?
Solved

Baffled By ASA

Posted on 2013-07-01
9
Medium Priority
?
317 Views
Last Modified: 2013-07-07
I need a little help here...I'm an experienced PIX admin and I'm finally getting going on ASA's but I'm having a heck of a time wrapping my head around the way Cisco is doing things these days.  I've configured 2 ASA boxes with the help of TAC, but I've got a couple new ones that I'm trying to configure on my own so I can understand the what & why's but I'm stuck.  I can't seem to get traffic from the DMZ to the inside interface...I just keep getting a "no translation group found" in the logs.  Below is my config (although there may be some vital parts missing as I've just started hacking away at it, removing parts I've added that didn't seem to do any good):

names
name 192.168.0.2 IP-192.168.0.2
name 192.168.130.36 APOWeb1-36
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.248
!
interface Vlan4
 nameif dmz
<--- More --->
             
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
 switchport access vlan 4
!
<--- More --->
             

object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group network inside-subnet
 network-object 192.168.123.0 255.255.255.0
object-group network dmz-subnet
 network-object 192.168.130.0 255.255.255.0
object-group service MS_SQL tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 group-object MS_SQL
 port-object eq www
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host IP-192.168.0.2 object-group DM_INLINE_TCP_0
access-list inside_access_in extended permit tcp host APOWeb1-36 192.168.123.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list dmz-acl extended permit ip 192.168.130.0 255.255.255.0 192.168.123.0 255.255.255.0

global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) IP-192.168.0.2 APOWeb1-36 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
0
Comment
Question by:itsgi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
9 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39290764
ASA versions 8.2.5 and lower have 'nat-control' in place which essentially states that all traffic going from one interface to another *must* have a related nat statement even if the nat statement is simply to not nat.

The nat you would need to essentially not nat DMZ to inside traffic:

static (inside,dmz) 192.168.130.0 192.168.130.0  netmask 255.255.255.0

You will still need the appropriate ACL's in place inbound on the DMZ interface to allow traffic from a lower security to a higher security interface.
0
 

Author Comment

by:itsgi
ID: 39290798
Yea, I read that in another post somewhere, tried with same result.  Here's the exact error from the log:

3      Jul 01 2013      12:19:08      305005      192.168.123.10      1433                  No translation group found for tcp src dmz:APOWeb1-36/49204 dst inside:192.168.123.10/1433
0
 

Author Comment

by:itsgi
ID: 39293674
Anyone?
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 
LVL 20

Expert Comment

by:rauenpc
ID: 39293705
Could you repost a scrubbed config so we can see any changes?
0
 

Author Comment

by:itsgi
ID: 39293875
Here's the latest (I've been playing around as well):


names
name 192.168.0.2 IP-192.168.0.2
name 192.168.130.36 APOWeb1-36
name 192.168.123.10 APODB1
name 192.168.123.36 APOWeb1-36_Inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.248
!
interface Vlan4
 nameif dmz
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
             
 switchport access vlan 4
!

object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group network inside-subnet
 network-object 192.168.123.0 255.255.255.0
object-group network dmz-subnet
 network-object 192.168.130.0 255.255.255.0
object-group service MS_SQL tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 group-object MS_SQL
 port-object eq www
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host APOWeb1-36 object-group DM_INLINE_TCP_0
access-list inside_access_in extended permit tcp host APOWeb1-36 192.168.123.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip host APOWeb1-36_Inside any
access-list dmz-acl extended permit ip 192.168.130.0 255.255.255.0 192.168.123.0 255.255.255.0

global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) IP-192.168.0.2 APOWeb1-36 netmask 255.255.255.255
static (inside,dmz) 192.168.130.0 192.168.130.0 netmask 255.255.255.0
static (inside,inside) APOWeb1-36_Inside APOWeb1-36 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
0
 

Accepted Solution

by:
itsgi earned 0 total points
ID: 39294008
Nevermind, I figured it out...
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39294207
What was the solution?
0
 

Author Comment

by:itsgi
ID: 39294306
The NAT was getting all screwed up for whatever reason - I dropped all my NAT statements except and created a static between the inside and DMZ, then applied the appropriate ACL.  I then put in my static NAT for outside -> DMZ and all is good.
0
 

Author Closing Comment

by:itsgi
ID: 39305085
I figured it out myself
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question