No Translation Group Found - WebVPN SVC on ASA - HELP!!!

I need some help with my config. I have tried numerous combos to try and get this to go with no luck. Basically, I get connected via WebVPN using the SVC, get an IP from my IP pool, but when I try and ping or access a resource on the inside interface via TCP/UDP, I get the following error - "No translation group found for tcp src outside: dst inside:" (for instance). Unfortunately I am in dire straits here and need to get this fixed ASAP since this implementation was supposed to be completed yesterday. Any help is appreciated. I'm sure it is a simple fix that I am just not seeing. Thx.

acomiskey Wed, 06/20/2007 - 05:52

Firstly, your vpn client pool should never be in the same subnet as your inside subnet. I would start by changing the pool to something else. What user are you logging in with?

OK, so I have made the following changes - access-list vpn-no-nat extended permit ip any

ip local pool VPN-Pool mask

no access-list vpn-no-nat extended permit ip any

no ip local pool VPN-Pool mask

I am using the "Somone" account which has IP any access once connected.

Still doesn't work.

Just out of curiosity, why have the pool addresses on a different subnet than internal? The Cisco docs say you have to use the same subnet for both.

acomiskey Wed, 06/20/2007 - 06:40

Sorry, looks like I was wrong about that part.

About the IP Pool range? Honestly, I am not sure it matters since I have found working examples of both.

Any other ideas of what might be happening here?

If I look at the stats on my VPN client, there is traffic being sent but not received. If I PING the client VPN address from the ASA, it doesn't work but the client received stats increment up. It's a stinking NAT issue, I know it is.

markbialik Tue, 07/24/2007 - 08:32

I tried that release a few weeks ago on an ASA. It was awful. I have multiple VLANs on multiple interfaces. None of the VLANs could talk with one another. I kept getting the "no port map translation group" error message for all traffic between interfaces/VLANs. I had to roll back. Everything was good again. I'd love to know why this release is still posted. It could be there is something majorly wrong with my config, but it's worked fine since 7.0.

