Solved

Baffled By ASA

Posted on 2013-07-01
Last Modified: 2013-07-07
I need a little help here...I'm an experienced PIX admin and I'm finally getting going on ASAs, but I'm having a heck of a time wrapping my head around the way Cisco is doing things these days.  I've configured 2 ASA boxes with the help of TAC, but I've got a couple of new ones that I'm trying to configure on my own so I can understand the whats and whys, but I'm stuck.  I can't seem to get traffic from the DMZ to the inside interface...I just keep getting a "no translation group found" in the logs.  Below is my config (although there may be some vital parts missing as I've just started hacking away at it, removing parts I've added that didn't seem to do any good):

names
name 192.168.0.2 IP-192.168.0.2
name 192.168.130.36 APOWeb1-36
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.248
!
interface Vlan4
 nameif dmz
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
 switchport access vlan 4
!

object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group network inside-subnet
 network-object 192.168.123.0 255.255.255.0
object-group network dmz-subnet
 network-object 192.168.130.0 255.255.255.0
object-group service MS_SQL tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 group-object MS_SQL
 port-object eq www
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host IP-192.168.0.2 object-group DM_INLINE_TCP_0
access-list inside_access_in extended permit tcp host APOWeb1-36 192.168.123.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list dmz-acl extended permit ip 192.168.130.0 255.255.255.0 192.168.123.0 255.255.255.0

global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) IP-192.168.0.2 APOWeb1-36 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
Question by:itsgi
9 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 39290764
ASA versions 8.2.5 and lower have 'nat-control' in place which essentially states that all traffic going from one interface to another *must* have a related nat statement even if the nat statement is simply to not nat.

The nat you would need to essentially not nat DMZ to inside traffic:

static (inside,dmz) 192.168.130.0 192.168.130.0  netmask 255.255.255.0

You will still need the appropriate ACLs in place inbound on the DMZ interface to allow traffic from a lower security to a higher security interface.
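The comment above describes the pre-8.3 nat-control rule: a flow between two interfaces needs a matching static, or a nat/global pair, or it is dropped with the 305005 "No translation group found" message seen later in the thread. The following is an added example, not code from the thread or from Cisco, that models that lookup over the NAT lines of the first posted config (the `names` entries resolved to addresses by hand) and reports which rule, if any, covers a given flow. The identity static it tests, `static (dmz,inside) 192.168.130.0 192.168.130.0 netmask 255.255.255.0`, is an assumed fix in the dmz-to-inside direction, not the exact line the author ended up using; the lookup order (static on the source, static on the destination, then dynamic nat/global) is a simplification of the ASA's order and is an assumption of this model.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample: the NAT lines from the first config in the thread, with
# IP-192.168.0.2 and APOWeb1-36 replaced by their addresses.
ORIGINAL_NAT_CONFIG = """
global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) 192.168.0.2 192.168.130.36 netmask 255.255.255.255
"""

# Assumed identity static: DMZ hosts keep their own addresses toward inside.
IDENTITY_STATIC = "static (dmz,inside) 192.168.130.0 192.168.130.0 netmask 255.255.255.0"


class Static(NamedTuple):
    real_ifc: str
    mapped_ifc: str
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network
    text: str


class DynNat(NamedTuple):
    ifc: str
    nat_id: int
    real: ipaddress.IPv4Network
    text: str


STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")


def parse(config: str):
    """Split a pre-8.3 NAT config into static rules, nat rules and global (ifc, id) pairs."""
    statics, nats, globals_ = [], [], set()
    for line in config.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            statics.append(Static(
                real_ifc, mapped_ifc,
                ipaddress.IPv4Network(f"{mapped}/{mask}", strict=False),
                ipaddress.IPv4Network(f"{real}/{mask}", strict=False), line))
        elif m := NAT_RE.match(line):
            ifc, nat_id, ip, mask = m.groups()
            nats.append(DynNat(ifc, int(nat_id),
                               ipaddress.IPv4Network(f"{ip}/{mask}", strict=False), line))
        elif m := GLOBAL_RE.match(line):
            globals_.add((m.group(1), int(m.group(2))))
    return statics, nats, globals_


def find_translation(config: str, src_ifc: str, src_ip: str,
                     dst_ifc: str, dst_ip: str) -> Optional[str]:
    """Return the rule that would translate src_ifc:src_ip -> dst_ifc:dst_ip
    under nat-control, or None when the flow would be dropped."""
    statics, nats, globals_ = parse(config)
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    # 1. A static whose real side is the ingress interface and covers the source.
    for s in statics:
        if s.real_ifc == src_ifc and s.mapped_ifc == dst_ifc and src in s.real:
            return f"source via {s.text}"
    # 2. A static entered from its mapped side: the destination is the mapped
    #    address and gets un-translated toward the real host.
    for s in statics:
        if s.mapped_ifc == src_ifc and s.real_ifc == dst_ifc and dst in s.mapped:
            return f"destination via {s.text}"
    # 3. Dynamic nat on the ingress interface paired with a global of the same
    #    id on the egress interface (id 0 is identity NAT and needs no global).
    for n in nats:
        if n.ifc == src_ifc and src in n.real:
            if n.nat_id == 0 or (dst_ifc, n.nat_id) in globals_:
                return f"dynamic via {n.text}"
    return None


def diagnose(config: str, src_ifc: str, src_ip: str, dst_ifc: str, dst_ip: str,
             proto: str = "tcp", sport: int = 0, dport: int = 0) -> str:
    """Render the result the way the ASA syslog in the thread reports it."""
    rule = find_translation(config, src_ifc, src_ip, dst_ifc, dst_ip)
    if rule is None:
        return (f"305005 No translation group found for {proto} "
                f"src {src_ifc}:{src_ip}/{sport} dst {dst_ifc}:{dst_ip}/{dport}")
    return f"xlate ok: {rule}"


if __name__ == "__main__":
    flow = ("dmz", "192.168.130.36", "inside", "192.168.123.10")
    print(diagnose(ORIGINAL_NAT_CONFIG, *flow, sport=49204, dport=1433))
    print(diagnose(ORIGINAL_NAT_CONFIG + IDENTITY_STATIC, *flow, sport=49204, dport=1433))
```

Run against the original config, the DMZ-to-inside flow from the thread's log line hits none of the three cases: `nat (dmz) 101` exists but there is no `global (inside) 101`, and the only static pairs dmz with outside. The same check shows that inside-to-dmz traffic has no translation either, since the only global on dmz carries id 1. Appending the identity static makes case 1 match and the flow is translated to itself.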
 

Author Comment

by:itsgi
ID: 39290798
Yeah, I read that in another post somewhere, tried with the same result.  Here's the exact error from the log:

3      Jul 01 2013      12:19:08      305005      192.168.123.10      1433                  No translation group found for tcp src dmz:APOWeb1-36/49204 dst inside:192.168.123.10/1433
 

Author Comment

by:itsgi
ID: 39293674
Anyone?
 
LVL 20

Expert Comment

by:rauenpc
ID: 39293705
Could you repost a scrubbed config so we can see any changes?
 

Author Comment

by:itsgi
ID: 39293875
Here's the latest (I've been playing around as well):


names
name 192.168.0.2 IP-192.168.0.2
name 192.168.130.36 APOWeb1-36
name 192.168.123.10 APODB1
name 192.168.123.36 APOWeb1-36_Inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.0.1 255.255.255.248
!
interface Vlan4
 nameif dmz
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 4
!
interface Ethernet0/6
 switchport access vlan 4
!
interface Ethernet0/7
 switchport access vlan 4
!

object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group network inside-subnet
 network-object 192.168.123.0 255.255.255.0
object-group network dmz-subnet
 network-object 192.168.130.0 255.255.255.0
object-group service MS_SQL tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_1 tcp
 group-object MS_SQL
 port-object eq www
access-list dmz_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host APOWeb1-36 object-group DM_INLINE_TCP_0
access-list inside_access_in extended permit tcp host APOWeb1-36 192.168.123.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip host APOWeb1-36_Inside any
access-list dmz-acl extended permit ip 192.168.130.0 255.255.255.0 192.168.123.0 255.255.255.0

global (outside) 101 interface
global (dmz) 1 192.168.123.2 netmask 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (dmz,outside) IP-192.168.0.2 APOWeb1-36 netmask 255.255.255.255
static (inside,dmz) 192.168.130.0 192.168.130.0 netmask 255.255.255.0
static (inside,inside) APOWeb1-36_Inside APOWeb1-36 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
 

Accepted Solution

by:
itsgi earned 0 total points
ID: 39294008
Never mind, I figured it out...
 
LVL 20

Expert Comment

by:rauenpc
ID: 39294207
What was the solution?
 

Author Comment

by:itsgi
ID: 39294306
The NAT was getting all screwed up for whatever reason - I dropped all my NAT statements except and created a static between the inside and DMZ, then applied the appropriate ACL.  I then put in my static NAT for outside -> DMZ and all is good.
 

Author Closing Comment

by:itsgi
ID: 39305085
I figured it out myself