No Translation Group Found - WebVPN SVC on ASA - HELP!!!

Unanswered Question

I need some help with my config. I have tried numerous combos to try and get this to go with no luck. Basically, I get connected via WebVPN using the SVC, get an IP from my ip pool, but when I try and ping or access a resource on the inside interface via tcp/udp, I get the following error - "No translation group found for tcp src outside:192.168.100.249/4144 dst inside:192.168.100.10/5900" (for instance). Unfortunately I am in dire straits here and need to get this fixed ASAP since this implementation was supposed to be completed yesterday. Any help is appreciated. I'm sure it is a simple fix that I am just not seeing. Thx.

acomiskey Wed, 06/20/2007 - 05:52

Firstly, your vpn client pool should never be in the same subnet as your inside subnet. I would start by changing the pool to something else. What user are you logging in with?

OK, so I have made the following changes:

access-list vpn-no-nat extended permit ip any 172.16.100.248 255.255.255.248

ip local pool VPN-Pool 172.16.100.249-172.16.100.254 mask 255.255.255.248

no access-list vpn-no-nat extended permit ip any 192.168.100.248 255.255.255.248

no ip local pool VPN-Pool 192.168.100.249-192.168.100.254 mask 255.255.255.0

I am using the "Somone" account which has IP any access once connected.

Still doesn't work.

Just out of curiosity, why have the pool addresses on a different subnet than internal? The Cisco docs say you have to use the same subnet for both.

About the IP Pool range? Honestly, I am not sure it matters since I have found working examples of both.

Any other ideas of what might be happening here?

If I look at the stats on my VPN client, there is traffic being sent but not received. If I PING the client VPN address from the ASA, it doesn't work but the client received stats increment up. It's a stinking NAT issue, I know it is.

markbialik Tue, 07/24/2007 - 08:32

I tried that release a few weeks ago on an ASA. It was awful. I have multiple VLANs on multiple interfaces. None of the VLANs could talk with one another. I kept getting the "no port map translation group" error message for all traffic between interfaces/VLANs. I had to roll back. Everything was good again. I'd love to know why this release is still posted. It could be there is something majorly wrong with my config, but it's worked fine since 7.0.
