Solved

ASA syslog error 305005

Posted on 2013-01-01
Last Modified: 2013-01-06
I'm always getting this syslog message (305005). I tried to use the NAT exempt feature, and I'm still getting the same syslog message. I don't want to translate some IPs, because I don't want to give them Internet access. Is there any workaround to keep these syslog messages from appearing continuously?
Question by:omar07
14 Comments
 
LVL 13

Expert Comment

by:Sandy
ID: 38735730
This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.
LVL 35

Expert Comment

by:Ernie Beek
ID: 38735820
Well, in this case it isn't a configuration error, because you don't want some IPs to be translated.
What you could do is:
- just keep the message from appearing by using: no logging message 305005
- adjust the NAT statement so only the IP range that is allowed to access the Internet is in there.
 
LVL 1

Expert Comment

by:thpipfh
ID: 38735932
Hello,

For error 305005:  This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.

and study NAT and ACLs with the URLs below:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_overview.html

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38735940
I took the liberty of adding the PIX/ASA topic to your question to draw some extra attention.
LVL 1

Expert Comment

by:thpipfh
ID: 38735949
Please refer to the link below for ASA syslog errors

http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1280900

Good Luck

Author Comment

by:omar07
ID: 38736273
Erniebeek,
I tried to do NAT 0 with ACL for the IP addresses that do not require translation, but I still get the same log messages.
LVL 35

Expert Comment

by:Ernie Beek
ID: 38736312
Could you give us some more info?
For starters, a sanitized copy of your configuration would help a lot :)

Author Comment

by:omar07
ID: 38737172
Erniebeek,

I used NAT exempt just to prevent the syslog message from popping up every now and then, something like:

      access-list inside_nat0_outbound line 1 extended permit ip 192.168.1.1 255.255.255.255 209.165.32.1 255.255.255.255
      nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0

I used the code above, and I'm still getting the error 305005
 
LVL 1

Expert Comment

by:thpipfh
ID: 38739149
Please verify security levels and NAT rules and try with

      nat (outside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 38739339
Well if you just want to prevent the message from popping up, use the no logging message 305005 like I stated above.

When using NAT exempt, the machines are still allowed through the ASA, only they're not NATted. I assume the nat0 range you defined is a subset of the NATted range (?) That can give some strange results.
I would say: get rid of that NAT exempt and block the addresses you don't want to pass through by using an ACL on the inside interface (and/or use the no logging command).
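The accepted answer above hinges on two points: a nat 0 (NAT exempt) ACL matches on both source and destination, and message 305005 is the ASA reporting a flow for which it found no translation at all. The following is an added example, not code from the thread or from Cisco, that parses 305005 lines in the layout Cisco documents for that message and sorts them per source host into flows the posted nat 0 ACL already covers (which the ASA should not be logging if the nat 0 statement were in effect) and flows it does not cover. The sample syslog lines and the ASA hostname are constructed; the NAT0_ACL entry is the one omar07 posted, and the field names are this example's own.

```python
import re
import ipaddress
from collections import defaultdict

# Documented layout of ASA message 305005 (Cisco syslog reference):
#   %ASA-3-305005: No translation group found for <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
MSG_305005 = re.compile(
    r"%ASA-\d-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

# The nat 0 ACL posted in the thread, as (source network, destination network)
# pairs. A NAT-exempt ACL matches on BOTH addresses, so only this one flow pair
# is exempt; the same source talking to any other destination has no translation.
NAT0_ACL = [
    (ipaddress.ip_network("192.168.1.1/32"), ipaddress.ip_network("209.165.32.1/32")),
]

# Constructed sample syslog lines (not taken from the thread). The 302013 line is
# an unrelated message and must be ignored by the parser.
SAMPLE_LOG = """\
Jan 01 2013 10:15:01 asa01 %ASA-3-305005: No translation group found for udp src inside:192.168.1.1/53211 dst outside:198.51.100.53/53
Jan 01 2013 10:15:02 asa01 %ASA-3-305005: No translation group found for tcp src inside:192.168.1.1/49152 dst outside:198.51.100.7/443
Jan 01 2013 10:15:03 asa01 %ASA-3-305005: No translation group found for tcp src inside:192.168.1.20/50001 dst outside:198.51.100.7/80
Jan 01 2013 10:15:04 asa01 %ASA-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.168.1.5/49153 (203.0.113.5/49153)
Jan 01 2013 10:15:05 asa01 %ASA-3-305005: No translation group found for tcp src inside:192.168.1.1/49153 dst outside:209.165.32.1/22
"""


def parse_305005(line):
    """Return the fields of a 305005 message as a dict, or None for any other line."""
    m = MSG_305005.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "src_if": d["src_if"],
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst_if": d["dst_if"],
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def is_nat_exempt(src, dst, acl):
    """True if some (src_net, dst_net) entry of the nat 0 ACL matches the flow."""
    return any(src in src_net and dst in dst_net for src_net, dst_net in acl)


def triage(log_text, acl=NAT0_ACL):
    """Group 305005 events by source host.

    "covered" flows match the nat 0 ACL, so the ASA should not be logging them at
    all; if they appear, the nat 0 statement itself is not taking effect (wrong
    interface, ACL not bound). "uncovered" flows fall outside the ACL: the host
    needs a NAT rule, a wider exemption, or an interface ACL deny.
    """
    report = defaultdict(lambda: {"covered": 0, "uncovered": 0, "destinations": set()})
    for line in log_text.splitlines():
        ev = parse_305005(line)
        if ev is None:
            continue
        bucket = report[str(ev["src"])]
        bucket["destinations"].add(str(ev["dst"]))
        key = "covered" if is_nat_exempt(ev["src"], ev["dst"], acl) else "uncovered"
        bucket[key] += 1
    return dict(report)


if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host}: {info['uncovered']} flows outside the nat 0 ACL, "
              f"{info['covered']} flows the ACL should already exempt, "
              f"destinations {sorted(info['destinations'])}")
```

Run against a real log export, the "uncovered" count per host tells you whether the noise comes from the exempt host reaching destinations the nat 0 ACL does not list (the posted ACL only exempts 192.168.1.1 talking to 209.165.32.1) or from hosts with no NAT rule at all, which is the case the interface ACL deny in the accepted answer is meant for.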

Author Comment

by:omar07
ID: 38739655
OK, and how can I use an ACL to block the addresses that I don't want to translate?
LVL 35

Expert Comment

by:Ernie Beek
ID: 38739694
Something like:

access-list inside deny ip host 192.168.1.10 any (Deny one address)
access-list inside deny ip 192.168.1.0 255.255.255.240 any (or deny a range)
access-list inside permit ip any any (then permit the rest)

access-group inside in interface inside if your inside interface is named 'inside' :)

So you first block everything you don't want to go through and then allow everything (because an ACL is processed top-down).
LVL 1

Expert Comment

by:thpipfh
ID: 38739711
Please give me your running configuration, for better understanding.

Author Comment

by:omar07
ID: 38746366
The no logging command works fine, but the ACL is denying everything, not NATting only. How can I deny the range I want from NAT only?
