ASA syslog error 305005

I'm always getting this syslog message (305005), I tried to do the NAT exempt feature, and I'm still getting the same error syslog message. I don't want to translate some IPs, because I don't want to give them Internet access. Is there any work around to avoid this syslog messages from appearing continuously.
omar07Asked:
Who is Participating?
 
Ernie BeekConnect With a Mentor ExpertCommented:
Well if you just want to prevent the message from popping up, use the no logging message 305005 like I stated above.

When using NAT exempt, the machines are still allowed through the ASA, only they're not NATted. I assume the nat0 range you defined is a subset of the NATted range (?) That can give some strange results.
I would say: get rid of that nat exempt and block the addresses you don't want to pass through by using an ACL on the inside interface (and/or use the no logging commande).
0
 
SandyCommented:
This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.
0
 
Ernie BeekExpertCommented:
Well, in this case it isn't a configuration error because you don't want some IP's to be translated.
What you could do is:
-just keep the message from appearing by using:  no logging message 305005
-adjust the NAT statement so only the IP range that is allowed to access internet is in there.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
thpipfhCommented:
Hello,

For error 305005:  This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.

and Study about NAT and ACL's with below urls:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_overview.html

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html
0
 
Ernie BeekExpertCommented:
I took the liberty of adding the PIX/ASA topic to your question to draw some extra attention.
0
 
thpipfhCommented:
Please refer below link for ASA sys log errors

http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1280900

Good Luck
0
 
omar07Author Commented:
Erniebeek,
I tried to do NAT 0 with ACL for the IP addresses that do not require translation, but I still get the same log messages.
0
 
Ernie BeekExpertCommented:
Could you give us some more info?
For starters, a sanitized copy of your configuration would help a lot :)
0
 
omar07Author Commented:
Erniebeek,

I used NAt exempt just to prevent the syslog message from popping up every now and then, something like:

      access-list inside_nat0_outbound line 1 extended permit ip 192.168.1.1 255.255.255.255     209.165.32.1 255.255.255.255
      nat (inside) 0 access-list inside_nat0_outbound  tcp 0 0 udp 0

I used the code above, and I'm still getting the error 305005
0
 
thpipfhCommented:
Please verify security levels and NAT rules and try with

 nat (outside) 0 access-list inside_nat0_outbound  tcp 0 0 udp 0
0
 
omar07Author Commented:
Ok. and how can I use ACL to block the addresses that I don't want to translate.
0
 
Ernie BeekExpertCommented:
Something like:

access-list inside deny ip host 192.168.1.10 any (Deny one address)
access-list inside deny ip 192.168.1.0 255.255.255.240 any (or deny a range)
access-list inside permit ip any any (then permit the rest)

access-group inside in interface inside if your inside interface is named 'inside' :)

So you first block everything you don't want to go through and then allow everything (because an ACL is processed top-down).
0
 
thpipfhCommented:
please give me your runing configuration.... for better understanding.
0
 
omar07Author Commented:
The no logging command works fine, but the ACL is denying everything not natting only. How can deny the range I want from nat only.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.