Solved

Baffled By ASA

Posted on 2013-07-01
9
314 Views
Last Modified: 2013-07-07
I need a little help here...I'm an experienced PIX admin and I'm finally getting going on ASA's but I'm having a heck of a time wrapping my head around the way Cisco is doing things these days.  I've configured 2 ASA boxes with the help of TAC, but I've got a couple new ones that I'm trying to configure on my own so I can understand the what & why's but I'm stuck.  I can't seem to get traffic from the DMZ to the inside interface...I just keep getting a "no translation group found" in the logs.  Below is my config (although there may be some vital parts missing as I've just started hacking away at it, removing parts I've added that didn't seem to do any good):

names
name 192.168.0.2 IP-192.168.0.2
name 192.168.130.36 APOWeb1-36
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.248
!
interface Vlan4
 nameif dmz
<--- More --->
             
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
 switchport access vlan 4
!
<--- More --->
             

object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group network inside-subnet
 network-object 192.168.123.0 255.255.255.0
object-group network dmz-subnet
 network-object 192.168.130.0 255.255.255.0
object-group service MS_SQL tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 group-object MS_SQL
 port-object eq www
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host IP-192.168.0.2 object-group DM_INLINE_TCP_0
access-list inside_access_in extended permit tcp host APOWeb1-36 192.168.123.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list dmz-acl extended permit ip 192.168.130.0 255.255.255.0 192.168.123.0 255.255.255.0

global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) IP-192.168.0.2 APOWeb1-36 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
0
Comment
Question by:itsgi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
9 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39290764
ASA versions 8.2.5 and lower have 'nat-control' in place which essentially states that all traffic going from one interface to another *must* have a related nat statement even if the nat statement is simply to not nat.

The nat you would need to essentially not nat DMZ to inside traffic:

static (inside,dmz) 192.168.130.0 192.168.130.0  netmask 255.255.255.0

You will still need the appropriate ACL's in place inbound on the DMZ interface to allow traffic from a lower security to a higher security interface.
0
 

Author Comment

by:itsgi
ID: 39290798
Yea, I read that in another post somewhere, tried with same result.  Here's the exact error from the log:

3      Jul 01 2013      12:19:08      305005      192.168.123.10      1433                  No translation group found for tcp src dmz:APOWeb1-36/49204 dst inside:192.168.123.10/1433
0
 

Author Comment

by:itsgi
ID: 39293674
Anyone?
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 20

Expert Comment

by:rauenpc
ID: 39293705
Could you repost a scrubbed config so we can see any changes?
0
 

Author Comment

by:itsgi
ID: 39293875
Here's the latest (I've been playing around as well):


names
name 192.168.0.2 IP-192.168.0.2
name 192.168.130.36 APOWeb1-36
name 192.168.123.10 APODB1
name 192.168.123.36 APOWeb1-36_Inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.248
!
interface Vlan4
 nameif dmz
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
             
 switchport access vlan 4
!

object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group network inside-subnet
 network-object 192.168.123.0 255.255.255.0
object-group network dmz-subnet
 network-object 192.168.130.0 255.255.255.0
object-group service MS_SQL tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 group-object MS_SQL
 port-object eq www
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host APOWeb1-36 object-group DM_INLINE_TCP_0
access-list inside_access_in extended permit tcp host APOWeb1-36 192.168.123.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip host APOWeb1-36_Inside any
access-list dmz-acl extended permit ip 192.168.130.0 255.255.255.0 192.168.123.0 255.255.255.0

global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) IP-192.168.0.2 APOWeb1-36 netmask 255.255.255.255
static (inside,dmz) 192.168.130.0 192.168.130.0 netmask 255.255.255.0
static (inside,inside) APOWeb1-36_Inside APOWeb1-36 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
0
 

Accepted Solution

by:
itsgi earned 0 total points
ID: 39294008
Nevermind, I figured it out...
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39294207
What was the solution?
0
 

Author Comment

by:itsgi
ID: 39294306
The NAT was getting all screwed up for whatever reason - I dropped all my NAT statements except and created a static between the inside and DMZ, then applied the appropriate ACL.  I then put in my static NAT for outside -> DMZ and all is good.
0
 

Author Closing Comment

by:itsgi
ID: 39305085
I figured it out myself
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question