Solved

Baffled By ASA

Posted on 2013-07-01
9
312 Views
Last Modified: 2013-07-07
I need a little help here...I'm an experienced PIX admin and I'm finally getting going on ASA's but I'm having a heck of a time wrapping my head around the way Cisco is doing things these days.  I've configured 2 ASA boxes with the help of TAC, but I've got a couple new ones that I'm trying to configure on my own so I can understand the what & why's but I'm stuck.  I can't seem to get traffic from the DMZ to the inside interface...I just keep getting a "no translation group found" in the logs.  Below is my config (although there may be some vital parts missing as I've just started hacking away at it, removing parts I've added that didn't seem to do any good):

names
name 192.168.0.2 IP-192.168.0.2
name 192.168.130.36 APOWeb1-36
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.248
!
interface Vlan4
 nameif dmz
<--- More --->
             
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
 switchport access vlan 4
!
<--- More --->
             

object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group network inside-subnet
 network-object 192.168.123.0 255.255.255.0
object-group network dmz-subnet
 network-object 192.168.130.0 255.255.255.0
object-group service MS_SQL tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 group-object MS_SQL
 port-object eq www
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host IP-192.168.0.2 object-group DM_INLINE_TCP_0
access-list inside_access_in extended permit tcp host APOWeb1-36 192.168.123.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list dmz-acl extended permit ip 192.168.130.0 255.255.255.0 192.168.123.0 255.255.255.0

global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) IP-192.168.0.2 APOWeb1-36 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
0
Comment
Question by:itsgi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
9 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39290764
ASA versions 8.2.5 and lower have 'nat-control' in place which essentially states that all traffic going from one interface to another *must* have a related nat statement even if the nat statement is simply to not nat.

The nat you would need to essentially not nat DMZ to inside traffic:

static (inside,dmz) 192.168.130.0 192.168.130.0  netmask 255.255.255.0

You will still need the appropriate ACL's in place inbound on the DMZ interface to allow traffic from a lower security to a higher security interface.
0
 

Author Comment

by:itsgi
ID: 39290798
Yea, I read that in another post somewhere, tried with same result.  Here's the exact error from the log:

3      Jul 01 2013      12:19:08      305005      192.168.123.10      1433                  No translation group found for tcp src dmz:APOWeb1-36/49204 dst inside:192.168.123.10/1433
0
 

Author Comment

by:itsgi
ID: 39293674
Anyone?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 20

Expert Comment

by:rauenpc
ID: 39293705
Could you repost a scrubbed config so we can see any changes?
0
 

Author Comment

by:itsgi
ID: 39293875
Here's the latest (I've been playing around as well):


names
name 192.168.0.2 IP-192.168.0.2
name 192.168.130.36 APOWeb1-36
name 192.168.123.10 APODB1
name 192.168.123.36 APOWeb1-36_Inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.248
!
interface Vlan4
 nameif dmz
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
             
 switchport access vlan 4
!

object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group network inside-subnet
 network-object 192.168.123.0 255.255.255.0
object-group network dmz-subnet
 network-object 192.168.130.0 255.255.255.0
object-group service MS_SQL tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 group-object MS_SQL
 port-object eq www
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host APOWeb1-36 object-group DM_INLINE_TCP_0
access-list inside_access_in extended permit tcp host APOWeb1-36 192.168.123.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip host APOWeb1-36_Inside any
access-list dmz-acl extended permit ip 192.168.130.0 255.255.255.0 192.168.123.0 255.255.255.0

global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) IP-192.168.0.2 APOWeb1-36 netmask 255.255.255.255
static (inside,dmz) 192.168.130.0 192.168.130.0 netmask 255.255.255.0
static (inside,inside) APOWeb1-36_Inside APOWeb1-36 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
0
 

Accepted Solution

by:
itsgi earned 0 total points
ID: 39294008
Nevermind, I figured it out...
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39294207
What was the solution?
0
 

Author Comment

by:itsgi
ID: 39294306
The NAT was getting all screwed up for whatever reason - I dropped all my NAT statements except and created a static between the inside and DMZ, then applied the appropriate ACL.  I then put in my static NAT for outside -> DMZ and all is good.
0
 

Author Closing Comment

by:itsgi
ID: 39305085
I figured it out myself
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question