No translation group found

Feb 28th, 2007

Hello, I'm trying to set up a site-to-site VPN between our Pix515 (running 6.3) and a third party's eFinity device (running Linux). I've followed the VPN wizard in PDM but when they try to ping one of our servers, they get error 'No translation group found for icmp src outside:62.69.58.233 dst inside:128.31.2.1'.

Their LAN is 194.201.29.0/24 and firewall address is 62.69.58.233. Our LAN is 128.31.0.0/16, firewall address is 194.70.27.46.

Any help is greatly appreciated.

Rex

acomiskey Wed, 02/28/2007 - 07:35

62.69.58.233 is not defined as interesting traffic on your PIX. This address would need to be added to access-list outside_cryptomap_40 as well as your no nat ACL. Also, are you pinging from the outside address of the remote firewall, or from a client inside who is NATing to the outside firewall address? If you want to see inside clients from their inside address (which is how your interesting traffic is written), they need to no nat on the remote side.

Also, clean up your config before you post (passwords etc.).

Rex Biesty Wed, 02/28/2007 - 07:46

Thanks for the response. I'll look at the access lists. The pinging is coming from a server on their LAN (outside) to a server on ours.

Correct Answer
acomiskey Wed, 02/28/2007 - 07:49

According to your log message, the source is 62.69.58.233, not 194.201.29.x, which means it is being NATed. You would not have to add 62.69.58.233 to your ACL if they did a no nat from their inside LAN to yours.

Rex Biesty Wed, 02/28/2007 - 07:59

Cheers. I've spoken to the guys who manage their firewall who will look into it. Presumably I'll be OK to add the relevant rules to our firewall (as you originally suggested) if there's a problem with them doing no nat?
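The diagnosis in this thread, as an added example that is not part of the original posts: a small check that compares the source and destination in the quoted log message against a crypto ACL. The ACL line is constructed from the two LANs given in the question (the poster's actual config is not shown here), and only the `permit ip <net> <mask> <net> <mask>` form is handled.

```python
import ipaddress
import re

# Constructed sample: a crypto ACL written for the two LANs in the question
# (local 128.31.0.0/16, remote 194.201.29.0/24). Not the poster's real config.
CRYPTO_ACL = """
access-list outside_cryptomap_40 permit ip 128.31.0.0 255.255.0.0 194.201.29.0 255.255.255.0
"""

# The log message quoted in the question.
LOG = ("No translation group found for icmp src outside:62.69.58.233 "
       "dst inside:128.31.2.1")

ACL_RE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
LOG_RE = re.compile(r"src outside:(\d+(?:\.\d+){3})\S*\s+dst inside:(\d+(?:\.\d+){3})")


def parse_acl(text):
    """Return (local_net, remote_net) pairs from 'permit ip net mask net mask' lines."""
    pairs = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            pairs.append((ipaddress.ip_network(f"{src}/{smask}"),
                          ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs


def parse_log(line):
    """Extract (outside source, inside destination) from the log message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 'src outside ... dst inside' log line")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def is_interesting(remote_src, local_dst, pairs):
    """Inbound packets are checked against the mirror image of the crypto ACL."""
    return any(local_dst in local and remote_src in remote for local, remote in pairs)


def diagnose(log_line, acl_text):
    src, dst = parse_log(log_line)
    if is_interesting(src, dst, parse_acl(acl_text)):
        return f"{src} -> {dst}: matches the crypto ACL"
    return f"{src} -> {dst}: not interesting traffic; source is outside the remote LAN"


if __name__ == "__main__":
    print(diagnose(LOG, CRYPTO_ACL))
```

The same packet sourced from a 194.201.29.x address matches, which is the effect of the remote side doing no nat for traffic to 128.31.0.0/16.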
