Using PIX for IPSEC VPN

- A
- Ann Tone
  
  Contact options for registered users
posted
14 years ago

Mon, Oct 19, 2009 4:14 AM

Hello All,

I have a PIX 515 that's configured as a VPN IPSEC provider, amongst other things. When establishing a tunnel, everything goes fine but the VPN machine isn't able to ping anything inside. The log is showing something like

305005: No translation group found for icmp src outside:192.168.10.2 dst inside:192.168.2.11 (type 8, code 0)

whereby 192.168.10.2 is the VPN IP address.

What's going wrong here ? Do I need nat/global or static entry for the VPNed network, especially given that they seem to be on the outside interface ? Many thanks for your help in advance !

Best wishes

- C
- Christoph Gartmann
  
  Contact options for registered users
Vote on answer
posted
14 years ago

Mon, Oct 19, 2009 9:45 AM

You may need a routing statement, either of the form crypto dynamic-map outside_dyn_map 20 set reverse-route and/or something like route guests 0.0.0.0 0.0.0.0 192.168.20.254 tunneled

Regards, Christoph Gartmann

- J
- Jyri Korhonen
  
  Contact options for registered users
Vote on answer
posted
14 years ago

Mon, Oct 19, 2009 9:56 AM

Maybe you don't have a no-nat rule for VPN clients. Something like this:

access-list VPNclients permit ip 192.168.2.0 255.255.255.0 192.168.10.0

255.255.255.0 nat 0 access-list VPNclients