Cisco WAN :: ASA5510 / No Translation Group Found
Nov 1, 2011
I'm seeing plenty of these errors on my ASA5510. The ip's in question are IP's that my ASA is assigning VPN connection from my General IP pool.
Here are some examples:
<179>%ASA-3-305005: No translation group found for udp src External:172.16.50.112/29239 dst External:172.16.50.140/10009
<179>%ASA-3-305005: No translation group found for udp src External:172.16.50.113/20066 dst External:172.16.50.140/10009
<179>%ASA-3-305005: No translation group found for tcp src External:172.16.50.140/51228 dst External:172.16.50.111/29395
View 8 Replies
ADVERTISEMENT
Aug 1, 2010
My remote VPN clients aren't able to do anything network wise once they have connected to the VPN. The ASA keeps coming up with "no translation group found" in the log.
Result of the command: "show running"
: Saved:ASA Version 7.2(2) !hostname ciscoasadomain-name office.propertyfinder.comenable password ######## encryptednamesdns-guard!interface GigabitEthernet0/0 description Office Network Interface nameif Office-LAN security-level 100 ip address 10.121.10.4 255.255.255.0 ospf cost 10!interface GigabitEthernet0/1 description 4Mbps BTNet Internet Connection nameif Internet-Primary security-level 0 ip address 213.121.253.33 255.255.255.248 ospf cost 10!interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address!interface GigabitEthernet0/3 description Office Wireless Interface nameif Office-Wireless security-level 10 ip address 172.16.0.1 255.255.255.0 ospf cost 10!interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 ospf cost 10 management-only!passwd 2KFQnbNIdI.2KYOU encryptedboot system disk0:/asa722-k8.binftp mode passivedns domain-lookup Office-LANdns server-group DefaultDNS name-server 10.121.10.20 name-server 10.121.10.21 domain-name
[code]....
View 13 Replies
View Related
Mar 17, 2012
i wounder why i'm getting such log message whenever i'm trying to reach my remote site: No translation group found for tcp src outside XXXX dst dmz ZZZZ, i have a Cisco PIX515E firewall and that message is captured there, the traffic is going through a VPN tunnel (the VPN are up on both ends)
View 2 Replies
View Related
Jun 26, 2011
Error message
305005: No translation group found for udp src c_dmz:10.0.176.120/51910 dst inside:195.244.192.16/53
305005: No translation group found for udp src c_dmz:10.0.176.120/51910 dst inside:195.244.192.166/53
[Code]....
I thought it needed a nat (c_dmz) command but I got the following error message
PIX(config)# nat (c_dmz) 0 0.0.0.0 0.0.0.0 0 0 nat 0 0.0.0.0 will be identity translated for outbound WARNING: Binding inside nat statement to outermost interface. WARNING: Keyword "outside" is probably missing.
View 2 Replies
View Related
Dec 13, 2011
I have seen a few of these 305005 threads and they're usually related to NAT and resolved quickly. I have poked around a little, but can't seem to get it right. I'm using the Real-Time Log Viewer in my ASA 5510 and see lots of these 305005 errors between VPN clients and a server. Packet Tracer says it's being stopped at the PAT_POOL dynamic traslation to pool 1. I'm not solidly sure of what to change. [code]
View 9 Replies
View Related
May 31, 2011
I have a 5510 with just a inside and outside interface, everything works on the lan inc internet access and exchange hosting to the net, but I have another exchange server on the wan and I can't get to that because I'm not natting inbound traffic and the default route sends traffic elsewhere.
If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a No translation group found error.I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command global (outside) 1 interfaceglobal (inside) 2 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0.
View 3 Replies
View Related
Jan 10, 2013
I have seen many of these errors lately. We have just moved to a new office and I have basically only assigned a new IP to the outside interface.
[code]....
View 6 Replies
View Related
May 22, 2012
See the error below on my ASA5510.
305006 200.200.0.34 53 portmap translation creation failed for udp src inside:192.168.1.4/1047 dst outside:200.200.0.34/53
The first two computers work normally( IP 2 and 3) , but the third computer gets ip does not work on the Internet.
View 2 Replies
View Related
Apr 3, 2011
I have Cisco ASA5510 OS version 8.4(1), when i try to apply static command, this command is not found, the NAT issues used nat(inside,outside).
So why i can't found this command ?
View 1 Replies
View Related
Feb 7, 2012
For years now we've had an ASA5510 running an old version of ASA/ASDM (7.0/5.0) and couldn't access ASDM through a modern system with a recent JRE, so we didn't bother with this.
However, we've recently upgraded ASA/ASDM for purposes of adding failover and want to be able to access ASDM through our site to site tunnel. The site to site tunnel gives us access to the VLAN that the firewall is the gateway for, but not access to the firewall itself.
This side of the network is the 10.1.55.0 subnet, and that side of the network is the 192.168.1.0 subnet. I can ping devices on the 192.168.1.0 subnet, but not the firewall, (not that I really need to) and devices can ping me back. I can access ASDM through RDP or ssh into a server on the 192.168.1.0 subnet, but not directly from the 10.1.55.0 subnet.
This is the current config relative to the 10.1.55.0 subnet:
access-list trust_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 10.1.55.0 255.255.255.0
access-list untrust_cryptomap_600 extended permit ip 192.168.0.0 255.255.0.0
[Code]....
As far as I'm aware, the tunnel comes into the firewall through the untrust (public) interface, because that is the destination of the tunnel on the 10.1.55.0 subnet side.
What am I missing here that would allow asdm access through the untrust interface for the 10.1.55.0 subnet?
View 27 Replies
View Related
Nov 25, 2012
How to limit maximum SSL VPN sessions per group-policy on ASA5510?
There are 2 group-policy: in one maximum of 10 connections, in the second - 15 (In total licenses for SSL VPN 25 connections).
View 5 Replies
View Related
Dec 2, 2012
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 7.0(2)
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
#show webvpn anyconnect
1.disk0:/anyconnect-win-3.1.00495-k9.pkg 1 dyn-regex=/Windows NT/
CISCO STC win2k+
3,1,00495
Hostscan Version 3.1.00495
Profile in atthach-file. After this profile is uploaded to client Optimal Gateway Selection doesn't work propertly: When 'vpn1.mydomain.com/mygroup' (it best TTL server) is unreachable, then OGS try to be connected to other servers, but without group-url, for example 'vpn2.mydomain.com' (instead of 'vpn2.mydomain.com/mygroup')
View 2 Replies
View Related
Jul 31, 2012
I try to map LDAP Group to ASA Group policy following documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
View 3 Replies
View Related
Jun 6, 2012
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies
View Related
May 1, 2012
how to associate an AD group - which i have defined in users and identity stores/external identity stores/Active Directory/Directory attributes to associate with the relevant identity groups - Users and identity stores/identity groups Is there an example of this being done somewhere as i am having problems understanding how to do this from the user guide.All i want to do is associate identity groups with ad groups.
View 3 Replies
View Related
Jun 16, 2011
currently I face problem with outside nat translation and Im not sure how to solve it. I gotta 881 router
int vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
[code]...
and remote server 100.100.100.25 routed to interface fa0/0. So the problem is that hosts from V lan 1 and V lan 2 want to communicate to this server, but they cannot route, which means, that I have to "give" them some IP from their range as fake address of this server and translate it. So I did
ip nat outside source static 100.100.100.25 10.10.10.7 (for Vlan 1)
ip nat outside source static 100.100.100.25 20.20.20.7 (for Vlan 2)
but I get
% 100.100.100.25 already mapped (10.10.10.7 -> 100.100.100.25)
As far as I understand router doesn't allow this translation, because if the communication would be started from outside (initial packet would come from server side), router wouldn't know how to translate its source address.
View 2 Replies
View Related
Aug 24, 2012
I am going with ASA 5520, know how many NAT translation is possible.
View 2 Replies
View Related
Jan 5, 2012
I am looking for the SNMP OID to monitor the sh ip nat translations on a cisco 881.
#sh ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 06:01 by prod_rel_team
[code]....
View 1 Replies
View Related
Apr 8, 2012
We have a VPN configuration currently using a VPN3000 device. According to this [URL] and some others I seen DNS payload can also be translated in NAT configuration.How can I doing it with the VPN3000 box ? On my configuration DNS payload aren't translated, but it is maybe an option I need to set or unset !
View 1 Replies
View Related
Oct 18, 2011
I have 5 static public IP addresses assigned by my ISP. I like to use one of these static public IP addresses to access one of my PCs in my office from the outside. So I like to configure something like:65.11.22.44 <-> 192.168.1.100.This translation is good for all protocols and all ports. Where I can configure this on the DIR655?
View 2 Replies
View Related
Nov 22, 2012
We've got an application that is running on our LAN that is using IP addressing to connect to the server (they refused to use DNS).The server is now being moved to a VM which will be on a different subnet. The supplier is now concerned that there will be a big down time due to him having to reconfigure each device (about 100) with the new server IP. If the server was external I know I'd be able to do NAT on the FW to make this work but can it be done internally on my 6500s? I want to have the devices pointing at their hardcoded IP address off 1.1.1.10 and NAT the destination to the VMware servers IP 2.2.2.10? Is this possible using cisco NAT?
View 13 Replies
View Related
Dec 6, 2010
I have a nat and vpn setup on my Cisco 2801 router.Everything is working as expected except the NAT. I have a single static nat translation but it only works for inbound and not outbound. Going outbound, it uses the default overload nat address of the outside interface. [code] I want to add another mailserver. But I fear if one mailserver were to get black-listed, they would both be reporting there ip address as the same address (the one on the ethernet interface) which would blacklist both mail servers.Again, inbound nat works ok, but outbound is just using the IP of the ethernet0/0 address.
View 2 Replies
View Related
Feb 20, 2013
Some network pros have setup our Cisco 3620 many years back during implementation.
I've just added a new server, with new ip, wanted to change the ip of ip nat translation in this router.
I did a show run, the config is this;
interface FastEthernet0/0
ip address 57.31.132.116 255.255.255.240
no ip redirects
[Code]......
View 5 Replies
View Related
Jun 17, 2010
I upgraded an ACS4.2 to ACS5.1, and in the ACS View Dashboard „ACS – System Errors” I see the following error message: [code] Unfortunately I can't find any documentation what describe what ERROR codes mean, so I don't know what does 32603 ERROR code mean.
View 11 Replies
View Related
Apr 26, 2012
I'm having a problem with the language translation for anyconnect.here's my setup:
-asa 5505
-asa version: 8.4(3)
-asdm version 6.4(7)
-anyconnect essentials
-anyconnect webdeploy: anyconnect-win-3.0.5080-k9.pkg
The anyconnect client is deployed by the asa using the webdeploy.my client machine is a windows 7 with regionnal settings set to french (canada).I added the language localization transform files for web deploy (the mst for french) to my asa using the asdm:remote access VPN -> network (client) Access -> anyconnect customization/localization -> Localized Installer Transforms -> add the french mst.
View 1 Replies
View Related
May 30, 2011
I'm trying to migrate from olda PIX to newest ASA 8.4.1. Everything seems to be good except the static NAT. [code]
The inside interface uses implicit rule. ( permit any less secure network )
Although te above config the ASA logs the following.
TCP access denied by ACL from 94.94.94.94/2003 to outside:86.101.228.221/80
The 86.101.228.221 our public Internet IP whic are used as outside IP also.
View 8 Replies
View Related
Mar 1, 2012
I have some issues with Twin PAT on ASA (8.4.2), there is sth I dont udnerstand FTP server is on the inside and client is in outside.
I did sth like this
object network NATED-11
host 20.20.20.11
object network REAL-2
host 10.200.200.2
object service SRV-FTP
service tcp destination eq ftp
nat (outside,inside) source static any any destination static NATED-11 REAL-2 service SRV-FTP SRV-FTP so teoretically there should be a problem in NAT cause there is a second channel for data etc. BUT according to docs "For applications that require application inspection for secondary channels (for example, FTP and VoIP),the ASA automatically translates the secondary ports."
The problem is that it doesn't work at all and got the syslogs
Debug on ASA shows
ASA5510(config)# nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: translation - outside:20.20.20.252/37924 failed - port is not found in xlate(0-0)
[code]....
To make it work I need to modify the nat rule to sth like this (translate source of client to inside inteface of ASA) nat (outside,inside) 1 source static any interface destination static NATED-11 REAL-2 service SRV-FTP SRV-FTP / why its not working in the first place? aaa I forgot to mention that both modes of FTP were tested (passive and active)
View 1 Replies
View Related
Jul 19, 2011
I am trying to change a static nat entry from this:
ip nat inside source list 1 interface Dialer0 overloadip nat inside source static tcp 192.168.0.246 25 interface Dialer0 25ip nat inside source static tcp 192.168.0.246 80 interface Dialer0 80ip nat inside source static tcp 192.168.0.246 443 interface Dialer0 443
to
ip nat inside source list 1 interface Dialer0 overloadip nat inside source static tcp 192.168.0.247 25 interface Dialer0 25ip nat inside source static tcp 192.168.0.247 80 interface Dialer0 80ip nat inside source static tcp 192.168.0.247 443 interface Dialer0 443
I have tried various methods from exec mode clear ip nat translation *
no ip nat inside source static tcp 192.168.0.246 443 interface dialer0 443 But I am getting cisco2800(config)#%Static entry in use, cannot remove.
View 2 Replies
View Related
Dec 5, 2012
I have a server in a DMZ of my 8.4 ASA with nat:
object network FTP-SERVER
host 192.168.1.102
nat (dmz,outside) static interface tcp ftp ftp
And that's working well. However, I now need to translate the source address of connections from the outside to the FTP server as well. The aim is that the source address of packets when they reach the FTP server is an address on the DMZ subnet (as the default route for the FTP server now needs to be something else, not the ASA) as well as this outside-dmz NAT. I thought overloading the DMZ interface of the ASA? Or another IP in that range?
View 2 Replies
View Related
Nov 12, 2011
I would like to know if Cisco Collector Engine 6.0 can recive and reading the sent address traslation logging of router ASR1006. Using Netflow v9.
View 4 Replies
View Related
Mar 10, 2012
Trying to translate telnet for switches to the outside ip address at some random ports.
172.16.200.2:23 -> 10.199.199.2:2300
172.16.200.3:23 -> 10.199.199.2:2301
172.16.200.4:23 -> 10.199.199.2:2302
etc....
ASA 5510 running 8.4(3):
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.199.199.2 255.255.255.248
interface Ethernet0/1.200
vlan 200
nameif inside
security-level 100
ip address 172.16.200.254 255.255.255.0
[code]....
I can not access the switch at 10.199.199.2:2301 . What am I doing wrong? Or should cleaning toilets be something I really should look at! Now if i run this NAT statment:
object network Switch_TN
nat (inside,outside) static 10.199.199.3 service tcp telnet 2301
I am able to access the switch at 10.199.199.3:2301
View 7 Replies
View Related
Apr 18, 2011
How Stuff Works "How Network Address Translation Works"."This is where NAT (RFC 1631) comes to the rescue. Network Address Translation allows a single device, such as a router, to act as an agent between the Internet (or "public network") and a local (or "private") network. This means that only a single, unique IP address is required to represent an entire group of computers." so let's say 6-7 pc's can have access to the internet using the same IP. doesn't this causes any problems? what if one of those pc's was used fore doing something illegal? how can they spot it later on? or what if 2 or more pc's access (from that subnetwork) access the same website with the same IP?
View 3 Replies
View Related
Oct 1, 2011
I bougth a DIR-600 router and i'm trying to configure the option Advance/Traffic Control, but the interface is in spanish and i think is not translated accurately. I need the original text in english of the of every option's description in that menu, specialy Maximum Download Bandwidth.Also if there is a way to change the language of the interface to English. HW C1 FW 3.02
View 4 Replies
View Related