Nat Translation

I have a pix 515-e, running 6.3(5), and have been trying to get a basic vpn up and running, but can't finish for the life of me. I have the vpn connection working just fine, I get an ip from a local pool that I specify, but whenever I try to access the network behind the inside interface of the pix from the vpn I get an error: Jun 2 12:46:07 172.16.1.1 %PIX-3-305005: No translation group found for icmp src outside:172.16.3.11 dst inside:172.16.1.1 (type 8, code 0)

I am pulling out my hair trying to get this damn thing working but just don't know what else to try. Below is my config. Any help would be greatly appreciated:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan2 vlan security50
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix0
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit icmp any any
access-list inbound permit tcp any any
access-list inbound permit udp any any
access-list inbound permit ip any any
access-list vpn_acl permit ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_acl permit icmp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_acl permit udp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging standby
logging trap debugging
logging facility 19
logging host inside 172.16.1.15
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 63.x.x.80 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
no ip address intf2
ip address vlan 172.16.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 172.16.3.1-172.16.3.254
pdm history enable
arp timeout 60
global (outside) 1 interface
nat (inside) 0 access-list vpn_acl
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
static (inside,outside) 63.x.x.82 172.16.1.4 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 63.122.61.1 1
timeout xlate 0:05:00
timeout conn 0:30:00 half-closed 0:05:00 udp 0:01:00 rpc 0:10:00 h225 0:30:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 172.16.1.15 cisco timeout 5
aaa-server LOCAL protocol local
aaa-server radius protocol radius
aaa-server radius max-failed-attempts 3
aaa-server radius deadtime 10
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 172.16.1.15 abcdef timeout 5
http server enable
http 172.16.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dyna 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpn outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000-all address-pool vpn
vpngroup vpn3000-all dns-server 63.x.x.10
vpngroup vpn3000-all wins-server 63.x.x.10
vpngroup vpn3000-all default-domain domain.com
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password ********
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local vpn
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username jtrooney password *********
vpdn enable outside
terminal width 80
Reply to
jtrooney

You have to nonat the traffic from inside to outside, but you are nonating the traffic from outside to inside.

Try replacing vpn_acl with:

access-list vpn_acl permit ip 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list vpn_acl permit icmp 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list vpn_acl permit udp 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
Reply to
mcaissie
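As an added illustration (not part of the thread and not PIX code): a small Python model of how the PIX looks up the nat 0 exemption ACL. It assumes simplified semantics (netmask-style ACEs or the keyword any, protocol ip covering every protocol, and the ACL always read from the perspective of the interface named in the nat statement), feeds it both versions of vpn_acl from this thread, and shows why the ping in the original log fails with the first one and passes with the second.

```python
"""Added model (not PIX code, not from the thread) of how a PIX 6.x
'nat (inside) 0 access-list NAME' exemption is looked up.

Assumed simplified semantics, for illustration only:
  * ACEs use real netmasks (PIX 6.3 syntax) or the keyword 'any';
  * protocol 'ip' covers every protocol, otherwise the name must match;
  * the nat 0 ACL is read from the perspective of the interface named in
    the nat statement: source = hosts behind 'inside', destination = the
    far end, no matter which side sent the first packet.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str  # permit | deny
    proto: str   # ip | icmp | tcp | udp
    src: IPv4Network
    dst: IPv4Network


def _take_network(tokens: List[str]) -> IPv4Network:
    """Consume 'any' or 'addr mask' from the front of the token list."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ANY
    addr, mask = tokens.pop(0), tokens.pop(0)
    return IPv4Network((addr, mask), strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC [MASK] DST [MASK]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not a PIX 6.x ACE: {line!r}")
    _, name, action, proto = tokens[:4]
    rest = tokens[4:]
    src = _take_network(rest)
    dst = _take_network(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(name, action, proto, src, dst)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]


def first_match(acl: List[Ace], proto: str, src: str, dst: str) -> Optional[Ace]:
    """First ACE whose protocol, source and destination cover the flow, or None."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in acl:
        if (ace.proto == "ip" or ace.proto == proto) and s in ace.src and d in ace.dst:
            return ace
    return None


def nat0_exempts(acl: List[Ace], inside_host: str, remote_host: str, proto: str) -> bool:
    """Would 'nat (inside) 0 access-list' skip translation for this pair?

    The PIX keys the lookup on the inside-side flow (src = inside host,
    dst = remote), even for a connection that the remote side initiated.
    With no nat/global or nat 0 entry covering the inside host, PIX 6.x
    logs %PIX-3-305005 'No translation group found' and drops the packet.
    """
    ace = first_match(acl, proto, inside_host, remote_host)
    return ace is not None and ace.action == "permit"


def diagnose(acl: List[Ace], outside_src: str, inside_dst: str, proto: str) -> str:
    """Mimic the outcome for a packet arriving on 'outside' headed for 'inside'."""
    if nat0_exempts(acl, inside_dst, outside_src, proto):
        return "exempt: passes untranslated"
    return (f"%PIX-3-305005: No translation group found for {proto} "
            f"src outside:{outside_src} dst inside:{inside_dst}")


# Constructed from the thread: the poster's original ACL (VPN pool as source) ...
ORIGINAL_VPN_ACL = """
access-list vpn_acl permit ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_acl permit icmp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_acl permit udp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
"""
# ... and the corrected one (inside network as source).
FIXED_VPN_ACL = """
access-list vpn_acl permit ip 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list vpn_acl permit icmp 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list vpn_acl permit udp 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
"""

if __name__ == "__main__":
    # The ping from the original log: VPN client 172.16.3.11 -> inside 172.16.1.1
    for label, text in (("original", ORIGINAL_VPN_ACL), ("fixed", FIXED_VPN_ACL)):
        print(f"{label:8s} {diagnose(parse_acl(text), '172.16.3.11', '172.16.1.1', 'icmp')}")
```

Run it to see the two outcomes side by side. Because the ip entry already covers icmp and udp, the extra icmp and udp entries in either version are never reached; they are harmless but redundant.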

Getting closer, I can actually see the icmp traffic hitting the access-lists now =) Now the error that I'm getting is:

Jun 2 14:29:16 172.16.1.1 %PIX-6-302013: Built inbound TCP connection 2211258 for outside:172.16.3.11/1078 (172.16.3.11/1078) to inside:172.16.1.10/22 (172.16.1.10/22)
Jun 2 14:31:18 172.16.1.1 %PIX-6-302014: Teardown TCP connection 2211258 for outside:172.16.3.11/1078 to inside:172.16.1.10/22 duration 0:02:01 bytes 0 SYN Timeout

or if I turn on debug icmp I get:

2420: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768 seq=40960 length=40
2421: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768 seq=41216 length=40
2422: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768 seq=41472 length=40
2423: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768 seq=41728 length=40
2424: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768 seq=41984 length=40

Any Ideas? Thanks for your help so far =)


Reply to
jtrooney

It's normal not being able to ping the inside interface from the outside, even through a VPN. Do you have the same problem pinging a PC on the inside?

If you want your inside interface to be accessible from the outside through a VPN you must add the command:

management-access inside

Reply to
mcaissie

Maybe the PIX sees the ping as a reply from a previous translation, created before you changed the nonat stuff.

If 172.16.1.20 tried to communicate with 172.16.3.x before the changes, it got translated. And the translation remains even if you change your config. So a good thing to do would be to clear the translation.

sh xlate will show you the existing translations

clear xlate will clear all translations (and all existing sessions, so don't use it if you don't want to interrupt anybody)

I don't recall the syntax to clear a single translation, but you can also wait 3 hours for the translation to time out.

Reply to
mcaissie
