NATing Problem after moving from PIX 515 to ASA 5510

Answered Question
Dec 2nd, 2007

I have LAN-LAN connections on a VPN Concentrator. I have done static NAT on the PIX 515:

static (VPN,inside) 172.31.9.xx 191.2.1.xx netmask 255.255.255.255 0 0


Any user from inside sends traffic to 172.31.9.xx, which in turn initiates the tunnel through the VPN Concentrator. A user can also start the tunnel by sending traffic to the actual IP 191.2.1.3 from the LAN.


After I moved the configuration from the PIX 515 to the ASA 5510, I can send traffic through 172.31.9.xx but not through 191.2.1.xx (actual IP). Logs on the ASA show "No Translation group found icmp src inside 172.20.xx.xx dst VPN 191.2.1.xx (type 8,code 0)". If I remove the static NAT from the ASA, it starts sending traffic through the actual IP 191.2.1.xx.


It was working on the PIX 515 but not on the ASA 5510.


Can anybody please help me?

husycisco Sun, 12/02/2007 - 06:46

Most probably, your global statement is missing in the config, or you used to apply exempt NAT for 191.x.x on inside and now you don't.


nat (inside) 1 x.x.x.x x.x.x.x

Let's say that this is your current NAT. If so, add the following:

global (VPN) 1 interface


or


nat (inside) 0 access-list anaclname

access-list anaclname permit ip 172.31.9.0 255.255.255.0 host 191.2.1.xx


or


static (VPN,inside) 191.2.1.x 191.2.1.x netmask 255.255.255.255



Regards

sharma_arpit Sun, 12/02/2007 - 07:22

Hi

I applied this statement and it was working:

static (VPN,inside) 191.2.1.x 191.2.1.x netmask 255.255.255.255

Thanks a lot !!!!

But one thing I could not understand is why it was working on the PIX 515 without this statement.

Again, thanks a lot.

Correct Answer
husycisco Wed, 12/05/2007 - 04:36

Hi sharma

Please rate for the post that resolved the issue.


Thanks

husycisco Sun, 12/02/2007 - 07:26

You are welcome. I really have to see your previous PIX config to accurately answer this question.


Using the global command would be better in my opinion. Can you post the previous PIX configuration?

srue Wed, 12/05/2007 - 06:34

nat-control must be enabled.


I'd also be curious to know what OS version was on the PIX 515, specifically if it was 7.x or earlier.

sharma_arpit Wed, 12/05/2007 - 07:44

I enabled nat-control but it was not working.

The PIX 515 has 6.3 and the ASA has 7.0.

srue Wed, 12/05/2007 - 17:30

That's why it wasn't working: because nat-control is enabled.

That's why adding the static statement made it work.
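
The "No Translation group found" message quoted in the question is the quickest pointer to which interface pair and destination lack a NAT rule after a migration like this one. The script below is an added example, not part of the original thread: it tallies those drops from a syslog export, assuming the standard ASA/PIX syslog 305005 layout (`src ifname:ip dst ifname:ip`); the sample lines and the 172.20.x.x source addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed syslog 305005 layout; the source
# addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Dec 02 2007 06:30:11: %ASA-3-305005: No translation group found for icmp src inside:172.20.1.15 dst VPN:191.2.1.3 (type 8, code 0)
Dec 02 2007 06:30:12: %ASA-3-305005: No translation group found for icmp src inside:172.20.1.15 dst VPN:191.2.1.3 (type 8, code 0)
Dec 02 2007 06:30:40: %ASA-3-305005: No translation group found for tcp src inside:172.20.4.9/1042 dst VPN:191.2.1.3/23
Dec 02 2007 06:31:02: %ASA-5-111008: User 'enable_15' executed the 'write memory' command.
Dec 02 2007 06:31:30: %ASA-3-305005: No translation group found for udp src inside:172.20.4.9/1043 dst VPN:191.2.1.7/53
"""

# Ports are optional: ICMP lines carry "(type N, code N)" instead of /port.
PATTERN = re.compile(
    r"%(?:ASA|PIX)-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/\d+)?"
)


def missing_translations(log_text):
    """Count 305005 drops per (source interface, destination interface, destination IP)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            hits[(m["src_if"], m["dst_if"], m["dst_ip"])] += 1
    return hits


def report(hits):
    """One line per destination, busiest first, naming the interface pair to review."""
    return [
        f"{n} drop(s): {src_if} -> {dst_if} {dst_ip}: review nat/global/static for this pair"
        for (src_if, dst_if, dst_ip), n in hits.most_common()
    ]


if __name__ == "__main__":
    print("\n".join(report(missing_translations(SAMPLE_LOG))))
```
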
