03-11-2008 03:46 PM - edited 02-21-2020 03:37 PM
Hi, I just migrated my remote users off of the VPN Concentrator and onto the VPN. Everything works, but I just noticed that the remote VPN users can't ping each other. Did I do something wrong with my NAT statements?
nat (outside) 10 172.20.141.8 255.255.255.248
nat (outside) 10 172.20.141.16 255.255.255.248
nat (outside) 10 172.20.141.24 255.255.255.248
nat (outside) 10 172.20.141.32 255.255.255.248
nat (outside) 10 172.20.141.40 255.255.255.248
nat (outside) 10 172.20.141.48 255.255.255.248
nat (outside) 10 172.20.141.56 255.255.255.248
nat (outside) 10 172.20.141.64 255.255.255.248
nat (outside) 10 172.20.141.72 255.255.255.248
nat (outside) 10 172.20.142.0 255.255.255.248
nat (outside) 10 172.20.144.0 255.255.255.248
nat (outside) 10 172.20.146.0 255.255.255.248
nat (outside) 10 172.20.146.8 255.255.255.248
do I need to add this statement?
nat (outside) 0 access-list inside_nat0_outbound
03-11-2008 05:23 PM
If your remote networks are defined correctly in the access list inside_nat0_outbound, then you will need the following:
nat (inside) 0 access-list inside_nat0_outbound
Note the interface specified in brackets is the interface closest to your internal network and not the remote networks as your example shows.
Also, the other nat statements you had will not work in your requirement.
Good Luck!
03-11-2008 06:43 PM
Thanks I'll give it a try. I don't understand why nat (outside) 0 access-list inside_nat0_ won't work.
03-11-2008 06:47 PM
Brett,
I tried nat (inside) 0 access-list inside_nat0_outbound and it still didn't work.
03-11-2008 08:09 PM
Here's how access-list inside_nat0_outbound looks like:
access-list inside_nat0_outbound extended permit ip any 172.20.19.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.20.146.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.144.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.142.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.16 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.24 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.146.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.32 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.40 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.48 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.56 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.64 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.72 255.255.255.248
I applied this: nat (inside) 0 access-list inside_nat0_outbound
and it still doesn't work. From the syslog I get the following:
07:25 PM isi-950-dc-fw01 Error No translation group found for icmp src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)
07:24 PM isi-950-dc-fw01 Error No translation group found for icmp src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)
07:24 PM isi-950-dc-fw01 Error No translation group found for icmp src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)
03-12-2008 01:10 AM
Can you post a sanitized copy of your config?
Thanks
03-12-2008 07:48 AM
Thanks, here it is. Just remember, we have all of our VPN sites coming to us and we don't allow split tunneling.
nat (outside) 10 172.x.141.8 255.255.255.248
nat (outside) 10 172.x.141.16 255.255.255.248
nat (outside) 10 172.x.141.24 255.255.255.248
nat (outside) 10 172.x.141.32 255.255.255.248
nat (outside) 10 172.x.141.40 255.255.255.248
nat (outside) 10 172.x.141.48 255.255.255.248
nat (outside) 10 172.x.141.56 255.255.255.248
nat (outside) 10 172.x.141.64 255.255.255.248
nat (outside) 10 172.x.141.72 255.255.255.248
nat (outside) 10 172.x.142.0 255.255.255.248
nat (outside) 10 172.x.144.0 255.255.255.248
nat (outside) 10 172.x.146.0 255.255.255.248
nat (outside) 10 172.x.146.8 255.255.255.248
nat (outside) 10 172.x.19.0 255.255.255.0
nat (outside) 10 172.x.1.0 255.255.255.0
03-12-2008 08:41 AM
Your access-list inside_nat0_outbound does not cover the destination IP you are pinging:
172.20.144.1
try adding a new line to your access-list in order to cover that host.
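Before adding ACL lines, the check a practitioner would run against the syslog message posted earlier in this thread is: does the existing inside_nat0_outbound ACL already match the flow, and on which interface does the packet arrive and leave? The script below is an added example, not code from the thread or from Cisco; it parses the ACL exactly as quoted above (with the two "access list" typos corrected to "access-list") and the "No translation group found" line, using Python's standard ipaddress module. It encodes one ASA behaviour that the thread's replies do not spell out: on pre-8.3 ASA code, a nat (interface) 0 access-list exemption is only consulted for packets that arrive on that interface. The syslog line shows src outside and dst outside, so the ICMP packet is a hairpin that enters and exits the outside interface and a nat (inside) 0 rule is never evaluated for it, however well its ACL matches. The function names, the hairpin field name and the constructed sample input are this example's own.

```python
import ipaddress
import re

# Constructed copy of the access-list posted in the thread (typos fixed to "access-list").
ACL_LINES = """
access-list inside_nat0_outbound extended permit ip any 172.20.19.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.20.146.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.144.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.142.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.16 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.24 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.146.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.8 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.32 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.40 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.48 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.56 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.64 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.141.72 255.255.255.248
"""

# Constructed copy of one syslog line posted in the thread.
SYSLOG_LINE = ("07:25 PM isi-950-dc-fw01 Error No translation group found for icmp "
               "src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)")

SYSLOG_RE = re.compile(
    r"No translation group found for (\S+) src (\w+):(\d+\.\d+\.\d+\.\d+) "
    r"dst (\w+):(\d+\.\d+\.\d+\.\d+)")


def _parse_operand(tokens, i):
    """Consume one ASA address operand (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs use a normal subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return (name, action, proto, src_net, dst_net) tuples in ACL order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        name, action, proto = tokens[1], tokens[3], tokens[4]
        src, i = _parse_operand(tokens, 5)
        dst, _ = _parse_operand(tokens, i)
        aces.append((name, action, proto, src, dst))
    return aces


def parse_no_xlate(line):
    """Extract protocol, ingress/egress interface and addresses from the syslog line."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    proto, in_if, src, out_if, dst = m.groups()
    return {"proto": proto, "in_if": in_if, "src": ipaddress.ip_address(src),
            "out_if": out_if, "dst": ipaddress.ip_address(dst)}


def matching_aces(aces, src, dst, proto):
    """Permit entries whose source/destination networks contain the flow."""
    return [ace for ace in aces
            if ace[1] == "permit" and ace[2] in ("ip", proto)
            and src in ace[3] and dst in ace[4]]


def diagnose(acl_text, syslog_line, nat0_interface):
    """Explain one 'No translation group found' event.

    nat0_interface is the interface named in 'nat (<if>) 0 access-list ...'.
    NAT exemption is evaluated per ingress interface, so a rule bound to
    'inside' is never consulted for an outside->outside hairpin, even when
    the ACL itself would match the flow.
    """
    evt = parse_no_xlate(syslog_line)
    hits = matching_aces(parse_acl(acl_text), evt["src"], evt["dst"], evt["proto"])
    return {
        "hairpin": evt["in_if"] == evt["out_if"],
        "acl_covers_flow": bool(hits),
        "matching_ace": hits[0] if hits else None,
        "exemption_applies": bool(hits) and nat0_interface == evt["in_if"],
    }


if __name__ == "__main__":
    for iface in ("inside", "outside"):
        print(iface, diagnose(ACL_LINES, SYSLOG_LINE, iface))
```

Run as posted, the ACL does cover 172.25.1.19 -> 172.20.144.1 (the fourth entry, 172.20.144.0/29, matches), the flow is a hairpin, and the exemption only applies when it is bound to the interface the packet arrives on. For VPN-client-to-VPN-client traffic that means a nat (outside) 0 access-list whose entries permit the pools to reach each other, and the ASA must also be allowed to send traffic back out the interface it came in on with same-security-traffic permit intra-interface; neither is in the configuration quoted in this thread.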