Urgent help required on Remote VPN issue

Answered Question
Jun 2nd, 2008

Hi

I am configuring Remote VPN on an ASA running ASA Version 8.0(3), and it's giving an error:

[ERROR] access-list NoNAT line 2 extended permit ip 0.0.0.0 0.0.0.0 192.168.150.0 255.255.255.240

Unable to download NAT policy for ACE

I am able to log in and get an IP from the pool through the Remote VPN Client, but I am unable to reach any network device.

Rgds

Correct Answer by Fernando_Meza about 8 years 7 months ago

Hi,

I have heard of that issue before. Try removing and adding the nat0 translation again:

no nat (inside) 0 access-list NoNAT

nat (inside) 0 access-list NoNAT

Then you might need to clear the translation table by typing clear xlate (this will drop all connections momentarily).

You might need to upgrade the image in order to get this completely fixed. There was a bug, CSCsl46310 "ASA error: Unable to download NAT policy for ACE with nat 0 ACL", which was resolved in newer versions:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsl46310

I hope it helps. Please rate helpful posts!!!

asfar.zaidi Mon, 06/02/2008 - 03:46

Config is as follows:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.252
dns server-group DefaultDNS
 name-server 80.227.2.2
 name-server 80.227.2.3
object-group network Dubai-Subnets
 description Dubai subnets to be accessed via VPN
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.50.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
object-group network Q8-LAN
 description Kuwait Subnet to be accessed via VPN
 network-object 172.16.16.0 255.255.255.0
 network-object 192.168.110.0 255.255.255.0
 network-object 192.168.120.0 255.255.255.0
access-list NoNAT extended permit ip object-group Dubai-Subnets object-group Q8-LAN
access-list NoNAT extended permit ip any 192.168.150.0 255.255.255.240
access-list VPN-2-q8 extended permit ip object-group Dubai-Subnets object-group Q8-LAN
access-list Outside_access_in extended permit icmp any any
access-list AdminGrp_splitTunnelAcl standard permit any
access-list AdminGrp_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RVPNPool 192.168.150.1-192.168.150.14 mask 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 91.74.105.161 1
route inside 192.168.20.0 255.255.255.0 192.168.10.1 1
route inside 192.168.30.0 255.255.255.0 192.168.10.1 1
route inside 192.168.40.0 255.255.255.0 192.168.10.1 1
route inside 192.168.50.0 255.255.255.0 192.168.10.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address VPN-2-q8
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer y.y.y.y
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
management-access inside
group-policy AdminGrp internal
group-policy AdminGrp attributes
 dns-server value 192.168.20.111
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AdminGrp_splitTunnelAcl_1
username rami password xxx encrypted privilege 0
username rami attributes
 vpn-group-policy AdminGrp
username admin password xxx encrypted privilege 15
tunnel-group AdminGrp type remote-access
tunnel-group AdminGrp general-attributes
 address-pool RVPNPool
 default-group-policy AdminGrp
tunnel-group AdminGrp ipsec-attributes
 pre-shared-key *
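As an added check (my own Python, not code from the thread or from Cisco), the script below parses the NAT-exemption pieces of the posted config and reports, for each subnet routed to the inside interface, whether a nat 0 ACE exempts traffic to the VPN pool, and how many nat 0 ACEs use an "any" source, which is the ACE the error message above cites. SAMPLE is a constructed, trimmed excerpt of the thread's config; expand, parse_config and check_nat0 are names I chose.

```python
import ipaddress
import re

# Constructed, trimmed excerpt of the thread's ASA config: only the NAT-exemption pieces.
SAMPLE = """\
object-group network Dubai-Subnets
 network-object 192.168.20.0 255.255.255.0
object-group network Q8-LAN
 network-object 172.16.16.0 255.255.255.0
access-list NoNAT extended permit ip object-group Dubai-Subnets object-group Q8-LAN
access-list NoNAT extended permit ip any 192.168.150.0 255.255.255.240
ip local pool RVPNPool 192.168.150.1-192.168.150.14 mask 255.255.255.240
nat (inside) 0 access-list NoNAT
route inside 192.168.20.0 255.255.255.0 192.168.10.1 1
route inside 192.168.30.0 255.255.255.0 192.168.10.1 1
"""
OP = r"(any|object-group \S+|\S+ \S+)"  # one ACE operand: any | object-group NAME | ADDR MASK
def expand(op, groups):
    """Turn one ACE operand into a list of ip_network objects."""
    if op == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if op.startswith("object-group "):
        return groups[op.split()[1]]
    return [ipaddress.ip_network(op.replace(" ", "/"))]

def parse_config(text):
    """Collect object-groups, 'permit ip' ACEs, VPN pools, nat 0 bindings and inside routes."""
    groups, acls, pools, nat0, routes, cur = {}, {}, {}, {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"object-group network (\S+)", line):
            cur = groups.setdefault(m[1], [])
        elif m := re.match(r"network-object (\S+) (\S+)", line):
            cur.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(rf"access-list (\S+) extended permit ip {OP} {OP}$", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)", line):
            pools[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m[1]] = m[2]  # interface -> NAT-exemption ACL name
        elif m := re.match(r"route inside (\S+) (\S+)", line):
            routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
    return groups, acls, pools, nat0, routes

def check_nat0(text):
    """Return ({(pool, inside subnet): exempted by nat 0?}, count of nat 0 ACEs with source 'any')."""
    groups, acls, pools, nat0, routes = parse_config(text)
    aces = [(expand(s, groups), expand(d, groups)) for s, d in acls.get(nat0.get("inside"), [])]
    report = {(p, str(n)): any(any(n.subnet_of(s) for s in src) and any(pool.subnet_of(d) for d in dst)
                               for src, dst in aces) for p, pool in pools.items() for n in routes}
    return report, sum(src[0].prefixlen == 0 for src, _ in aces)
```

On the posted config the exemption is logically complete for every inside subnet (all entries True) and exactly one nat 0 ACE carries an "any" source, so the failure is not a missing ACE but the one the ASA could not install.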

asfar.zaidi Mon, 06/02/2008 - 04:00

Hi, can anyone respond, as I need to make it work on a priority basis?

Thanks

asfar.zaidi Mon, 06/02/2008 - 04:15

OK, now I can ping all the servers which have static IPs, but not the PCs which have DHCP-assigned IPs.
