Remote VPN can't ping each other

Mar 11th, 2008

Hi, I just migrated my remote users off of the VPN Concentrator and onto the VPN. Everything works, but I just noticed that the remote VPN users can't ping each other. Did I do something wrong with my NAT statements?

nat (outside) 10 172.20.141.8 255.255.255.248

nat (outside) 10 172.20.141.16 255.255.255.248

nat (outside) 10 172.20.141.24 255.255.255.248

nat (outside) 10 172.20.141.32 255.255.255.248

nat (outside) 10 172.20.141.40 255.255.255.248

nat (outside) 10 172.20.141.48 255.255.255.248

nat (outside) 10 172.20.141.56 255.255.255.248

nat (outside) 10 172.20.141.64 255.255.255.248

nat (outside) 10 172.20.141.72 255.255.255.248

nat (outside) 10 172.20.142.0 255.255.255.248

nat (outside) 10 172.20.144.0 255.255.255.248

nat (outside) 10 172.20.146.0 255.255.255.248

nat (outside) 10 172.20.146.8 255.255.255.248


Do I need to add this statement?

nat (outside) 0 access-list inside_nat0_outbound


brettmilborrow Tue, 03/11/2008 - 17:23
If your remote networks are defined correctly in the access list inside_nat0_outbound, then you will need the following:


nat (inside) 0 access-list inside_nat0_outbound


Note that the interface specified in brackets is the interface closest to your internal network, not the remote networks as your example shows.


Also, the other nat statements you had will not work for your requirement.


Good Luck!

siskoboy2007 Tue, 03/11/2008 - 18:43
Thanks, I'll give it a try. I don't understand why nat (outside) 0 access-list inside_nat0_ won't work.

siskoboy2007 Tue, 03/11/2008 - 18:47
Brett,

I tried nat (inside) 0 access-list inside_nat0_outbound and it still didn't work.

siskoboy2007 Tue, 03/11/2008 - 20:09
Here's how access-list inside_nat0_outbound looks:

access-list inside_nat0_outbound extended permit ip any 172.20.19.64 255.255.255.192

access-list inside_nat0_outbound extended permit ip any 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 172.20.146.0 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.144.0 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.142.0 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.16 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.24 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.146.8 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.8 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.32 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.40 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.48 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.56 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.64 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.72 255.255.255.248


I applied this: nat (inside) 0 access-list inside_nat0_outbound

and it still doesn't work. From the syslog I get the following:


07:25 PM isi-950-dc-fw01 Error No translation group found for icmp src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)

07:24 PM isi-950-dc-fw01 Error No translation group found for icmp src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)

07:24 PM isi-950-dc-fw01 Error No translation group found for icmp src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)
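
As an added example (not code from the thread's posters or from Cisco), the script below parses nat-exemption ACL entries in the "access-list NAME extended permit ip SRC DST" form and a "No translation group found" syslog message like the ones above, then reports which ACL entries permit the logged source/destination pair. The ACL text is a constructed subset of the entries posted in this thread and the syslog line is the one posted above; the function names are my own. It is the check to run before assuming the exemption ACL is missing an entry, and it also surfaces the interface names the firewall logged for each end of the flow.

```python
"""Which nat-exemption ACL entries cover the flow in an ASA/PIX
'No translation group found' syslog message?

Added example for this thread; not code from Cisco or from the posters.
ACL lines are a constructed subset of the thread's ACL; the syslog line
is the one posted in the thread.
"""
import ipaddress
import re

# Constructed subset of the posted inside_nat0_outbound ACL.
ACL_TEXT = """
access-list inside_nat0_outbound extended permit ip any 172.20.19.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.20.146.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.144.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.142.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.16 255.255.255.248
"""

# Syslog line as posted in the thread.
SYSLOG_LINE = ("07:25 PM isi-950-dc-fw01 Error No translation group found for icmp "
               "src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)")

# Only the "permit ip SRC DST" shape used in the thread is handled;
# SRC and DST are either 'any' or 'address mask' (ASA dotted-mask style).
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>any|\S+\s+\S+)\s+(?P<dst>any|\S+\s+\S+)\s*$")

SYSLOG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)")


def _to_network(token):
    """'any' -> 0.0.0.0/0; 'addr mask' -> IPv4Network (dotted mask accepted)."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text):
    """Return [(acl_name, src_network, dst_network)] in configured order."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append((m["name"], _to_network(m["src"]), _to_network(m["dst"])))
    return entries


def parse_syslog(line):
    """Extract protocol, interfaces and addresses from the log message."""
    m = SYSLOG_RE.search(line)
    if not m:
        raise ValueError("not a 'No translation group found' message")
    return m.groupdict()


def matching_entries(acl_text, syslog_line):
    """Return (src_net, dst_net) strings for every ACE permitting the logged
    flow, in ACL order, so you can see whether an exemption entry exists."""
    flow = parse_syslog(syslog_line)
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    return [(str(s), str(d)) for _, s, d in parse_acl(acl_text)
            if src in s and dst in d]


if __name__ == "__main__":
    flow = parse_syslog(SYSLOG_LINE)
    print(f"flow {flow['src']} ({flow['src_if']}) -> {flow['dst']} ({flow['dst_if']})")
    for s, d in matching_entries(ACL_TEXT, SYSLOG_LINE):
        print(f"  covered by: permit ip {s} {d}")
```

Run as a script it lists, for the posted log line, every ACL entry whose source and destination networks contain 172.25.1.19 and 172.20.144.1 respectively, and prints the interface the firewall logged for each end of the flow; that pairing (the `src`/`dst` interface names in the message against the interface named in brackets on the `nat` statement) is what to compare when a `nat 0 access-list` exemption does not take effect.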

siskoboy2007 Wed, 03/12/2008 - 07:48
Thanks, here it is. Just remember, we have all of our VPN sites coming to us and we don't allow split tunneling.


nat (outside) 10 172.x.141.8 255.255.255.248

nat (outside) 10 172.x.141.16 255.255.255.248

nat (outside) 10 172.x.141.24 255.255.255.248

nat (outside) 10 172.x.141.32 255.255.255.248

nat (outside) 10 172.x.141.40 255.255.255.248

nat (outside) 10 172.x.141.48 255.255.255.248

nat (outside) 10 172.x.141.56 255.255.255.248

nat (outside) 10 172.x.141.64 255.255.255.248

nat (outside) 10 172.x.141.72 255.255.255.248

nat (outside) 10 172.x.142.0 255.255.255.248

nat (outside) 10 172.x.144.0 255.255.255.248

nat (outside) 10 172.x.146.0 255.255.255.248

nat (outside) 10 172.x.146.8 255.255.255.248

nat (outside) 10 172.x.19.0 255.255.255.0

nat (outside) 10 172.x.1.0 255.255.255.0

brettmilborrow Wed, 03/12/2008 - 08:41
Your access-list inside_nat0_outbound does not cover the destination IP you are pinging:


172.20.144.1


Try adding a new line to your access-list in order to cover that host.