NATing Problem after moving from PIX 515 to ASA 5510

Answered Question
Dec 2nd, 2007

I have LAN-to-LAN connections on a VPN Concentrator. I have done static NAT on the PIX 515:

static (VPN,inside) 172.31.9.xx 191.2.1.xx netmask 255.255.255.255 0 0

Any user from inside sends traffic to 172.31.9.xx, which in turn initiates the tunnel through the VPN Concentrator. A user can also start the tunnel by sending traffic to the actual IP 191.2.1.3 from the LAN.

After I moved the configuration from the PIX 515 to the ASA 5510, I can send traffic through 172.31.9.xx but not through 191.2.1.xx (the actual IP). Logs on the ASA show "No Translation group found icmp src inside 172.20.xx.xx dst VPN 191.2.1.xx (type 8,code 0)". If I remove the static NAT from the ASA, it starts sending traffic through the actual IP 191.2.1.xx.

It was working on the PIX 515 but not on the ASA 5510.

Can anybody please help me?

husycisco Sun, 12/02/2007 - 06:46

Most probably, your global statement is missing in the config, or you used to apply exempt NAT for 191.x.x on inside and now you don't.

nat (inside) 1 x.x.x.x x.x.x.x

Let's say that this is your current NAT. If so, add the following:

global (VPN) 1 interface

or

nat (inside) 0 access-list anaclname

access-list anaclname permit ip 172.31.9.0 255.255.255.0 host 191.2.1.xx

or

static (VPN,inside) 191.2.1.x 191.2.1.x netmask 255.255.255.255

Regards

sharma_arpit Sun, 12/02/2007 - 07:22

Hi

I applied this statement and it was working

static (VPN,inside) 191.2.1.x 191.2.1.x netmask 255.255.255.255

Thanks a lot !!!!

But one thing I could not understand is why it was working in PIX 515 without this statement

Again Thanks a Lot

Correct Answer
husycisco Wed, 12/05/2007 - 04:36

Hi sharma

Please rate for the post that resolved the issue.

Thanks

husycisco Sun, 12/02/2007 - 07:26

You are welcome. I really have to see your previous PIX config to accurately answer this question.

Using global command would be better in my opinion. Can you post the previous PIX configuration?

srue Wed, 12/05/2007 - 06:34

nat-control must be enabled.

I'd also be curious to know what OS version was on the PIX 515, specifically if it was 7.x or earlier.

sharma_arpit Wed, 12/05/2007 - 07:44

I enabled nat-control but it was not working

PIX 515 has 6.3 and ASA has 7.0

srue Wed, 12/05/2007 - 17:30

That's why it wasn't working - because nat-control is enabled.

That's why adding the static statement made it work.
