If this isn’t posted in the right discussion group please let me know and I’ll move it.
My wireless (outside) is using a Proxy Server called Proxy1 (inside). My initial connection to this Proxy server is on Port 8080. Below is a copy of my logs when I try to connect to it from my wireless gateway (10.1.###.###).
I need help understanding what ASA entry I am missing. I also need to connect to other ports; I included the log for port 8080.
From what I am seeing in the logs it looks like the ASA is not DENYING the connection.
Thanks
–Joe
For Port 8080:
03-05-2010 13:42:21 Local4.Info 159.105.###.### %ASA-6-302013:
Built outbound TCP connection 580927 for govnet:159.105.###.###/8080 (159.105.###.###/8080) to wireless:10.1.###.###/36326 (159.105.###.###/12156)
03-05-2010 13:42:21 Local4.Info 159.105.###.### %ASA-6-305011:
Built dynamic TCP translation from wireless:10.1.###.###/36326 to govnet:159.105.###.###/12156
03-05-2010 13:42:21 Local4.Debug 159.105.###.### %ASA-7-609001:
Built local-host wireless:10.1.###.###
03-05-2010 13:42:21 Local4.Error 170.222.###.### %ASA-3-305005:
No translation group found for tcp src govnet:159.105.###.###/12156 dst inside:Proxy1/8080
When using an ASA, when traffic passes from one interface to another you need to have a NAT rule, either a static or a nat/global pair.
For example, if you want a static rule for all your network you can do the following:
static (govnet,inside) 159.105.0.0 159.105.0.0 netmask 255.255.0.0
This is a NAT rule for traffic flowing from the govnet to the inside interface. Both networks are the same to avoid any real translation and move traffic with its original IP address.
I don’t think we want global NAT for this. Let me explain a little bit more.
Wireless(outside) to proxy server 10.1.0.9(outside) goes through the tunnel using 159.105.###.### with a destination of inside 159.105.###.20 (Proxy1)(inside). All we would want is to allow that one specific IP (10.1.0.9) to access Proxy1 and pass information.
What really confuses me is that everything above the error is on the 159.105.###.### network but it looks like the error is being generated by the 170 outside network?
I just want to make sure I have the right picture…
You just want to allow traffic from a host outside (10.1.0.9) to a host on the inside (159.105.###.20).
Is that correct or am I missing something?
Yes, that is exactly right
If you want to pass traffic from an outside to an inside interface in an ASA, you need to make sure that you have two things:
1.- An access-group that allows traffic to come in.
2.- A NAT rule that matches the traffic.
So in this case if we have the source on the outside interface with an ip address:
10.1.0.9
and a destination on the inside with the ip address:
159.105.###.20
First we configure the rule to allow traffic to come in:
access-list out permit ip host 10.1.0.9 host 159.105.###.20
Then we ensure that we have a NAT rule for this traffic. If you don’t want to change either the source or the destination when traffic flows through the FW, you just use a static command with the same IP addresses. For example:
static (inside,outside) 159.105.###.20 159.105.###.20
If you don’t want to use any NAT rule, you will have to disable nat-control. To disable it, issue the following command in global config mode:
no nat-control
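An added example, not part of the thread and not Cisco's code: a small Python triage script that parses the four syslog lines Joe posted (reproduced here as a constructed sample with each message on a single line, as a syslog receiver would store them), separates the 305005 NAT lookup failure from the 106023 "Deny ... by access-group" line he was expecting, and turns the answer's identity-static advice into candidate pre-8.3 configuration lines for the failing flow. The ACL name `out`, the `access-group` binding and the `netmask 255.255.255.255` host mask are assumptions that the thread does not show; the script only reads logs and is no substitute for checking `show nat` and `show xlate` on the box.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four syslog lines from the thread, each joined onto one line
# the way a syslog receiver would store them.
SAMPLE_LOG = """\
03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-302013: Built outbound TCP connection 580927 for govnet:159.105.97.20/8080 (159.105.97.20/8080) to wireless:10.1.0.9/36326 (159.105.221.114/12156)
03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-305011: Built dynamic TCP translation from wireless:10.1.0.9/36326 to govnet:159.105.221.114/12156
03-05-2010 13:42:21 Local4.Debug 159.105.221.114 %ASA-7-609001: Built local-host wireless:10.1.0.9
03-05-2010 13:42:21 Local4.Error 170.222.200.97 %ASA-3-305005: No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080
"""

# %ASA-<severity>-<message id>: <text>
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# An endpoint as the ASA prints it: interface:host/port. The host is an IP address or,
# when "names" is configured, an object name such as Proxy1.
ENDPOINT = r"(?P<{p}_if>[\w-]+):(?P<{p}_host>[\w.-]+)/(?P<{p}_port>\d+)"
NO_XLATE_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) src "
    + ENDPOINT.format(p="src") + r" dst " + ENDPOINT.format(p="dst")
)

# Message IDs the thread turns on: 305005 is a NAT lookup failure, 106023 is the
# "Deny ... by access-group" line Joe was expecting to see.
NAT_MISSING = "305005"
ACL_DENY = "106023"


@dataclass
class AsaEvent:
    severity: int
    msgid: str
    text: str


@dataclass
class Flow:
    proto: str
    src_if: str
    src_host: str
    src_port: int
    dst_if: str
    dst_host: str
    dst_port: int


def parse_log(log: str) -> List[AsaEvent]:
    """Extract severity, message ID and text from every %ASA line; skip anything else."""
    events = []
    for line in log.splitlines():
        m = HEADER_RE.search(line)
        if m:
            events.append(AsaEvent(int(m.group("sev")), m.group("msgid"), m.group("text")))
    return events


def parse_no_xlate(ev: AsaEvent) -> Optional[Flow]:
    """Pull the 5-tuple out of a 305005 message; None for any other message."""
    if ev.msgid != NAT_MISSING:
        return None
    m = NO_XLATE_RE.search(ev.text)
    if not m:
        return None
    g = m.groupdict()
    return Flow(g["proto"], g["src_if"], g["src_host"], int(g["src_port"]),
                g["dst_if"], g["dst_host"], int(g["dst_port"]))


def suggest_fix(flow: Flow, acl_name: str = "out") -> List[str]:
    """Apply the thread's advice to the failing flow (pre-8.3 NAT syntax, nat-control on):
    an identity static for the destination on (dst_if,src_if) so its address is not rewritten,
    plus an ACL permitting the flow on the ingress interface. The ACL name and the
    access-group binding are assumptions, not something the thread shows."""
    return [
        f"static ({flow.dst_if},{flow.src_if}) {flow.dst_host} {flow.dst_host} netmask 255.255.255.255",
        f"access-list {acl_name} permit {flow.proto} host {flow.src_host} host {flow.dst_host} eq {flow.dst_port}",
        f"access-group {acl_name} in interface {flow.src_if}",
    ]


def triage(log: str) -> Dict[str, object]:
    """Summarise a log excerpt: which messages appeared, whether an ACL deny was logged,
    and, for a NAT failure, the flow and the candidate configuration lines."""
    events = parse_log(log)
    summary: Dict[str, object] = {
        "msgids": [e.msgid for e in events],
        "acl_deny_seen": any(e.msgid == ACL_DENY for e in events),
        "nat_missing": None,
    }
    for ev in events:
        flow = parse_no_xlate(ev)
        if flow:
            summary["nat_missing"] = {"flow": flow, "suggested": suggest_fix(flow)}
            break
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("messages:", s["msgids"])
    print("ACL deny logged:", s["acl_deny_seen"])
    if s["nat_missing"]:
        print("NAT lookup failed for", s["nat_missing"]["flow"])
        print("\n".join(s["nat_missing"]["suggested"]))
```

On the posted lines the script finds no 106023 at all, which is why no Deny shows up: the ASA never reached the ACL decision for the second leg. It also makes visible that the 305005 source, govnet:159.105.221.114/12156, is exactly the PAT address the 305011 line built a moment earlier, so the flow is re-entering on govnet under its translated address, and the static the script emits is keyed to that interface pair rather than to "outside".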
I really appreciate the time you are taking to help me, but I need to understand what is going on here.
Looking at the Series of ASA messages below, I have a couple of questions.
03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-302013:
Built outbound TCP connection 580927 for govnet:159.105.97.20/8080 (159.105.97.20/8080) to wireless:10.1.0.9/36326 (159.105.221.114/12156)
03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-305011:
Built dynamic TCP translation from wireless:10.1.0.9/36326 to govnet:159.105.221.114/12156
03-05-2010 13:42:21 Local4.Debug 159.105.221.114 %ASA-7-609001:
Built local-host wireless:10.1.0.9
03-05-2010 13:42:21 Local4.Error 170.222.200.97 %ASA-3-305005:
No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080
What does the message “No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080” actually mean? The 170 number is our inside 170 subnet IP named “170inside”.
I think the series is saying that my request from 10.1.0.9 to Proxy1 was received by the ASA but it could not do something. Since I cannot get a Deny in the ASA logs I think it might be accepting the request but doesn’t know how to get back to me with the response.
I really am trying to understand exactly what is going on here. When setting up the same routine from a different location I received DENY messages in the ASA logs and once the ACL changes were made everything worked. I never saw this “No translation group” message before.