No translation group found for tcp src outside:

alexus
Level 1

Hi

I can't seem to figure it out. I have a VPN client and I'm able to "dial in" to my PIX 515E 7.2(2) w/ ASDM 5.2(2), yet I can't access anything on the network. I'm getting one of those famous "No translation group found for tcp src outside:192.168.1.129/49175 dst inside:192.168.1.251/65535" messages, no matter what I do...

can someone help me here please?

thanks

Accepted Solution

You are welcome dmitry. May I ask you to start a new conversation for Windows auth and finalize this question by rating+choosing the "resolved my issue" post?

Regards


19 Replies

a1exus
Level 1

someone please help me

Hi Alexus

You don't have a NAT exempt rule definition for this traffic. Please post your config and let me suggest the necessary change.

Regards

*Please do not forget to rate helpful posts and choose "accept as answer" for post which solved your issue

Regards

: Saved

:

PIX Version 7.2(2)

!

hostname pix

domain-name default.domain.invalid

enable password ********** encrypted

names

!

interface Ethernet0

speed 100

duplex full

nameif outside

security-level 0

ip address 38.99.194.174 255.255.255.248

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet2

nameif dmz

security-level 10

ip address 216.112.241.29 255.255.255.248

!

passwd ********** encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network alexus

description 24.185.136.252

network-object host 64.237.55.82

network-object host 24.185.136.252

network-object host 69.10.67.16

object-group network www

network-object host 38.96.132.42

network-object host 38.96.132.43

network-object host 38.96.132.44

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in extended permit icmp any any traceroute

access-list outside_access_in extended permit ip object-group alexus any

access-list outside_access_in extended permit udp interface outside interface inside eq sip

access-list outside_access_in extended permit tcp any object-group www eq www

access-list tgn_splitTunnelAcl standard permit any

access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255.255.255.248

pager lines 24

logging enable

logging asdm notifications

logging host inside 192.168.1.251

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip local pool ipp 192.168.1.129-192.168.1.134 mask 255.255.255.248

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-pix-522.bin

asdm history enable

arp timeout 14400

global (outside) 101 interface

global (dmz) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

static (inside,outside) 38.96.132.42 192.168.1.251 netmask 255.255.255.255

static (inside,outside) 38.96.132.43 192.168.1.250 netmask 255.255.255.255

static (inside,outside) 38.96.132.44 192.168.1.234 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 38.99.194.173 1 track 1

route dmz 0.0.0.0 0.0.0.0 216.112.241.25 254

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server aaasg-ntd protocol nt

aaa-server aaasg-ntd host 192.168.1.234

nt-auth-domain-controller ACIES

group-policy tgn internal

group-policy tgn attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value tgn_splitTunnelAcl

username alexus password ********** encrypted privilege 15

http server enable

http 192.168.1.251 255.255.255.255 inside

http 24.185.136.252 255.255.255.255 outside

http 192.168.1.129 255.255.255.255 inside

http 69.10.67.16 255.255.255.255 outside

snmp-server host inside 192.168.1.251 community public

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 1

type echo protocol ipIcmpEcho 38.99.194.173 interface outside

sla monitor schedule 1 life forever start-time now

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 1 reachability

tunnel-group tgn type ipsec-ra

tunnel-group tgn general-attributes

address-pool ipp

default-group-policy tgn

tunnel-group tgn ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh scopy enable

ssh 64.237.55.82 255.255.255.255 outside

ssh 192.168.1.251 255.255.255.255 inside

ssh timeout 5

console timeout 0

management-access inside

!

class-map class_sip_udp

match port udp eq sip

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

class class_sip_udp

inspect sip

!

service-policy global_policy global

ntp server 207.46.232.182 source outside prefer

tftp-server inside 192.168.1.251 /

smtp-server 192.168.1.234

prompt hostname context

Cryptochecksum:de5bd8bcc1ac9210e21e3bd28c779b1e

: end

[OK]

Alexus

1) Do not use a VPN pool that is covered by a firewall interface. Your VPN pool is in the same subnet as the inside interface.

2) Do not use "any" in NAT or split-tunnel ACLs. Specify the networks.

Make the following modifications:

ip local pool vpnpool 172.16.100.1-172.16.100.254 mask 255.255.255.0

no access-list tgn_splitTunnelAcl standard permit any

access-list tgn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255.255.255.248

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0

crypto isakmp nat-traversal 20

tunnel-group tgn general-attributes

no address-pool ipp

address-pool vpnpool

Recommendation: 192.168.1.0 is the network used by most out-of-the-box internet modems/routers, which will cause trouble if a PC acquires its IP address from one of them. You should change your inside interface IP range.

Regards

*Please do not forget to rate helpful posts and choose "resolved my issue" for the post that resolved your issue
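A small audit script, added here as an example and not part of the thread or of any Cisco tool, that parses the config lines this reply talks about (the inside interface, the `ip local pool`, and the ACL bound by `nat (inside) 0`) together with the syslog line quoted in the question, and reports the three things the reply checks: a pool overlapping an interface subnet, "any" in the nat0 ACL, and whether the nat0 ACL actually exempts the logged inside-host / VPN-client pair. The config fragments, the second "fixed" fragment and the 172.16.100.5 client address are constructed from the thread; the `host x` ACL form is not parsed.

```python
import ipaddress
import re

# Constructed from the thread: the inside interface, VPN pool and nat0 lines of the first config.
BROKEN_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ip local pool ipp 192.168.1.129-192.168.1.134 mask 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 192.168.1.128 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound
"""
FIXED_CONFIG = BROKEN_CONFIG.replace(  # the same fragment with the changes suggested above
    "ipp 192.168.1.129-192.168.1.134 mask 255.255.255.248", "vpnpool 172.16.100.1-172.16.100.254 mask 255.255.255.0"
).replace("any 192.168.1.128 255.255.255.248", "192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.0")
LOG = "No translation group found for tcp src outside:192.168.1.129/49175 dst inside:192.168.1.251/65535"
IFACE_RE = re.compile(r"^ nameif (\w+)\n ip address ([\d.]+) ([\d.]+)", re.M)
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$", re.M)
NAT0_RE = re.compile(r"^nat \(\w+\) 0 access-list (\S+)", re.M)
LOG_RE = re.compile(r"src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/\d+")

def _addr_spec(tokens):
    # Consume 'any' or 'addr mask' from the token list; the 'host x' form is not handled here.
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def audit(config, log):
    """Return the findings for one config fragment and one 'No translation group' log line."""
    findings = []
    ifaces = {n: ipaddress.ip_network(f"{a}/{m}", strict=False) for n, a, m in IFACE_RE.findall(config)}
    for pool, first, last in POOL_RE.findall(config):
        findings += [f"pool {pool} overlaps {n} subnet {net}" for n, net in ifaces.items()
                     if ipaddress.ip_address(first) in net or ipaddress.ip_address(last) in net]
    vpn_client, inside_host = map(ipaddress.ip_address, LOG_RE.search(log).groups())
    nat0 = NAT0_RE.search(config)
    entries = [rest for acl, rest in ACL_RE.findall(config) if nat0 and acl == nat0.group(1)]
    exempted = False
    for rest in entries:
        tokens = rest.split()
        src, dst = _addr_spec(tokens), _addr_spec(tokens)
        if src.prefixlen == 0 or dst.prefixlen == 0:
            findings.append(f"nat0 ACL {nat0.group(1)} uses 'any'; specify the networks")
        # NAT exemption is written from the inside host's view: src = inside, dst = VPN client.
        exempted = exempted or (inside_host in src and vpn_client in dst)
    if not exempted:
        findings.append(f"no nat0 entry exempts inside:{inside_host} <-> {vpn_client}")
    return findings
```

Running `audit(BROKEN_CONFIG, LOG)` reports the overlapping pool and the "any" entry; the fixed fragment with a client from the new pool reports nothing, and the same fragment without the `nat (inside) 0` binding reports the missing exemption.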

OK, now it works, but I'm not able to "surf" at the same time whenever I'm VPN'd in.

You don't have a DNS server specified for VPN clients. Do you have a DNS server or a DC with AD-integrated DNS at the main office? If you have one, then...

group-policy tgn attributes

dns-server value DNSserverIPatmainoffice

If you don't have one, then...

group-policy tgn attributes

dns-server value 4.2.2.2

It seems like after specifying DNS it's able to resolve domains into IPs, yet it looks like NAT isn't working for me.

Please describe what you can't do and what you want to do right now, and attach your current running-config.

I would like to be able to surf the internet while I'm VPN'd in, and if possible to have my users authenticate against my Windows 2003 Active Directory server (that's only if possible; if not, then I'm OK without it), but browsing the internet is important.

thanks in advance

pix(config)# wr t

: Saved

:

PIX Version 7.2(2)

!

hostname pix

domain-name default.domain.invalid

enable password ********** encrypted

names

!

interface Ethernet0

speed 100

duplex full

nameif outside

security-level 0

ip address 38.99.194.174 255.255.255.248

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet2

nameif dmz

security-level 10

ip address 216.112.241.29 255.255.255.248

!

passwd ********** encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network alexus

description 24.185.136.252

network-object host 64.237.55.82

network-object host 24.185.136.252

network-object host 69.10.67.16

object-group network www

network-object host 38.96.132.42

network-object host 38.96.132.43

network-object host 38.96.132.44

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in extended permit icmp any any traceroute

access-list outside_access_in extended permit ip object-group alexus any

access-list outside_access_in extended permit udp interface outside interface inside eq sip

access-list outside_access_in extended permit tcp any object-group www eq www

access-list tgn_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 172.31.255.240 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.31.255.240 255.255.255.240

pager lines 24

logging enable

logging asdm notifications

logging host inside 192.168.1.251

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip local pool ipp 172.31.255.241-172.31.255.254 mask 255.255.255.240

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image flash:/asdm-pix-522.bin

asdm history enable

arp timeout 14400

global (outside) 101 interface

global (dmz) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

static (inside,outside) 38.96.132.42 192.168.1.251 netmask 255.255.255.255

static (inside,outside) 38.96.132.43 192.168.1.250 netmask 255.255.255.255

static (inside,outside) 38.96.132.44 192.168.1.234 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 38.99.194.173 1 track 1

route dmz 0.0.0.0 0.0.0.0 216.112.241.25 254

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server aaasg-ntd protocol nt

aaa-server aaasg-ntd host 192.168.1.234

nt-auth-domain-controller ACIES

group-policy tgn internal

group-policy tgn attributes

dns-server value 192.168.1.234

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

username alexus password ********** encrypted privilege 15

http server enable

http 192.168.1.251 255.255.255.255 inside

http 24.185.136.252 255.255.255.255 outside

http 192.168.1.129 255.255.255.255 inside

http 69.10.67.16 255.255.255.255 outside

snmp-server host inside 192.168.1.251 community public

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 1

type echo protocol ipIcmpEcho 38.99.194.173 interface outside

sla monitor schedule 1 life forever start-time now

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

!

track 1 rtr 1 reachability

tunnel-group tgn type ipsec-ra

tunnel-group tgn general-attributes

address-pool ipp

default-group-policy tgn

tunnel-group tgn ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh scopy enable

ssh 64.237.55.82 255.255.255.255 outside

ssh 192.168.1.251 255.255.255.255 inside

ssh timeout 5

console timeout 0

management-access inside

!

class-map class_sip_udp

match port udp eq sip

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

class class_sip_udp

inspect sip

!

service-policy global_policy global

ntp server 207.46.232.182 source outside prefer

tftp-server inside 192.168.1.251 /

smtp-server 192.168.1.234

prompt hostname context

Cryptochecksum:f916a44904763c9c160e223db1a917d5

: end

[OK]

pix(config)#

"and if its possible to be able to have my users to authenticate against my windows 2003 active directory server"

We will handle that after we resolve the internet issue.

On the client, while the VPN is connected, issue the following commands at the command line and paste the outputs here:

nslookup www.google.com

and

tracert 64.156.132.140

and finally

route print

Make sure you get the outputs of the commands above while connected to the VPN.

Microsoft Windows [Version 6.0.6000]

Copyright (c) 2006 Microsoft Corporation. All rights reserved.

D:\Users\a1exus>nslookup www.google.com

Server: UnKnown

Address: 192.168.1.234:53

Non-authoritative answer:

Name: www.l.google.com

Addresses: 64.233.169.104, 64.233.169.99, 64.233.169.103, 64.233.169.147

Aliases: www.google.com

D:\Users\a1exus>tracert 64.156.132.140

Tracing route to www-level3.experts-exchange.com [64.156.132.140]

over a maximum of 30 hops:

1 * * * Request timed out.

2 * * * Request timed out.

3 * * * Request timed out.

4 ^C

D:\Users\a1exus>
