, as I am guessing from your other configuration.

static (inside,dmz-public) 10.11.15.0 10.11.15.0 netmask 255.255.255.0
 
magnusoAuthor Commented:
I have several "internal" networks:

asa-srl(config)# sh route | i inside
S    10.11.10.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.15.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.40.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    GML 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.60.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.70.0 255.255.255.0 [1/0] via 10.11.240.2, inside
S    10.11.80.0 255.255.255.0 [1/0] via 10.11.240.2, inside
C    10.11.240.0 255.255.255.248 is directly connected, inside

I remember there was a setting somewhere to enable traffic through the firewall without address translation, but I can't find the command anywhere. I can swear that I never had direct NAT rules for all my internal-to-dmz connections.

//Magnus
 
grbladesCommented:
There might be a command. My knowledge is mainly with version 6 of the IOS and enough knowledge of version 7 to do the common things. You must be running version 7 or 8 as you have an ASA.

Someone else may have a better idea if there is an easier option for you.
 
magnusoAuthor Commented:
Correct - I am running 7.0(5).
 
magnusoAuthor Commented:
I found the problem! I was missing the nat 0 for all outbound connections on the inside interface.

nat (inside) 0 access-list inside_nat0_outbound

It really is quite strange, since I have no idea how a reload could make one of the nat lines disappear. Like I said, it was working for months until the reload, and just before the reload I saved the config. Very strange...
 
magnusoAuthor Commented:
Upon further checking I found that there was probably something wrong with my inside_nat0_outbound access-list. When I tried to re-apply it, it complained with:

asa-srl(config)# nat (inside) 0 access-list inside_nat0_outbound
ERROR: access-list has protocol or port

When I checked the access-list I found the following three lines that did indeed include protocol and port details:
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-public_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-dev_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp GML 255.255.255.0 host 10.11.2.89 eq 2048

Once these three lines were removed from the access-list, it could be reapplied with just a warning:
asa-srl(config)# nat (inside) 0 access-list inside_nat0_outbound
INFO: Outside address overlap with static NAT configuration

Don't quite know what that warning is about, but everything seems to work now again. Could it be that the access-list allowed me to add the protocol/port lines without complaining, but upon rebooting the ASA would have found the access-list in violation of some rules and removed it? It would be good to know for future reference.

//Magnus
 
grbladesCommented:
Yes you can have protocols and ports in a nat0 acl.
You must have added them at a later date after applying the nat 0 command. When it rebooted it would have applied the configuration to the memory and when it came to the nat 0 command it would have generated the error you saw, logged it to the console or whatever and then continued. That would be why that command disappeared.
 
magnusoAuthor Commented:
Yes, I did add them later after first applying the nat0 acl. However, you say that I can have protocols and ports in a nat0 acl - so why then did it not allow it, and proceed to remove it?

//Magnus
 
grbladesCommented:
Sorry I meant to say that you cant have protocols and ports in a nat 0 acl.

An ACL can have protocols and ports. It's just the ACL used by nat 0 that cannot have them.
The ASA gives an error when running the nat 0 command with an incorrect ACL specified, but when you edit an already existing ACL it does not go through and look to see what else is using it and give any errors at that time.
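A pre-reload check for exactly this failure mode (the "ERROR: access-list has protocol or port" rejection above, and grblades' explanation that a later edit to the ACL is not re-validated until the next reload), written as an added Python example that is not part of the thread. It reads a saved ASA 7.x-style config, finds every `nat (iface) 0 access-list NAME` line, and flags entries of NAME that use a protocol other than `ip` or carry a port operator, i.e. the entries that will make the nat 0 line fail and vanish on reload. The sample config is constructed: the three `tcp` entries are the ones Magnus posted, while the `permit ip` lines, the 10.11.3.0/24 and 10.11.4.0/24 networks and the `inside_access_in` entry are assumptions made for the example.

```python
"""Pre-reload lint for NAT exemption (nat 0) ACLs in Cisco ASA 7.x-style configs.

Added example, not from the original thread. The ASA rejects
`nat (iface) 0 access-list NAME` at entry time if NAME has a protocol or
port, but it does not re-check NAME when the ACL is edited afterwards. On
reload the nat 0 line then fails and is dropped, which is what produced the
%ASA-3-305005 "No translation group found" messages in the thread.
"""
import re

NAT0_RE = re.compile(r"^nat\s+\(([^)]+)\)\s+0\s+access-list\s+(\S+)")
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$"
)
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}

# Constructed sample config. The three tcp ACEs are the ones posted in the
# thread; the remaining lines and networks are assumptions for this example.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz-exch) 0 access-list dmz-exch_nonat
access-list inside_nat0_outbound extended permit ip 10.11.15.0 255.255.255.0 10.11.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-public_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp host 10.11.15.9 dmz-dev_NET 255.255.255.0 object-group EPOServerToAgent
access-list inside_nat0_outbound extended permit tcp GML 255.255.255.0 host 10.11.2.89 eq 2048
access-list dmz-exch_nonat extended permit ip 10.11.4.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list inside_access_in extended permit tcp any any eq 443
"""


def nat0_references(config):
    """Return [(interface, acl_name)] for every `nat (iface) 0 access-list` line."""
    refs = []
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            refs.append((m.group(1), m.group(2)))
    return refs


def acl_entries(config, name):
    """Return [(raw_line, action, protocol, rest)] for the ACEs of ACL `name`."""
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            entries.append((line.strip(), m.group(2), m.group(3), m.group(4)))
    return entries


def ace_problem(protocol, rest):
    """Why an ACE is unusable by nat 0, or None if it is a plain `ip` match.

    Only the protocol keyword and port operators are checked. A service
    object-group in the protocol position (`permit object-group SVC ...`) is
    caught because it is not `ip`; object-groups are not resolved here.
    """
    if protocol != "ip":
        return f"protocol {protocol!r} (only 'ip' is allowed)"
    tokens = rest.split()
    for i, tok in enumerate(tokens):
        if tok in PORT_OPERATORS:
            width = 3 if tok == "range" else 2  # `range lo hi` takes two operands
            return "port match " + " ".join(tokens[i:i + width])
    return None


def lint_nat0(config):
    """Return one finding per ACE that would make its nat 0 line fail on reload."""
    findings = []
    for iface, acl in nat0_references(config):
        for raw, _action, proto, rest in acl_entries(config, acl):
            reason = ace_problem(proto, rest)
            if reason:
                findings.append(
                    {"interface": iface, "acl": acl, "reason": reason, "line": raw}
                )
    return findings


if __name__ == "__main__":
    for f in lint_nat0(SAMPLE_CONFIG):
        print(f"nat ({f['interface']}) 0 will be dropped at reload: {f['reason']}")
        print(f"    {f['line']}")
```

Run it against `show running-config` output saved to a file before every reload (or from a config-backup job); an empty result means every nat 0 ACL still consists of plain `permit ip` entries. The lint deliberately does not resolve object-groups or network names such as `GML`, so a service object-group reached only through a name it cannot see would be missed.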
 
magnusoAuthor Commented:
Interesting. Anyway, thanks for all your help. Even though you didn't find the solution, as you were the only one helping me at all, I will award you the points as the problem is now solved.

Thanks,
Magnus
 
dvandusenCommented:
static (inside,dmz-public) 10.11.15.x 10.11.15.x netmask 255.255.255.255

This solution worked for me where the 10.11.15.x was a specific server.
Thanks grblades