Solved

Baffled By ASA

Posted on 2013-07-01
9
310 Views
Last Modified: 2013-07-07
I need a little help here...I'm an experienced PIX admin and I'm finally getting going on ASA's but I'm having a heck of a time wrapping my head around the way Cisco is doing things these days.  I've configured 2 ASA boxes with the help of TAC, but I've got a couple new ones that I'm trying to configure on my own so I can understand the what & why's but I'm stuck.  I can't seem to get traffic from the DMZ to the inside interface...I just keep getting a "no translation group found" in the logs.  Below is my config (although there may be some vital parts missing as I've just started hacking away at it, removing parts I've added that didn't seem to do any good):

names
name 192.168.0.2 IP-192.168.0.2
name 192.168.130.36 APOWeb1-36
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.248
!
interface Vlan4
 nameif dmz
<--- More --->
             
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
 switchport access vlan 4
!
<--- More --->
             

object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group network inside-subnet
 network-object 192.168.123.0 255.255.255.0
object-group network dmz-subnet
 network-object 192.168.130.0 255.255.255.0
object-group service MS_SQL tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 group-object MS_SQL
 port-object eq www
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host IP-192.168.0.2 object-group DM_INLINE_TCP_0
access-list inside_access_in extended permit tcp host APOWeb1-36 192.168.123.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list dmz-acl extended permit ip 192.168.130.0 255.255.255.0 192.168.123.0 255.255.255.0

global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) IP-192.168.0.2 APOWeb1-36 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
0
Comment
Question by:itsgi
  • 6
  • 3
9 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39290764
ASA versions 8.2.5 and lower have 'nat-control' in place which essentially states that all traffic going from one interface to another *must* have a related nat statement even if the nat statement is simply to not nat.

The nat you would need to essentially not nat DMZ to inside traffic:

static (inside,dmz) 192.168.130.0 192.168.130.0  netmask 255.255.255.0

You will still need the appropriate ACL's in place inbound on the DMZ interface to allow traffic from a lower security to a higher security interface.
0
 

Author Comment

by:itsgi
ID: 39290798
Yea, I read that in another post somewhere, tried with same result.  Here's the exact error from the log:

3      Jul 01 2013      12:19:08      305005      192.168.123.10      1433                  No translation group found for tcp src dmz:APOWeb1-36/49204 dst inside:192.168.123.10/1433
0
 

Author Comment

by:itsgi
ID: 39293674
Anyone?
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39293705
Could you repost a scrubbed config so we can see any changes?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:itsgi
ID: 39293875
Here's the latest (I've been playing around as well):


names
name 192.168.0.2 IP-192.168.0.2
name 192.168.130.36 APOWeb1-36
name 192.168.123.10 APODB1
name 192.168.123.36 APOWeb1-36_Inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.248
!
interface Vlan4
 nameif dmz
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
             
 switchport access vlan 4
!

object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group network inside-subnet
 network-object 192.168.123.0 255.255.255.0
object-group network dmz-subnet
 network-object 192.168.130.0 255.255.255.0
object-group service MS_SQL tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 group-object MS_SQL
 port-object eq www
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host APOWeb1-36 object-group DM_INLINE_TCP_0
access-list inside_access_in extended permit tcp host APOWeb1-36 192.168.123.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip host APOWeb1-36_Inside any
access-list dmz-acl extended permit ip 192.168.130.0 255.255.255.0 192.168.123.0 255.255.255.0

global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) IP-192.168.0.2 APOWeb1-36 netmask 255.255.255.255
static (inside,dmz) 192.168.130.0 192.168.130.0 netmask 255.255.255.0
static (inside,inside) APOWeb1-36_Inside APOWeb1-36 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
0
 

Accepted Solution

by:
itsgi earned 0 total points
ID: 39294008
Nevermind, I figured it out...
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39294207
What was the solution?
0
 

Author Comment

by:itsgi
ID: 39294306
The NAT was getting all screwed up for whatever reason - I dropped all my NAT statements except and created a static between the inside and DMZ, then applied the appropriate ACL.  I then put in my static NAT for outside -> DMZ and all is good.
0
 

Author Closing Comment

by:itsgi
ID: 39305085
I figured it out myself
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now