12-02-2007 03:02 AM - edited 03-11-2019 04:37 AM
I have LAN- LAN connections on VPN Concentrator I have done static NAT on PIX 515
static (VPN,inside) 172.31.9.xx 191.2.1.xx netmask 255.255.255.255 0 0
Any user from inside sends traffic to 172.31.9.xx which in turns initiates the tunnel through VPN Concentrator User can start the tunnel by sending traffic to actual IP 191.2.1.3 also from LAN
After I moved the configuration from PIX 515 to ASA 5510 I can send the traffic through 172.31.9.xx but not through 191.2.1.xx(Actual IP) Logs on ASA shows "No Translation group found icmp src inside 172.20.xx.xx dst VPN 191.2.1.xx (type 8,code 0) If I remove the static NAT from ASA it starts sending traffic through actual IP 191.2.1.xx
It was working on PIX 515 but not on ASA 5510
Anybody can please help me
Solved! Go to Solution.
12-05-2007 04:36 AM
12-02-2007 06:46 AM
Most probably, your global statement is missing in config, or you used to apply exempt nat for 191.x.x in inside and now you dont.
nat (inside) 1 x.x.x.x x.x.x.x lets say that this is your crrent NAT, if so, add the following
global (VPN) 1 interface
or
nat (inside) 0 access-list anaclname
access-list anaclname permit 172.31.9.0 255.255.255.0 host 191.2.1.xx
or
static (VPN,inside) 191.2.1.x 191.2.1.x netmask 255.255.255.255
Regards
12-02-2007 07:22 AM
Hi
I applied this statement and it was working
static (VPN,inside) 191.2.1.x 191.2.1.x netmask 255.255.255.255
Thanks a lot !!!!
But one thing I could not understand is why it was working in PIX 515 without this statement
Again Thanks a Lot
12-05-2007 04:36 AM
Hi sharma
Please rate for the post that resolved the issue.
Thanks
12-02-2007 07:26 AM
you are welcome. I really have to see your previous PIX config to accurately answer this question.
Using global command would be better in my opinion. Can you post the previous PIX configuration?
12-05-2007 06:34 AM
nat-control must be enabled.
I'd also be curious to know what OS version was on the pix 515, specifically if it was a 7.x or earlier.
12-05-2007 07:44 AM
I enabled nat-control but it was not working
PIX 515 has 6.3 and ASA has 7.0
12-05-2007 05:30 PM
that's why it wasn't working - be/c nat-control is enabled.
that's why adding the static statement made it work.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: