Comments on: No translation group found for tcp src http://www.networkingblog.in/no-translation-group-found-for-tcp-src-9095 Cisco Netpro Blog Wed, 23 Jun 2010 06:07:14 +0000 hourly 1 http://wordpress.org/?v=3.0 By: arul http://www.networkingblog.in/no-translation-group-found-for-tcp-src-9095/comment-page-1#comment-9142 arul Sun, 06 Jun 2010 05:46:53 +0000 http://www.networkingblog.in/?p=9095#comment-9142 I really appreciate the time you are taking to help me, but I need to understand what is going on here. Looking at the Series of ASA messages below, I have a couple of questions. 03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-302013: Built outbound TCP connection 580927 for govnet:159.105.97.20/8080 (159.105.97.20/8080) to wireless:10.1.0.9/36326 (159.105.221.114/12156) 03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-305011: Built dynamic TCP translation from wireless:10.1.0.9/36326 to govnet:159.105.221.114/12156 03-05-2010 13:42:21 Local4.Debug 159.105.221.114 %ASA-7-609001: Built local-host wireless:10.1.0.9 03-05-2010 13:42:21 Local4.Error 170.222.200.97 %ASA-3-305005: No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080 What does the message "No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080" actually mean? The 170 number is our inside 170 subnet IP named "170inside". I think the series is saying that my request from 10.1.0.9 to Proxy1 was received by the ASA but it could not do something. Since I cannot get a Deny in the ASA logs I think it might be accepting the request but doesn't know how to get back to me with the response. I really am trying to understand exactly what is going on here. When setting up the same routine from a different location I received DENY messages in the ASA logs and once the ACL changes were made everything worked. I never saw this "No translation group" message before. I really appreciate the time you are taking to help me, but I need to understand what is going on here.
Looking at the Series of ASA messages below, I have a couple of questions.
03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-302013:
Built outbound TCP connection 580927 for govnet:159.105.97.20/8080 (159.105.97.20/8080) to wireless:10.1.0.9/36326 (159.105.221.114/12156)
03-05-2010 13:42:21 Local4.Info 159.105.221.114 %ASA-6-305011:
Built dynamic TCP translation from wireless:10.1.0.9/36326 to govnet:159.105.221.114/12156
03-05-2010 13:42:21 Local4.Debug 159.105.221.114 %ASA-7-609001:
Built local-host wireless:10.1.0.9
03-05-2010 13:42:21 Local4.Error 170.222.200.97 %ASA-3-305005:
No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080
What does the message “No translation group found for tcp src govnet:159.105.221.114/12156 dst inside:Proxy1/8080″ actually mean? The 170 number is our inside 170 subnet IP named “170inside”.
I think the series is saying that my request from 10.1.0.9 to Proxy1 was received by the ASA but it could not do something. Since I cannot get a Deny in the ASA logs I think it might be accepting the request but doesn’t know how to get back to me with the response.
I really am trying to understand exactly what is going on here. When setting up the same routine from a different location I received DENY messages in the ASA logs and once the ACL changes were made everything worked. I never saw this “No translation group” message before.

]]> By: Kumar http://www.networkingblog.in/no-translation-group-found-for-tcp-src-9095/comment-page-1#comment-9141 Kumar Sun, 06 Jun 2010 05:45:48 +0000 http://www.networkingblog.in/?p=9095#comment-9141 If you want to pass traffic from an outside to an inside interface in an ASA, you need to make sure that you have two things: 1.- An access-group that allows traffic to come in. 2.- A NAT rule that matches the traffic. So in this case if we have the source on the outside interface with an ip address: 10.1.0.9 and a destination on the inside with the ip address: 159.105.###.20 First we configure the rule to allow traffic to come in: access-list out permit ip host 10.1.0.9 host 159.105.###.20 then we ensure that we have a NAT rule for this traffic. If you don't want to change neither the source or destination when traffic flows through the FW, you just use an static command using the same ip addresss. For example: static(inside,outside) 159.105.###.20 159.105.###.20 If you don't want to use any NAT rule, you will have to disable nat-control. To disable it, issue the following command in global config mode no nat-control If you want to pass traffic from an outside to an inside interface in an ASA, you need to make sure that you have two things:
1.- An access-group that allows traffic to come in.
2.- A NAT rule that matches the traffic.
So in this case if we have the source on the outside interface with an ip address:
10.1.0.9
and a destination on the inside with the ip address:
159.105.###.20
First we configure the rule to allow traffic to come in:
access-list out permit ip host 10.1.0.9 host 159.105.###.20
then we ensure that we have a NAT rule for this traffic. If you don’t want to change neither the source or destination when traffic flows through the FW, you just use an static command using the same ip addresss. For example:
static(inside,outside) 159.105.###.20 159.105.###.20
If you don’t want to use any NAT rule, you will have to disable nat-control. To disable it, issue the following command in global config mode
no nat-control

]]> By: Kumar http://www.networkingblog.in/no-translation-group-found-for-tcp-src-9095/comment-page-1#comment-9140 Kumar Sun, 06 Jun 2010 05:44:18 +0000 http://www.networkingblog.in/?p=9095#comment-9140 Yes, that is exactly right Yes, that is exactly right

]]> By: arul http://www.networkingblog.in/no-translation-group-found-for-tcp-src-9095/comment-page-1#comment-9139 arul Sun, 06 Jun 2010 05:43:54 +0000 http://www.networkingblog.in/?p=9095#comment-9139 I just want to make sure I have the right picture... You just want to allow traffico from a host outside (10.1.0.9) to a host on the inside (159.105.###.20) Is that correct or am I missing something? I just want to make sure I have the right picture…
You just want to allow traffico from a host outside (10.1.0.9) to a host on the inside (159.105.###.20)
Is that correct or am I missing something?

]]> By: Kumar http://www.networkingblog.in/no-translation-group-found-for-tcp-src-9095/comment-page-1#comment-9138 Kumar Sun, 06 Jun 2010 05:43:24 +0000 http://www.networkingblog.in/?p=9095#comment-9138 don't think we want global nat for this. Let me explain a little bit more. Wireless(outside) to proxy server 10.1.0.9(outside) goes through the tunnel using 159.105.###.### with a destination of inside 159.105.###.20 (Proxy1)(inside). All we would want is to allow that one specific IP (10.1.0.9) to access Proxy1 and pass information. What really confuses me is that everything above the error is on the 159.105.###.### network but it looks like the error is being generated by the 170 outside network? don’t think we want global nat for this. Let me explain a little bit more.

Wireless(outside) to proxy server 10.1.0.9(outside) goes through the tunnel using 159.105.###.### with a destination of inside 159.105.###.20 (Proxy1)(inside). All we would want is to allow that one specific IP (10.1.0.9) to access Proxy1 and pass information.
What really confuses me is that everything above the error is on the 159.105.###.### network but it looks like the error is being generated by the 170 outside network?

]]> By: arul http://www.networkingblog.in/no-translation-group-found-for-tcp-src-9095/comment-page-1#comment-9137 arul Sun, 06 Jun 2010 05:42:55 +0000 http://www.networkingblog.in/?p=9095#comment-9137 When using an ASA, when you pass from an interface to another you need to have a NAT rule, either a static or a nat-global. For example, if you want a static rule for all your network you can do the following: static (govnet,inside) 159.105.0.0 159.105.0.0 netmask 255.255.0.0 This is a NAT rule for traffic flowing form govnet to inside interface. Both networks are the same to avoid any real translation and move traffic with its original ip address. When using an ASA, when you pass from an interface to another you need to have a NAT rule, either a static or a nat-global.

For example, if you want a static rule for all your network you can do the following:

static (govnet,inside) 159.105.0.0 159.105.0.0 netmask 255.255.0.0
This is a NAT rule for traffic flowing form govnet to inside interface. Both networks are the same to avoid any real translation and move traffic with its original ip address.

]]>