06-20-2007 05:35 AM - edited 02-21-2020 01:34 AM
I need some help with my config. I have tried numerous combos to try and get this to go with no luck. Basically, I get connected via WebVPN using the SVC, get an IP from my ip pool, but when I try and ping or access a resource on the inside interface via tcp/udp, I get the following error - "No translation group found for tcp src outside:192.168.100.249/4144 dst inside:192.168.100.10/5900" (for instance). Unfortunately I am in dire straits here and need to get this fixed ASAP since this implementation was supposed to be completed yesterday. Any help is appreciated. I'm sure it is a simple fix that I am just not seeing. Thx.
06-20-2007 05:52 AM
Firstly, your vpn client pool should never be in the same subnet as your inside subnet. I would start by changing the pool to something else. What user are you logging in with?
06-20-2007 06:35 AM
OK, so I have made the following changes -
access-list vpn-no-nat extended permit ip any 172.16.100.248 255.255.255.248
ip local pool VPN-Pool 172.16.100.249-172.16.100.254 mask 255.255.255.248
no access-list vpn-no-nat extended permit ip any 192.168.100.248 255.255.255.248
no ip local pool VPN-Pool 192.168.100.249-192.168.100.254 mask 255.255.255.0
I am using the "Somone" account which has IP any access once connected.
Still doesn't work.
Just out of curiosity, why have the pool addresses on a different subnet than internal? The Cisco docs say you have to use the same subnet for both.
06-20-2007 06:40 AM
Sorry, looks like I was wrong about that part.
06-20-2007 10:00 AM
About the IP Pool range? Honestly, I am not sure it matters since I have found working examples of both.
Any other ideas of what might be happening here?
If I look at the stats on my VPN client, there is traffic being sent but not received. If I PING the client VPN address from the ASA, it doesn't work but the client received stats increment up. It's a stinking NAT issue, I know it is.
06-20-2007 10:03 AM
This example does not have nat exemption... I wonder why. (nat (inside) 0 access-list ...)
http://cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml
06-20-2007 10:28 AM
Strange, isn't it? I have gone through this doc many times with no luck.
06-21-2007 07:27 AM
OK, so I found the problem. It is a bug in interim release 7.2.2.22. I rolled back to 7.2.2 and everything works fine. Thanks for the help!
07-24-2007 08:32 AM
I tried that release a few weeks ago on an ASA. It was awful. I have multiple VLANs on multiple interfaces. None of the VLANs could talk with one another. I kept getting the "no port map translation group" error message for all traffic between interfaces/VLANs. I had to roll back. Everything was good again. I'd love to know why this release is still posted. It could be there is something majorly wrong with my config, but it's worked fine since 7.0.
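An added example, not part of any post in this thread and not Cisco code: a Python check of whether a NAT-exemption ACL entry covers the flow named in a "No translation group found" message. It uses the log line and the two `vpn-no-nat` entries quoted in the thread, and assumes the ACL is applied with `nat (inside) 0 access-list vpn-no-nat` and written inside-address first, VPN-client address second; the function names are illustrative.

```python
import ipaddress
import re

# Inputs copied from the thread: the logged error and both versions of the ACL entry.
LOG = ('No translation group found for tcp src outside:192.168.100.249/4144 '
       'dst inside:192.168.100.10/5900')
ACL_OLD = 'access-list vpn-no-nat extended permit ip any 192.168.100.248 255.255.255.248'
ACL_NEW = 'access-list vpn-no-nat extended permit ip any 172.16.100.248 255.255.255.248'

FLOW_RE = re.compile(r'for (\w+) src (\S+?):([\d.]+)/\d+ dst (\S+?):([\d.]+)/\d+')

def parse_flow(msg):
    """Pull protocol, interfaces and addresses out of the error text."""
    m = FLOW_RE.search(msg)
    if not m:
        raise ValueError('not a "No translation group found" message with ports')
    proto, src_if, src, dst_if, dst = m.groups()
    return {'proto': proto, 'src_if': src_if, 'src': ipaddress.ip_address(src),
            'dst_if': dst_if, 'dst': ipaddress.ip_address(dst)}

def take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == 'any':
        return ipaddress.ip_network('0.0.0.0/0'), tokens[1:]
    if tokens[0] == 'host':
        return ipaddress.ip_network(tokens[1] + '/32'), tokens[2:]
    return ipaddress.ip_network(f'{tokens[0]}/{tokens[1]}', strict=False), tokens[2:]

def parse_ace(line):
    """Return (local_net, remote_net) for an 'extended permit ip' entry."""
    t = line.split()
    if t[0] != 'access-list' or t[2:5] != ['extended', 'permit', 'ip']:
        raise ValueError('only "extended permit ip" entries are handled')
    local, rest = take_addr(t[5:])
    remote, _ = take_addr(rest)
    return local, remote

def exempts(ace_line, flow, inside_if='inside'):
    """True if the entry covers the flow, seen from the inside interface."""
    local, remote = parse_ace(ace_line)
    # The ACL is written inside -> remote; a flow logged as outside -> inside
    # is the same conversation in the other direction, so swap the endpoints.
    if flow['src_if'] == inside_if:
        inside_ip, remote_ip = flow['src'], flow['dst']
    else:
        inside_ip, remote_ip = flow['dst'], flow['src']
    return inside_ip in local and remote_ip in remote

if __name__ == '__main__':
    flow = parse_flow(LOG)
    print('old entry covers logged flow:', exempts(ACL_OLD, flow))
    print('new entry covers logged flow:', exempts(ACL_NEW, flow))
```

With the thread's values, the original 192.168.100.248/29 entry already covers the logged flow, while the replacement entry only covers clients addressed from the new 172.16.100.249-254 pool.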