Tuesday, February 23, 2010

nat-control

There are times when you think that an access-list has some problems, and then you find out that the hit counts are increasing. You're almost sure that the traffic is passing, but you can't find the connection in the connection table? You've checked syslog and you've found one of those beautiful syslog messages:

%ASA-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80

%ASA-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80

%FWSM-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80

%FWSM-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80

Well, most probably you have nat-control enabled. You can verify it using the following command:

FWSM/CONTEXT# show runn nat-control
nat-control

Well, what is nat-control then? Nat-control is a feature on Cisco firewalls to maximise security. When it is enabled, each packet MUST match a NAT rule in order to pass the firewall. It is important to keep in mind that even packets initiated from a HIGHER security level interface (inside) MUST match a NAT rule in order for the packet to be processed to a lower security interface (outside). Nat-control is disabled by default.
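To see which flows are actually being dropped for lack of a translation before touching the NAT configuration, here is an added example (not from the original post) that parses the 305005/305006 messages quoted above and tallies them per source/destination pair. The sample log lines, including the extra UDP failure and the unrelated 302013 message, are constructed for the example.

```python
import re
from collections import Counter

# Matches the ASA/FWSM 305005 and 305006 messages quoted above; search() tolerates
# any timestamp or hostname prefix the syslog collector adds in front of "%ASA".
NAT_FAIL_RE = re.compile(
    r"%(?P<platform>ASA|FWSM)-3-(?P<msg_id>30500[56]): "
    r"(?P<reason>No translation group found|regular translation creation failed) "
    r"for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_nat_failure(line):
    """Return the fields of a 305005/305006 line as a dict, or None for any other message."""
    m = NAT_FAIL_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    fields["dst_port"] = int(fields["dst_port"])
    return fields

def summarize_nat_failures(lines):
    """Count untranslated flows per (src_if, src_ip, dst_if, dst_ip, proto, dst_port)."""
    # Ephemeral source ports are left out of the key so retries from one host
    # collapse into a single entry: the flow that needs a NAT (or identity NAT) rule.
    counts = Counter()
    for line in lines:
        f = parse_nat_failure(line)
        if f is None:
            continue  # e.g. 302013 "Built connection" lines are not NAT failures
        key = (f["src_if"], f["src_ip"], f["dst_if"], f["dst_ip"], f["proto"], f["dst_port"])
        counts[key] += 1
    return counts

# Constructed sample: the four messages from the post (one with a collector timestamp),
# one extra UDP failure, and an unrelated connection-built message that must be ignored.
SAMPLE_LOG = [
    "%ASA-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80",
    "%ASA-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80",
    "Feb 23 2010 10:15:02: %FWSM-3-305005: No translation group found for tcp src inside:10.1.1.9/11039 dst outside:198.133.219.25/80",
    "%FWSM-3-305006: regular translation creation failed for tcp src inside:10.1.1.9/11040 dst outside:198.133.219.25/80",
    "%ASA-3-305005: No translation group found for udp src inside:10.1.1.22/53211 dst outside:198.133.219.25/53",
    "%ASA-6-302013: Built outbound TCP connection 1234 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.1.1.9/11041 (203.0.113.5/11041)",
]
if __name__ == "__main__":
    for key, n in summarize_nat_failures(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {key[4]} {key[0]}:{key[1]} -> {key[2]}:{key[3]}/{key[5]}")
```

Run against a real syslog export, the most common entry is the flow whose hosts need to be covered by a NAT statement (or exempted via identity NAT) while nat-control stays enabled.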
