NATing Problem after moving from PIX 515 to ASA 5510

sharma_arpit
Level 1

I have LAN-LAN connections on a VPN Concentrator. I have done static NAT on the PIX 515:

static (VPN,inside) 172.31.9.xx 191.2.1.xx netmask 255.255.255.255 0 0

Any user from inside sends traffic to 172.31.9.xx, which in turn initiates the tunnel through the VPN Concentrator. A user can also start the tunnel by sending traffic to the actual IP 191.2.1.3 from the LAN.

After I moved the configuration from the PIX 515 to the ASA 5510, I can send traffic through 172.31.9.xx but not through 191.2.1.xx (actual IP). Logs on the ASA show "No Translation group found icmp src inside 172.20.xx.xx dst VPN 191.2.1.xx (type 8,code 0)". If I remove the static NAT from the ASA, it starts sending traffic through the actual IP 191.2.1.xx.

It was working on the PIX 515 but not on the ASA 5510.

Can anybody please help me?

7 Replies

husycisco
Level 7

Most probably, your global statement is missing in the config, or you used to apply exempt NAT for 191.x.x on inside and now you don't.

nat (inside) 1 x.x.x.x x.x.x.x

Let's say that this is your current NAT; if so, add the following:

global (VPN) 1 interface

or

nat (inside) 0 access-list anaclname

access-list anaclname permit ip 172.31.9.0 255.255.255.0 host 191.2.1.xx

or

static (VPN,inside) 191.2.1.x 191.2.1.x netmask 255.255.255.255

Regards

Hi

I applied this statement and it was working

static (VPN,inside) 191.2.1.x 191.2.1.x netmask 255.255.255.255

Thanks a lot !!!!

But one thing I could not understand is why it was working on the PIX 515 without this statement.

Again Thanks a Lot

Hi sharma

Please rate for the post that resolved the issue.

Thanks

husycisco
Level 7

You are welcome. I really have to see your previous PIX config to accurately answer this question.

Using global command would be better in my opinion. Can you post the previous PIX configuration?

nat-control must be enabled.

I'd also be curious to know what OS version was on the PIX 515, specifically if it was a 7.x or earlier.

I enabled nat-control but it was not working.

PIX 515 has 6.3 and ASA has 7.0.

That's why it wasn't working - because nat-control is enabled.

That's why adding the static statement made it work.
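
The log line quoted in the question corresponds to ASA syslog 305005. As an added example (not part of the thread), the Python below groups such lines by source interface, destination interface and destination address, and prints for each flow an identity static in the form that resolved the issue here. The sample log lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Body of syslog 305005. Accepts the "inside:10.0.0.1/1234" layout and the
# space-separated form quoted in the thread ("src inside 172.20.xx.xx").
PATTERN = re.compile(
    r"No translation group found(?: for)? (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+)[: ]\s*(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+)[: ]\s*(?P<dst>[\d.]+)(?:/\d+)?",
    re.IGNORECASE,
)

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    "%ASA-3-305005: No translation group found for icmp src inside:10.20.1.5 "
    "dst VPN:192.0.2.3 (type 8, code 0)",
    "%ASA-3-305005: No translation group found for tcp src inside:10.20.1.9/40112 "
    "dst VPN:192.0.2.8/443",
    "No Translation group found icmp src inside 10.20.1.7 dst VPN 192.0.2.3 "
    "(type 8,code 0)",
    "%ASA-6-302013: Built outbound TCP connection 7 for VPN:192.0.2.9/80 "
    "(192.0.2.9/80) to inside:10.20.1.5/40113 (10.20.1.5/40113)",
]


def missing_translations(lines):
    """Count 305005 hits per (src_if, dst_if, dst) flow."""
    hits = Counter()
    for line in lines:
        m = PATTERN.search(line)
        if m:
            hits[(m["src_if"], m["dst_if"], m["dst"])] += 1
    return hits


def suggest_identity_static(flow):
    """Identity static in the form used in the thread; review before applying."""
    src_if, dst_if, dst = flow
    return f"static ({dst_if},{src_if}) {dst} {dst} netmask 255.255.255.255"


if __name__ == "__main__":
    for flow, count in missing_translations(SAMPLE_LOG).most_common():
        print(f"{count} hit(s) {flow[0]} -> {flow[1]} {flow[2]}")
        print("  candidate:", suggest_identity_static(flow))
```

The identity static is only one of the three options given in the reply above; a global statement or a nat 0 access-list covers the same flows.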
