No translation group found for tcp src outside:

Answered Question
Feb 14th, 2008

Hi

I can't seem to figure it out. I have a VPN client and I'm able to "dial in" to my PIX 515E 7.2(2) w/ ASDM 5.2(2), yet I can't access anything on the network. I'm getting one of these famous "No translation group found for tcp src outside:192.168.1.129/49175 dst inside:192.168.1.251/65535" messages, no matter what I do...

Can someone help me here please?

Thanks

husycisco Fri, 02/15/2008 - 10:27

Hi Alexus

You don't have a NAT exempt rule definition for this traffic. Please post your config and let me suggest the necessary change.

Regards

*Please do not forget to rate helpful posts and choose "accept as answer" for the post which solved your issue

alexus Fri, 02/15/2008 - 14:13

: Saved
:
PIX Version 7.2(2)
!
hostname pix
domain-name default.domain.invalid
enable password ********** encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 38.99.194.174 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 10
 ip address 216.112.241.29 255.255.255.248
!
passwd ********** encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network alexus
 description 24.185.136.252
 network-object host 64.237.55.82
 network-object host 24.185.136.252
 network-object host 69.10.67.16
object-group network www
 network-object host 38.96.132.42
 network-object host 38.96.132.43
 network-object host 38.96.132.44
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit ip object-group alexus any
access-list outside_access_in extended permit udp interface outside interface inside eq sip
access-list outside_access_in extended permit tcp any object-group www eq www
access-list tgn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255.255.255.248
pager lines 24
logging enable
logging asdm notifications
logging host inside 192.168.1.251
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool ipp 192.168.1.129-192.168.1.134 mask 255.255.255.248
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-pix-522.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
global (dmz) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 38.96.132.42 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 38.96.132.43 192.168.1.250 netmask 255.255.255.255
static (inside,outside) 38.96.132.44 192.168.1.234 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 38.99.194.173 1 track 1
route dmz 0.0.0.0 0.0.0.0 216.112.241.25 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server aaasg-ntd protocol nt
aaa-server aaasg-ntd host 192.168.1.234
 nt-auth-domain-controller ACIES

alexus Fri, 02/15/2008 - 14:17

group-policy tgn internal
group-policy tgn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tgn_splitTunnelAcl
username alexus password ********** encrypted privilege 15
http server enable
http 192.168.1.251 255.255.255.255 inside
http 24.185.136.252 255.255.255.255 outside
http 192.168.1.129 255.255.255.255 inside
http 69.10.67.16 255.255.255.255 outside
snmp-server host inside 192.168.1.251 community public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 38.99.194.173 interface outside
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
tunnel-group tgn type ipsec-ra
tunnel-group tgn general-attributes
 address-pool ipp
 default-group-policy tgn
tunnel-group tgn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh scopy enable
ssh 64.237.55.82 255.255.255.255 outside
ssh 192.168.1.251 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
!
class-map class_sip_udp
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class_sip_udp
  inspect sip
!
service-policy global_policy global
ntp server 207.46.232.182 source outside prefer
tftp-server inside 192.168.1.251 /
smtp-server 192.168.1.234
prompt hostname context
Cryptochecksum:de5bd8bcc1ac9210e21e3bd28c779b1e
: end
[OK]

husycisco Fri, 02/15/2008 - 15:08

Alexus

1) Do not use a VPN pool that is covered by an interface of the firewall. Your VPN pool is in the same subnet as the inside interface.

2) Do not use "any" in NAT or split-tunnel ACLs. Specify the networks.

Do the following modifications:

ip local pool vpnpool 172.16.100.1-172.16.100.254 netmask 255.255.255.0
no access-list tgn_splitTunnelAcl standard permit any
access-list tgn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
crypto isakmp nat-traversal 20
tunnel-group tgn general-attributes
 no address-pool ipp
 address-pool vpnpool

Recommendation: 192.168.1.0 is the network most out-of-the-box internet modems/routers use for their IP range; this will cause trouble if the PC acquires its IP address from one of them. You should change your inside interface IP range.

Regards

*Please do not forget to rate helpful posts and choose "resolved my issue" for the post that resolved your issue

alexus Fri, 02/15/2008 - 15:35

OK, now it works, but I'm not able to "surf" at the same time whenever I'm VPN'd in.

husycisco Fri, 02/15/2008 - 15:47

You don't have a DNS server specified for VPN clients. Do you have a DNS server or a DC with AD-integrated DNS at the main office? If you have, then...

group-policy tgn attributes
 dns-server value DNSserverIPatmainoffice

If you don't have, then...

group-policy tgn attributes
 dns-server value 4.2.2.2

alexus Fri, 02/15/2008 - 15:51

Seems like after specifying DNS it's able to resolve domains into IPs, yet it looks like NAT isn't working for me.

husycisco Fri, 02/15/2008 - 16:04

Please describe what you can't do and what you want to do right now, and attach your current running-config.

alexus Fri, 02/15/2008 - 16:08

I would like to be able to surf the internet while I'm VPN'd in, and, if possible, to have my users authenticate against my Windows 2003 Active Directory server (only if possible; if not, I'm OK without it), but browsing the internet is important.

Thanks in advance

alexus Fri, 02/15/2008 - 16:08

pix(config)# wr t
: Saved
:
PIX Version 7.2(2)
!
hostname pix
domain-name default.domain.invalid
enable password ********** encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 38.99.194.174 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 10
 ip address 216.112.241.29 255.255.255.248
!
passwd ********** encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network alexus
 description 24.185.136.252
 network-object host 64.237.55.82
 network-object host 24.185.136.252
 network-object host 69.10.67.16
object-group network www
 network-object host 38.96.132.42
 network-object host 38.96.132.43
 network-object host 38.96.132.44
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit ip object-group alexus any
access-list outside_access_in extended permit udp interface outside interface inside eq sip
access-list outside_access_in extended permit tcp any object-group www eq www
access-list tgn_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 172.31.255.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.31.255.240 255.255.255.240
pager lines 24
logging enable
logging asdm notifications
logging host inside 192.168.1.251
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool ipp 172.31.255.241-172.31.255.254 mask 255.255.255.240
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-pix-522.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
global (dmz) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 38.96.132.42 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 38.96.132.43 192.168.1.250 netmask 255.255.255.255
static (inside,outside) 38.96.132.44 192.168.1.234 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 38.99.194.173 1 track 1
route dmz 0.0.0.0 0.0.0.0 216.112.241.25 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server aaasg-ntd protocol nt
aaa-server aaasg-ntd host 192.168.1.234
 nt-auth-domain-controller ACIES

alexus Fri, 02/15/2008 - 16:08

group-policy tgn internal
group-policy tgn attributes
 dns-server value 192.168.1.234
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
username alexus password ********** encrypted privilege 15
http server enable
http 192.168.1.251 255.255.255.255 inside
http 24.185.136.252 255.255.255.255 outside
http 192.168.1.129 255.255.255.255 inside
http 69.10.67.16 255.255.255.255 outside
snmp-server host inside 192.168.1.251 community public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 38.99.194.173 interface outside
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
!
track 1 rtr 1 reachability
tunnel-group tgn type ipsec-ra
tunnel-group tgn general-attributes
 address-pool ipp
 default-group-policy tgn
tunnel-group tgn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh scopy enable
ssh 64.237.55.82 255.255.255.255 outside
ssh 192.168.1.251 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
!
class-map class_sip_udp
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class_sip_udp
  inspect sip
!
service-policy global_policy global
ntp server 207.46.232.182 source outside prefer
tftp-server inside 192.168.1.251 /
smtp-server 192.168.1.234
prompt hostname context
Cryptochecksum:f916a44904763c9c160e223db1a917d5
: end
[OK]
pix(config)#

husycisco Fri, 02/15/2008 - 16:24

"and if its possible to be able to have my users to authenticate against my windows 2003 active directory server"

We will handle that after we resolve the internet issue.

On the client, while the VPN is connected, issue the following commands at the command line and paste the outputs here:

nslookup www.google.com

and

tracert 64.156.132.140

and finally

route print

Make sure you get the outputs of the commands above while connected to the VPN.

alexus Fri, 02/15/2008 - 16:28

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

D:\Users\a1exus>nslookup www.google.com
Server:  UnKnown
Address:  192.168.1.234:53

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  64.233.169.104, 64.233.169.99, 64.233.169.103, 64.233.169.147
Aliases:  www.google.com

D:\Users\a1exus>tracert 64.156.132.140

Tracing route to www-level3.experts-exchange.com [64.156.132.140]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4 ^C
D:\Users\a1exus>

alexus Fri, 02/15/2008 - 16:29

D:\Users\a1exus>netstat -rn
===========================================================================
Interface List
 15 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter
  8 ...00 19 d1 e4 4b d0 ...... Intel(R) 82566DC Gigabit Platform LAN Connect
 10 ...7a 79 05 6d 5c e3 ...... Hamachi Network Interface
  1 ........................... Software Loopback Interface 1
 23 ...00 00 00 00 00 00 00 e0  isatap.{80D152C1-EF16-4DEB-A624-81201E1AA5DD}
  9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 24 ...00 00 00 00 00 00 00 e0  6TO4 Adapter
 22 ...00 00 00 00 00 00 00 e0  isatap.WRVS4400N
 29 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   172.31.255.242   172.31.255.241    266
       10.10.10.1  255.255.255.255         On-link       10.10.10.10    100
    38.99.194.174  255.255.255.255      10.10.10.1       10.10.10.10    100
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
   172.31.255.240  255.255.255.240         On-link    172.31.255.241    266
   172.31.255.241  255.255.255.255         On-link    172.31.255.241    266
   172.31.255.255  255.255.255.255         On-link    172.31.255.241    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      5.109.92.227   9256
        224.0.0.0        240.0.0.0         On-link       10.10.10.10    266
        224.0.0.0        240.0.0.0         On-link    172.31.255.241    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      5.109.92.227   9256
  255.255.255.255  255.255.255.255         On-link       10.10.10.10    266
  255.255.255.255  255.255.255.255         On-link    172.31.255.241    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0          5.0.0.1  Default
          0.0.0.0          0.0.0.0   172.31.255.242  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 24   1125 ::/0                     2002:c058:6301::c058:6301
  1    306 ::1/128                  On-link
  9     18 2001::/32                On-link
  9    266 2001:0:4137:9e66:27:325f:53e0:e/128
                                    On-link
 24   1025 2002::/16                On-link
 24    281 2002:56d:5ce3::56d:5ce3/128
                                    On-link
  8    266 fe80::/64                On-link
  9    266 fe80::/64                On-link
 22    266 fe80::5efe:10.10.10.10/128
                                    On-link
 29    266 fe80::5efe:172.31.255.241/128
                                    On-link
  9    266 fe80::27:325f:53e0:e/128 On-link
 23    281 fe80::200:5efe:5.109.92.227/128
                                    On-link
  8    266 fe80::9170:2be2:270c:d7f6/128
                                    On-link
  1    306 ff00::/8                 On-link
  9    266 ff00::/8                 On-link
  8    266 ff00::/8                 On-link
 15    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

D:\Users\a1exus>
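The route table above is what gives the diagnosis away: the client's default route (0.0.0.0/0) points out of the Cisco VPN adapter (172.31.255.241), so every packet, including web traffic, goes into the tunnel. As an added example (not from the thread), here is a small Python check that classifies a Windows IPv4 route table as full-tunnel, split-tunnel or not tunneled; the first table is constructed from alexus's paste and the second is a hypothetical split-tunnel state for comparison.

```python
import ipaddress

# Constructed from the IPv4 "Active Routes" alexus pasted while connected (rows trimmed).
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   172.31.255.242   172.31.255.241    266
       10.10.10.1  255.255.255.255         On-link       10.10.10.10    100
    38.99.194.174  255.255.255.255      10.10.10.1       10.10.10.10    100
   172.31.255.240  255.255.255.240         On-link    172.31.255.241    266
"""
# Hypothetical table for the same client once only 192.168.1.0/24 is tunneled (constructed).
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.10.10.1       10.10.10.10    100
      192.168.1.0    255.255.255.0   172.31.255.242   172.31.255.241    266
   172.31.255.240  255.255.255.240         On-link    172.31.255.241    266
"""


def parse_routes(table):
    """Yield (destination network, interface address) from a 'route print' IPv4 table body."""
    for line in table.splitlines()[1:]:  # skip the column header row
        dest, mask, _gateway, iface, _metric = line.split()
        yield ipaddress.ip_network(f"{dest}/{mask}", strict=False), ipaddress.ip_address(iface)


def tunnel_mode(table, vpn_pool):
    """Return ('full', []) when the default route leaves via the VPN adapter,
    ('split', [tunneled networks]) when only specific networks do, else ('none', [])."""
    pool = ipaddress.ip_network(vpn_pool)
    # Routes whose egress interface address is a VPN pool address go through the tunnel.
    via_vpn = [net for net, iface in parse_routes(table) if iface in pool]
    if any(net.prefixlen == 0 for net in via_vpn):
        return "full", []
    # Drop the adapter's own on-link route; what remains is the split-tunnel list.
    tunneled = [str(net) for net in via_vpn if net != pool]
    return ("split", tunneled) if tunneled else ("none", [])


if __name__ == "__main__":
    print(tunnel_mode(FULL_TUNNEL, "172.31.255.240/28"))   # ('full', [])
    print(tunnel_mode(SPLIT_TUNNEL, "172.31.255.240/28"))  # ('split', ['192.168.1.0/24'])
```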

husycisco Fri, 02/15/2008 - 16:36

You don't have the following line in your current config; please add it:

group-policy tgn attributes
 split-tunnel-network-list value tgn_splitTunnelAcl
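The three problems husycisco found across this thread (VPN pool overlapping the inside subnet, "any" in the nat 0 and split-tunnel ACLs, and a tunnelspecified policy with no network list) are all visible in the config text itself. As an added example, not from the thread or from Cisco, here is a Python linter that flags exactly those three against trimmed, constructed excerpts of the two configs alexus posted.

```python
import ipaddress
import re

# Constructed excerpts of the two configs alexus posted (trimmed to the lines the checks need).
BEFORE_CFG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list tgn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255.255.255.248
ip local pool ipp 192.168.1.129-192.168.1.134 mask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
group-policy tgn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tgn_splitTunnelAcl
"""
AFTER_CFG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list tgn_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 172.31.255.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.31.255.240 255.255.255.240
ip local pool ipp 172.31.255.241-172.31.255.254 mask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
group-policy tgn attributes
 split-tunnel-policy tunnelspecified
"""
def interface_subnets(cfg):
    """Map each nameif to the subnet configured on that interface."""
    subnets, nameif = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()
            subnets[nameif] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return subnets
def lint_vpn_config(cfg):
    """Return the three problems raised in the thread, as strings, in config order."""
    findings = []
    # 1) The VPN pool must not sit inside a firewall interface subnet.
    for pool, start, end in re.findall(r"^ip local pool (\S+) (\S+)-(\S+) mask", cfg, re.M):
        for nameif, net in interface_subnets(cfg).items():
            if ipaddress.ip_address(start) in net or ipaddress.ip_address(end) in net:
                findings.append(f"pool {pool} overlaps {nameif} subnet {net}")
    # 2) 'any' in the nat 0 (NAT-exempt) ACL or the split-tunnel ACL is too broad.
    nat0_acls = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    split_acls = set(re.findall(r"^\s*split-tunnel-network-list value (\S+)", cfg, re.M))
    for acl, body in re.findall(r"^access-list (\S+) (?:standard|extended) permit (.*)$", cfg, re.M):
        if acl in nat0_acls | split_acls and re.search(r"\bany\b", body):
            findings.append(f"ACL {acl} uses 'any'")
    # 3) tunnelspecified with no list: in the thread the client ended up with a default route in the tunnel.
    if re.search(r"^\s*split-tunnel-policy tunnelspecified", cfg, re.M) and not split_acls:
        findings.append("split-tunnel-policy tunnelspecified but no split-tunnel-network-list")
    return findings
```

Running `lint_vpn_config(BEFORE_CFG)` reports the pool overlap and both "any" ACLs; `lint_vpn_config(AFTER_CFG)` reports only the missing split-tunnel network list, which is the fix posted above.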

alexus Fri, 02/15/2008 - 16:41

That seems to do the trick :)

Thank you so much!

How about Windows authentication now?

Correct Answer
husycisco Fri, 02/15/2008 - 17:14

You are welcome, Dmitry. May I ask you to start a new conversation for Windows auth and finalize this question by rating and choosing the "resolved my issue" post?

Regards
