NAT question Cisco ASA 5505

Status
Not open for further replies.

HupAhh (MIS), member since Oct 24, 2003, 60 posts, IE
Hi,

I'm reasonably new to Cisco ASA firewalls and I'm having trouble getting one to work as an internal firewall on my network. It's replacing a Sonicwall 3600 firewall.

Here's what I'm trying to do:

I have a production network (outside - security level 0) (PLC's, old PC's etc.) which is on the 192.168.131.0/24 range. I have a server network (inside - security level 100) which is on the 10.39.192.0/22 range.

The devices on the production network are all PLC's and old PC's and I can't change the config. In order for servers on the server network to pull information from them I've enabled a dynamic NAT rule on the firewall so all traffic coming from the server network is NAT'd behind the IP of the firewall interface on the production network. This works fine, I can ping devices on the production network and my application works no problem.

Now I have a requirement to allow traffic from the production network to access devices on the server network. I have a new PC on the production network and its default gateway is the firewall interface IP. I've created a rule to allow it Remote Desktop to a server on the server network (10.39.193.55) but when I attempt to connect I get the following error in the logs:

"No translation group found for tcp outside:192.168.131.222/46195 dst inside: 10.39.193.55/3389"

I've tried a few different rules to get it working but no matter what I do I get the same error. Would anyone be able to help? What I need is for the firewall not to NAT traffic from the production to the server network but to maintain the NAT from the server to the production network (disabling this allows the traffic from the production to the server network, strangely enough!)

Thanks in advance,
P
 
It'd probably help if I posted the NAT config:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

Here's the access list, one to allow file sharing (CIFS) from the server network to the production network and one to allow Remote Desktop (mstsc) from the production network to the server network.


access-list inside_access_in extended permit tcp 10.39.192.0 255.255.252.0 192.168.131.0 255.255.255.0 object-group CIFS
access-list outside_access_in extended permit tcp 192.168.131.0 255.255.255.0 10.39.192.0 255.255.252.0 object-group mstsc
 
Did you end up getting this to work or do you still need assistance?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
No, I didn't get it working since. Any ideas?
 
The following assumes you are running code 8.2 or lower:
Code:
access-list outside_access_in extended permit object-group mstsc 192.168.131.0 255.255.255.0 interface outside

static (inside,outside) tcp interface 3389 10.39.193.55 3389
this will get you traffic to only a single host (10.39.193.55) behind the firewall.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I've just tried this config but I get the same error.

ASA-3-305005: No translation group found for protocol src
interface_name: source_address/source_port dst interface_name:dest_address/dest_port

A packet does not match any of the outbound NAT rules. If NAT is not configured for the specified source and destination systems, the message will be generated frequently.

Here's my config now:

object-group service mstsc tcp
description Remote Desktop
port-object eq 3389
access-list outside_access_in extended permit tcp 192.168.131.0 255.255.255.0 10.39.192.0 255.255.252.0 object-group mstsc
access-list outside_access_in extended permit tcp 192.168.131.0 255.255.255.0 host 10.39.193.55 object-group mstsc

global (outside) 1 interface
static (inside,outside) tcp interface 3389 10.39.193.55 3389 netmask 255.255.255.255
 
I've done a little bit more testing and I can get the connection from the 192.168.131.0/24 network to work if I use this nat command:

static (outside,inside) tcp interface 3389 10.39.193.55 3389 netmask 255.255.255.255

But as soon as I try to enable NAT from inside to outside the error above starts appearing in the log again. Here's my current config:

access-list outside_access_in extended permit tcp 192.168.131.0 255.255.255.0 host 10.39.193.55 object-group mstsc

global (outside) 1 interface
nat (inside) 1 10.39.192.0 255.255.252.0
static (outside,inside) tcp interface 3389 10.39.193.55 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside


Please help!
 
Should be

access-list outside_access_in extended permit tcp 192.168.131.0 255.255.255.0 interface outside eq 3389

global (outside) 1 interface
nat (inside) 1 10.39.192.0 255.255.252.0
static (inside,outside) tcp interface 3389 10.39.193.55 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside

After you save the configuration, reboot and give it a try.
 
I've tried that but now I'm getting:

Inbound TCP connection denied from 192.168.131.222/49388 to 10.39.193.55/3389 flags SYN on interface outside

I wasn't sure how to interpret the access-list command so I also tried connecting to 3389 on the interface IP (which would be OK as well, 192.168.131.1) but I get this message:

Inbound TCP connection denied from 192.168.131.222/49388 to 192.168.131.1/3389 flags SYN on interface outside

Here's my config now. I'm trying to connect from 192.168.131.222 to 10.39.193.55 over 3389:

access-list outside_access_in extended permit tcp 192.168.131.0 255.255.255.0 interface outside eq 3389

global (outside) 1 interface
nat (inside) 1 10.39.192.0 255.255.252.0 (works OK, I can connect into the Production network no problem. If I use Wireshark I can see that the traffic is coming from the firewall interface IP)

static (inside,outside) tcp interface 3389 10.39.193.55 3389 netmask 255.255.255.255
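A small troubleshooting helper for the two ASA syslog messages this thread keeps hitting (305005 "No translation group found" and 106001 "Inbound TCP connection denied"). It is an added example, not code from any of the posts; the sample log lines are constructed to match the field order of those messages, and the 302013 line is included only to show that unrelated messages are left alone. Distinguishing the two causes matters because on 8.2 the interface ACL is evaluated before the NAT lookup, so a 305005 means the ACL already permitted the flow and the problem is a missing translation, while a 106001 means the ACL itself dropped the SYN.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the messages quoted in the thread
# (not copied from a real device).
SAMPLE_LOG = """\
%ASA-3-305005: No translation group found for tcp src outside:192.168.131.222/46195 dst inside:10.39.193.55/3389
%ASA-2-106001: Inbound TCP connection denied from 192.168.131.222/49388 to 10.39.193.55/3389 flags SYN on interface outside
%ASA-2-106001: Inbound TCP connection denied from 192.168.131.222/49388 to 192.168.131.1/3389 flags SYN on interface outside
%ASA-6-302013: Built outbound TCP connection 7 for inside:10.39.193.10/50123 (192.168.131.1/50123) to outside:192.168.131.50/445 (192.168.131.50/445)
"""

# 305005: the packet passed the interface ACL but no NAT rule (xlate) covers the src/dst pair.
# "src " and the space after "dst inside:" are optional so the OP's quoted line also matches.
NO_XLATE = re.compile(
    r"No translation group found for (?P<proto>\w+) (?:src )?"
    r"(?P<src_if>\w+):\s*(?P<src>[\d.]+)/(?P<sport>\d+) dst "
    r"(?P<dst_if>\w+):\s*(?P<dst>[\d.]+)/(?P<dport>\d+)")

# 106001: the SYN was dropped by the access-list applied to the ingress interface.
ACL_DENY = re.compile(
    r"Inbound (?P<proto>\w+) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>\S+) on interface (?P<src_if>\w+)")


def classify(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line; return its fields plus cause 'nat' or 'acl', or None if unrelated."""
    m = NO_XLATE.search(line)
    if m:
        return {**m.groupdict(), "proto": m["proto"].lower(), "cause": "nat"}
    m = ACL_DENY.search(line)
    if m:
        return {**m.groupdict(), "proto": m["proto"].lower(), "cause": "acl"}
    return None


def drops_by_flow(log: str) -> Dict[Tuple[str, str, str], List[str]]:
    """Group drop causes by (src, dst, dport) so one flow's history is visible at a glance."""
    flows: Dict[Tuple[str, str, str], List[str]] = {}
    for line in log.splitlines():
        rec = classify(line)
        if rec:
            flows.setdefault((rec["src"], rec["dst"], rec["dport"]), []).append(rec["cause"])
    return flows


if __name__ == "__main__":
    for flow, causes in drops_by_flow(SAMPLE_LOG).items():
        print(flow, causes)
```

Feed it `show logging` output (or the syslog export) and a flow that shows `nat` then `acl` after a config change tells you the ACL edit, not the translation, is now the blocker.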
 