No translation group found error on site to site VPN.

Answered Question
Mar 12th, 2008

Hi,

I wondered if anyone could help me. I have basically a site to site VPN (between an ASA 5505 and a PIX 501).

The tunnel is up and seems to be working but they can't access any resources on our side.

I'm getting the following error:

Syslog ID: 305005

Source IP: 172.x.x.x (Internal IP)

Error:

No translation group found for icmp src 10.20.x.x (their IP) dst inside 172.x.x.x (type 8, code 0)

Any ideas on how to fix this?

Thanks.

M.

brettmilborrow Wed, 03/12/2008 - 13:17

Can you post a copy of your nat, global and static statements, and if any of these reference ACLs, then please post those too.

Maccatron Thu, 03/13/2008 - 00:59

Will my sh run do?

: Saved
:
ASA Version 7.2(2)
!
hostname ASA
domain-name bah.co.uk
enable password xxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.5.254 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 82.x.x.x 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name bah.co.uk
access-list outside_20_cryptomap extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.16.0.0 255.255.0.0 inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 82.x.x.x
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username Admin password T7lnvpxyyj6WAzfD encrypted privilege 15
http server enable
http 172.16.0.0 255.255.0.0 inside
snmp-server location Mars
snmp-server contact Mr Spoon
snmp-server community Bah
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 62.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 62.x.x.x type ipsec-l2l
tunnel-group 62.x.x.x ipsec-attributes
 pre-shared-key *
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

Any ideas?

M.

Correct Answer
acomiskey Thu, 03/13/2008 - 07:11

Your nat exemption should be...

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0

nat (inside) 0 access-list inside_nat0_outbound

Also get rid of...

no nat (outside) 0 access-list outside_nat0_outbound

no access-list outside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
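The fix above moves the NAT exemption from nat (outside) 0 to nat (inside) 0: on ASA 7.x the exemption ACL must be bound to the interface the local (protected) subnet sits behind, otherwise inbound VPN traffic finds no xlate under nat-control and logs 305005, while outbound traffic falls through to the dynamic nat (inside) 1 rule. The Python below is an added example, not code from this thread or from Cisco: it parses the NAT-relevant lines of a show run, works out which interface each crypto-map local subnet belongs to, and flags a nat 0 exemption that is bound elsewhere or missing. The two embedded configs are constructed, shortened versions of the one posted above; 203.0.113.2 is a placeholder for the masked public address 82.x.x.x.

```python
"""Lint an ASA 7.x-style running config for the nat 0 (NAT exemption) mistake
in this thread: the exemption ACL bound to the wrong interface, or missing.
Added example, not from the thread or from Cisco; configs are constructed and
203.0.113.2 stands in for the masked public address 82.x.x.x."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse_addr(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one ACL address spec (any | host A | A MASK); return it and the leftovers."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text: str):
    """Collect interface subnets, ACL entries, nat 0 bindings and crypto-map ACL names."""
    ifaces: Dict[str, Net] = {}                  # nameif -> connected subnet
    acls: Dict[str, List[Tuple[Net, Net]]] = {}  # ACL name -> [(src, dst), ...]
    nat0: Dict[str, str] = {}                    # interface -> exemption ACL name
    crypto_acls: List[str] = []
    nameif: Optional[str] = None
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if line.startswith("interface "):
            nameif = None                        # entering a new interface block
        elif line.startswith("nameif "):
            nameif = parts[1]
        elif line.startswith("ip address ") and nameif and len(parts) >= 4:
            ifaces[nameif] = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        elif m := ACL_RE.match(line):
            src, rest = parse_addr(m.group(3).split())
            dst, _ = parse_addr(rest)            # any port qualifiers are ignored
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(1))
    return ifaces, acls, nat0, crypto_acls


def check_nat_exemption(text: str) -> List[str]:
    """One finding per crypto-map entry whose traffic is not exempted on its own interface."""
    ifaces, acls, nat0, crypto_acls = parse_config(text)
    findings: List[str] = []
    for cname in crypto_acls:
        for local, remote in acls.get(cname, []):
            # Interface whose connected subnet contains the local (protected) network.
            local_if = next((n for n, sub in ifaces.items() if local.subnet_of(sub)), None)
            if local_if is None:
                findings.append(f"{cname}: local network {local} is not behind any interface")
                continue
            # Interfaces whose nat 0 ACL has an entry covering this local -> remote flow.
            bound_on = [iface for iface, aname in nat0.items()
                        if any(local.subnet_of(s) and remote.subnet_of(d)
                               for s, d in acls.get(aname, []))]
            if local_if in bound_on:
                continue                         # exemption is where it belongs
            flow = f"{cname}: exemption for {local} -> {remote}"
            if bound_on:
                findings.append(f"{flow} is bound on {', '.join(bound_on)} but the local network "
                                f"sits on {local_if}; use 'nat ({local_if}) 0 access-list <acl>'")
            else:
                findings.append(f"{flow} is missing on {local_if}; inbound VPN traffic will log "
                                f"305005 (No translation group found) under nat-control")
    return findings


# Constructed: the NAT-relevant lines of the posted config, exemption still on 'outside'.
BROKEN_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 172.16.5.254 255.255.0.0
!
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.240
access-list outside_20_cryptomap extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat-control
nat (inside) 1 172.16.0.0 255.255.0.0
nat (outside) 0 access-list outside_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap
"""

# The same config after applying the fix from the answer (nat line first, then the ACL rename).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "nat (outside) 0 access-list outside_nat0_outbound",
    "nat (inside) 0 access-list inside_nat0_outbound",
).replace("access-list outside_nat0_outbound", "access-list inside_nat0_outbound")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_nat_exemption(cfg) or ["ok"])
```

Run as-is it reports one finding for the broken config and nothing for the fixed one. The check is deliberately per crypto-map entry rather than per ACL name, so a correctly named ACL that is bound to the wrong interface, or an exemption that covers only part of the crypto ACL, is still caught.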

Maccatron Thu, 03/13/2008 - 08:32

Thanks for that. It certainly helped. The only problem I have now is that they cannot access any resources.

When I traced the packet it said that it was not allowed due to ipsec spoof.

Any ideas?

M.

Maccatron Fri, 03/14/2008 - 01:34

Actually, for some reason something I've changed now allows ICMP to function; however, I still can't SSH. Log below:

ASA# packet-tracer input outside tcp 10.20.15.73 ssh 172.16.4.60 ssh

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 10.20.15.73 host 172.16.4.60
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
  match ip inside 172.16.0.0 255.255.0.0 outside any
    dynamic translation to pool 1 (82.x.x.x [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
  match ip inside 172.16.0.0 255.255.0.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
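The way to read a trace like the one above is to find the first phase whose Result is DROP and pair it with the Drop-reason in the closing Result block; the Config lines of the NAT phases also show which nat statements were actually evaluated (here the exemption is now on inside, still under the old outside_nat0_outbound name). The Python below is an added example, not code from this thread or from Cisco, that does exactly that over packet-tracer text. SAMPLE is a constructed, shortened copy of the trace posted above (phases 3, 7 and 10 kept); 203.0.113.2 stands in for the masked PAT address 82.x.x.x.

```python
"""Triage ASA packet-tracer output: find the phase that dropped the packet.
Added example, not from the thread or from Cisco. SAMPLE is a constructed,
shortened copy of the trace posted above; 203.0.113.2 stands in for 82.x.x.x."""
import re
from typing import Dict, List, Optional, Tuple

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")

SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 10.20.15.73 host 172.16.4.60
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
  match ip inside 172.16.0.0 255.255.0.0 outside any
    dynamic translation to pool 1 (203.0.113.2 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text: str) -> Tuple[List[dict], Dict[str, str]]:
    """Split the trace into per-phase records plus the fields of the final Result block."""
    phases: List[dict] = []
    summary: Dict[str, str] = {}
    current: Optional[dict] = None
    section: Optional[str] = None       # which list of the phase free text goes to
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PHASE_RE.match(line):
            current = {"phase": int(m.group(1)), "Config": [], "Additional Information": []}
            phases.append(current)
            section = None
        elif line == "Result:":          # a bare 'Result:' opens the final summary block
            in_summary, current = True, None
        elif m := FIELD_RE.match(line):
            key, value = m.groups()
            target = summary if in_summary else current
            if target is not None:
                target[key] = value
            section = None
        elif line in ("Config:", "Additional Information:"):
            section = line[:-1]
        elif current is not None and section is not None:
            current[section].append(line)
    return phases, summary


def first_drop(phases: List[dict]) -> Optional[dict]:
    """First phase whose Result is DROP; None when every phase allowed the packet."""
    return next((p for p in phases if p.get("Result") == "DROP"), None)


def nat_rules_seen(phases: List[dict]) -> List[str]:
    """nat/static statements the NAT phases report evaluating, in order, de-duplicated."""
    seen: List[str] = []
    for p in phases:
        if p.get("Type") == "NAT":
            for rule in p["Config"]:
                if rule.startswith(("nat ", "static ")) and rule not in seen:
                    seen.append(rule)
    return seen


def triage(text: str) -> str:
    """One-line verdict: the phase that dropped the packet and the ASA's stated reason."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return "allowed: no dropping phase"
    where = f"{drop.get('Type', '?')}/{drop.get('Subtype') or '-'}"
    return f"dropped at phase {drop['phase']} ({where}): {summary.get('Drop-reason', 'no reason given')}"


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(nat_rules_seen(parse_packet_tracer(SAMPLE)[0]))
```

On the sample this prints "dropped at phase 10 (VPN/encrypt): (acl-drop) Flow is denied by configured rule" followed by the two nat statements. Parsing the phases rather than grepping for "DROP" matters because the Config and Additional Information sections can themselves contain the words Result or Type, so the parser only treats a line as a field when it is not inside one of those sections' free text.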

Maccatron Sat, 03/15/2008 - 01:32

I also found out that if I changed the tunnel to "do not protect", then when I did the packet tracing it seemed to work (obviously also adding in an ACL to allow the packet).

I'll try this on Monday when I have access to both sites.

M.
