02-14-2008 09:58 PM - edited 03-09-2019 08:06 PM
Hi
I can't seem to figure it out. I have the VPN client and I'm able to "dial in" to my PIX 515E 7.2(2) w/ ASDM 5.2(2), yet I can't access anything on the network. I'm getting one of these famous "No translation group found for tcp src outside:192.168.1.129/49175 dst inside:192.168.1.251/65535" messages, no matter what I do...
can someone help me here please?
thanks
02-15-2008 05:14 PM
You are welcome, dmitry. May I ask you to start a new conversation for Windows auth and finalize this question by rating and choosing the "resolved my issue" post?
Regards
02-15-2008 09:39 AM
Someone please help me.
02-15-2008 10:27 AM
Hi Alexus
You don't have a NAT exempt rule definition for this traffic. Please post your config and let me suggest the necessary change.
Regards
*Please do not forget to rate helpful posts and choose "accept as answer" for post which solved your issue
02-15-2008 02:13 PM
: Saved
:
PIX Version 7.2(2)
!
hostname pix
domain-name default.domain.invalid
enable password ********** encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 38.99.194.174 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 10
ip address 216.112.241.29 255.255.255.248
!
passwd ********** encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network alexus
description 24.185.136.252
network-object host 64.237.55.82
network-object host 24.185.136.252
network-object host 69.10.67.16
object-group network www
network-object host 38.96.132.42
network-object host 38.96.132.43
network-object host 38.96.132.44
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit ip object-group alexus any
access-list outside_access_in extended permit udp interface outside interface inside eq sip
access-list outside_access_in extended permit tcp any object-group www eq www
access-list tgn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255.255.255.248
pager lines 24
logging enable
logging asdm notifications
logging host inside 192.168.1.251
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool ipp 192.168.1.129-192.168.1.134 mask 255.255.255.248
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-pix-522.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
global (dmz) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 38.96.132.42 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 38.96.132.43 192.168.1.250 netmask 255.255.255.255
static (inside,outside) 38.96.132.44 192.168.1.234 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 38.99.194.173 1 track 1
route dmz 0.0.0.0 0.0.0.0 216.112.241.25 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server aaasg-ntd protocol nt
aaa-server aaasg-ntd host 192.168.1.234
nt-auth-domain-controller ACIES
02-15-2008 02:17 PM
group-policy tgn internal
group-policy tgn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tgn_splitTunnelAcl
username alexus password ********** encrypted privilege 15
http server enable
http 192.168.1.251 255.255.255.255 inside
http 24.185.136.252 255.255.255.255 outside
http 192.168.1.129 255.255.255.255 inside
http 69.10.67.16 255.255.255.255 outside
snmp-server host inside 192.168.1.251 community public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho 38.99.194.173 interface outside
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 1 reachability
tunnel-group tgn type ipsec-ra
tunnel-group tgn general-attributes
address-pool ipp
default-group-policy tgn
tunnel-group tgn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh scopy enable
ssh 64.237.55.82 255.255.255.255 outside
ssh 192.168.1.251 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
!
class-map class_sip_udp
match port udp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class_sip_udp
inspect sip
!
service-policy global_policy global
ntp server 207.46.232.182 source outside prefer
tftp-server inside 192.168.1.251 /
smtp-server 192.168.1.234
prompt hostname context
Cryptochecksum:de5bd8bcc1ac9210e21e3bd28c779b1e
: end
[OK]
02-15-2008 03:08 PM
Alexus
1) Do not use a VPN pool which is covered by an interface of the firewall. Your VPN pool is in the same subnet as the inside interface.
2) Do not use "any" in NAT or split-tunnel ACLs. Specify the networks.
Do the following modifications:
ip local pool vpnpool 172.16.100.1-172.16.100.254 netmask 255.255.255.0
no access-list tgn_splitTunnelAcl standard permit any
access-list tgn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0
crypto isakmp nat-traversal 20
tunnel-group tgn general-attributes
no address-pool ipp
address-pool vpnpool
Recommendation: 192.168.1.0 is the default IP range of most out-of-the-box internet modems/routers; this will cause trouble if a PC acquires an IP address from one of them. You should change your inside interface's IP range.
Regards
*Please do not forget to rate helpful posts and choose "resolved my issue" for the post that resolved your issue
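The two rules in the post above (no VPN pool overlapping an interface subnet; no "any" in the NAT-exempt or split-tunnel ACLs) can be checked mechanically against a running-config. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses only the handful of PIX/ASA 7.x keywords it needs and reports the pitfalls discussed here. It also flags the state visible in the second running-config posted later in the thread, where group-policy tgn still has split-tunnel-policy tunnelspecified but no split-tunnel-network-list line. The BEFORE and AFTER strings are constructed from the configs posted in this thread, trimmed to the lines the checker reads; the parser is not a general config parser.

```python
"""Audit a PIX/ASA 7.x running-config for the remote-access VPN pitfalls raised in this
thread.  Added example, not code from the original posts or from Cisco.  Checks: the VPN
pool overlaps an interface subnet; the nat 0 ACL does not cover the pool; tunnelspecified
without a network list; "any" in the NAT-exempt or split-tunnel ACL."""
import ipaddress
import re


def _addr_spec(tok, i):
    """Parse one ACL address spec at tok[i]; return (network or None, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] in ("host", "interface", "object-group"):  # only host resolves to a network here
        return (ipaddress.ip_network(tok[i + 1]) if tok[i] == "host" else None), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect interfaces, pools, ACLs, nat 0 references and group-policy split settings."""
    cfg = {"ifaces": {}, "pools": {}, "acls": {}, "nat0": [], "gps": {}}
    iface = gp = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            iface, gp = m.group(1), None
        elif (m := re.match(r"nameif (\S+)", line)) and iface:
            cfg["ifaces"].setdefault(iface, {})["name"] = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and iface:
            cfg["ifaces"].setdefault(iface, {})["net"] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"access-list (\S+) (extended |standard )?permit (.*)", line):
            kind = (m.group(2) or "extended").strip()
            cfg["acls"].setdefault(m.group(1), []).append((kind, m.group(3).split()))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nat0"].append(m.group(1))
        elif m := re.match(r"group-policy (\S+) attributes", line):
            cfg["gps"].setdefault((gp := m.group(1)), {})
        elif gp and (m := re.match(r"split-tunnel-(policy|network-list value) (\S+)", line)):
            cfg["gps"][gp][m.group(1).split()[0]] = m.group(2)
        elif line == "!" or line.startswith(("username", "tunnel-group")):
            iface = gp = None
    return cfg


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    for pool, (first, last) in cfg["pools"].items():
        for data in cfg["ifaces"].values():
            net = data.get("net")
            if net and (first in net or last in net):
                findings.append(f"pool {pool} {first}-{last} overlaps {data['name']} {net}")
        for acl in cfg["nat0"]:  # NAT exemption must cover inside -> pool traffic
            covered = False
            for kind, tok in cfg["acls"].get(acl, []):
                if kind == "extended":
                    src, i = _addr_spec(tok, 1)  # tok[0] is the protocol
                    dst, _ = _addr_spec(tok, i)
                    covered |= src is not None and dst is not None and first in dst and last in dst
            if not covered:
                findings.append(f"nat 0 ACL {acl} has no ACE whose destination covers pool {pool}")
    for name, g in cfg["gps"].items():
        if g.get("policy") == "tunnelspecified" and "network-list" not in g:
            findings.append(f"group-policy {name}: tunnelspecified but no split-tunnel-network-list")
    watched = set(cfg["nat0"]) | {g["network-list"] for g in cfg["gps"].values() if "network-list" in g}
    for acl in sorted(watched):
        if any("any" in tok for _, tok in cfg["acls"].get(acl, [])):
            findings.append(f"ACL {acl} uses 'any'")
    return findings


# Constructed from the two running-configs posted in the thread, trimmed to the relevant lines.
IFACES = """\
interface Ethernet0
 nameif outside
 ip address 38.99.194.174 255.255.255.248
!
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
"""
BEFORE = IFACES + """\
access-list tgn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255.255.255.248
ip local pool ipp 192.168.1.129-192.168.1.134 mask 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
group-policy tgn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tgn_splitTunnelAcl
"""
AFTER = IFACES + """\
access-list tgn_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 172.31.255.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.31.255.240 255.255.255.240
ip local pool ipp 172.31.255.241-172.31.255.254 mask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
group-policy tgn attributes
 split-tunnel-policy tunnelspecified
"""
if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "no findings")
```

Run directly, it reports three findings for the first config (pool overlap, "any" in both ACLs) and one for the second (tunnelspecified with no network list). The checker does not cover the other way of giving VPN clients internet access that the later posts circle around: if client traffic for the internet is sent through the tunnel rather than split off, the decrypted packets leave again through the outside interface, and in 7.x that hairpinned traffic needs its own dynamic NAT entry for the pool (a nat (outside) rule paired with global (outside) interface) in addition to the same-security-traffic permit intra-interface already present in the posted config.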
02-15-2008 03:35 PM
OK, now it works, but I'm not able to "surf" at the same time whenever I'm VPN'd in.
02-15-2008 03:47 PM
You don't have a DNS server specified for VPN clients. Do you have a DNS server or a DC with AD-integrated DNS at the main office? If you have, then...
group-policy tgn attributes
dns-server value DNSserverIPatmainoffice
If you don't have one, then...
group-policy tgn attributes
dns-server value 4.2.2.2
02-15-2008 03:51 PM
Seems like after specifying DNS it's able to resolve domains into IPs, yet it looks like NAT isn't working for me.
02-15-2008 04:04 PM
Please describe what you can't do and what you want to do right now, and attach your current running-config.
02-15-2008 04:08 PM
I would like to be able to surf the internet while I'm VPN'd in, and, if it's possible, to have my users authenticate against my Windows 2003 Active Directory server (that's only if possible; if not, then I'm OK without it), but browsing the internet is important.
thanks in advance
02-15-2008 04:08 PM
pix(config)# wr t
: Saved
:
PIX Version 7.2(2)
!
hostname pix
domain-name default.domain.invalid
enable password ********** encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 38.99.194.174 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 10
ip address 216.112.241.29 255.255.255.248
!
passwd ********** encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network alexus
description 24.185.136.252
network-object host 64.237.55.82
network-object host 24.185.136.252
network-object host 69.10.67.16
object-group network www
network-object host 38.96.132.42
network-object host 38.96.132.43
network-object host 38.96.132.44
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit ip object-group alexus any
access-list outside_access_in extended permit udp interface outside interface inside eq sip
access-list outside_access_in extended permit tcp any object-group www eq www
access-list tgn_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 172.31.255.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.31.255.240 255.255.255.240
pager lines 24
logging enable
logging asdm notifications
logging host inside 192.168.1.251
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool ipp 172.31.255.241-172.31.255.254 mask 255.255.255.240
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-pix-522.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
global (dmz) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 38.96.132.42 192.168.1.251 netmask 255.255.255.255
static (inside,outside) 38.96.132.43 192.168.1.250 netmask 255.255.255.255
static (inside,outside) 38.96.132.44 192.168.1.234 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 38.99.194.173 1 track 1
route dmz 0.0.0.0 0.0.0.0 216.112.241.25 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server aaasg-ntd protocol nt
aaa-server aaasg-ntd host 192.168.1.234
nt-auth-domain-controller ACIES
02-15-2008 04:08 PM
group-policy tgn internal
group-policy tgn attributes
dns-server value 192.168.1.234
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
username alexus password ********** encrypted privilege 15
http server enable
http 192.168.1.251 255.255.255.255 inside
http 24.185.136.252 255.255.255.255 outside
http 192.168.1.129 255.255.255.255 inside
http 69.10.67.16 255.255.255.255 outside
snmp-server host inside 192.168.1.251 community public
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho 38.99.194.173 interface outside
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
!
track 1 rtr 1 reachability
tunnel-group tgn type ipsec-ra
tunnel-group tgn general-attributes
address-pool ipp
default-group-policy tgn
tunnel-group tgn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh scopy enable
ssh 64.237.55.82 255.255.255.255 outside
ssh 192.168.1.251 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
!
class-map class_sip_udp
match port udp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class_sip_udp
inspect sip
!
service-policy global_policy global
ntp server 207.46.232.182 source outside prefer
tftp-server inside 192.168.1.251 /
smtp-server 192.168.1.234
prompt hostname context
Cryptochecksum:f916a44904763c9c160e223db1a917d5
: end
[OK]
pix(config)#
02-15-2008 04:24 PM
"and if its possible to be able to have my users to authenticate against my windows 2003 active directory server"
We will handle it after we resolve the internet issue.
On the client, while connected to the VPN, issue the following commands at the command line and paste the outputs here:
nslookup
and
tracert 64.156.132.140
and finally
route print
Make sure you get the outputs of the commands above while connected to the VPN.
02-15-2008 04:28 PM
Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
D:\Users\a1exus>nslookup www.google.com
Server: UnKnown
Address: 192.168.1.234:53
Non-authoritative answer:
Name: www.l.google.com
Addresses: 64.233.169.104, 64.233.169.99, 64.233.169.103, 64.233.169.147
Aliases: www.google.com
D:\Users\a1exus>tracert 64.156.132.140
Tracing route to www-level3.experts-exchange.com [64.156.132.140]
over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 ^C
D:\Users\a1exus>