VPN ip flow in only one direction

Answered Question
Jul 3rd, 2008

Hi,

I have a Site-to-Site VPN that works fine in one direction, remote to center, i.e. it goes up, using VNC to connect from remote to central or vice versa works, on the reverse side (central to remote) it doesn't and ping doesn't in both ways.

IMHO, there should be something missing on the central site, because if I ping from central LAN to remote LAN, or vice versa, the central ASA says:

No translation group found for icmp src inside:IP_ON_CENTRAL_LAN dst inside:IP_ON_REMOTE_LAN (type 8, code 0)

Remote is on nat0, i.e. I have

access-list inside_nat0_outbound extended permit ip LocalLAN 255.255.255.0 RemoteLAN 255.255.255.0

access-list inside_nat0_outbound extended permit icmp LocalLAN 255.255.255.0 RemoteLAN 255.255.255.0

access-list outside_1_cryptomap extended permit ip LocalLAN 255.255.255.0 RemoteLAN 255.255.255.0

access-list outside_1_cryptomap extended permit icmp LocalLAN 255.255.255.0 RemoteLAN 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound outside

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer REMOTE_PUBLIC_IP

On the remote (a PIX 501), I have:

access-list inside_outbound_nat0_acl permit ip LanRemote 255.255.255.0 LanCentral 255.255.255.0

access-list inside_outbound_nat0_acl permit icmp LanRemote 255.255.255.0 LanCentral 255.255.255.0

access-list outside_cryptomap_20 permit ip LanRemote 255.255.255.0 LanCentral 255.255.255.0

access-list outside_cryptomap_20 permit icmp LanRemote 255.255.255.0 LanCentral 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer CENTRAL_PUBLIC_IP

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

What am I doing wrong?

Thanks

Correct Answer
a.alekseev Thu, 07/03/2008 - 11:37

No translation group found for icmp src inside:IP_ON_CENTRAL_LAN dst inside:IP_ON_REMOTE_LAN (type 8, code 0)

something is wrong with routing on central

sandman42 Fri, 07/04/2008 - 01:28

What's wrong is that I'm a chump!!!!

I forgot to include a reverse route command, i.e. before it was

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer REMOTE_PUBLIC_IP

crypto map outside_map 1 set transform-set ESP-3DES-MD5

now it's

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer REMOTE_PUBLIC_IP

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 1 set reverse-route

I know it's obvious for you, but I've replied just to help somebody else not forget this one.

Thanks for your collaboration
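
The diagnosis in this thread rests on one detail of the log line: source and destination are both on the `inside` interface, so the central ASA was looking for the remote LAN behind the wrong interface, which is what the missing reverse-route caused. The following is an added example, not code from the thread's participants: a small Python triage script that applies that reading to ASA "No translation group found" messages. The function names, the `routing`/`nat` verdict labels and the sample log lines are assumptions made for illustration, and treating differing interfaces as a NAT-rule question is a heuristic, not a rule from the thread.

```python
import re

# Matches the ASA "No translation group found" message (syslog 305005) in the
# form quoted in the thread; ports are optional, ICMP shows type/code instead.
PATTERN = re.compile(
    r"No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[^\s/]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[^\s/]+)(?:/\d+)?"
)

def triage(line):
    """Return (verdict, fields) for one log line, or None if it does not match."""
    m = PATTERN.search(line)
    if not m:
        return None
    f = m.groupdict()
    if f["src_if"] == f["dst_if"]:
        # Egress interface equals ingress: the route lookup for the destination
        # points back at the same interface, so the packet never reaches the
        # interface that carries the crypto map. Check routing first.
        verdict = "routing"
    else:
        # Interfaces differ: routing picked another egress, so review the
        # NAT / NAT-exemption rules between the two interfaces (heuristic).
        verdict = "nat"
    return verdict, f

def summarize(lines):
    """Count hits per (verdict, src_if, dst_if, dst) so repeated pings collapse."""
    out = {}
    for line in lines:
        result = triage(line)
        if result:
            verdict, f = result
            key = (verdict, f["src_if"], f["dst_if"], f["dst"])
            out[key] = out.get(key, 0) + 1
    return out

# Constructed sample lines (documentation address ranges, not from the thread).
SAMPLE = [
    "%ASA-3-305005: No translation group found for icmp src inside:192.0.2.10 dst inside:198.51.100.20 (type 8, code 0)",
    "%ASA-3-305005: No translation group found for icmp src inside:192.0.2.10 dst inside:198.51.100.20 (type 8, code 0)",
    "%ASA-3-305005: No translation group found for tcp src inside:192.0.2.10/40000 dst dmz:203.0.113.5/80",
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.9/443",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, key)
```

A `routing` verdict for a destination that should be reached through the tunnel points at the same fix described above: make sure the firewall has a route to the remote LAN via the outside interface, for example through `set reverse-route` on the crypto map entry.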
