VPN ip flow in only one direction

Answered Question
Jul 3rd, 2008

Hi,


I have a Site-to-Site VPN that works fine in one direction, remote to center, i.e. it goes up, using VNC to connect from remote to central or vice versa works, on the reverse side (central to remote) doesn't and ping doesn't in both ways.


IMHO, there should be something missing on the central site, because if I ping from central LAN to remote LAN, or vice versa, the central ASA says:


No translation group found for icmp src inside:IP_ON_CENTRAL_LAN dst inside:IP_ON_REMOTE_LAN (type 8, code 0)


Remote is on nat0, i.e. I have


access-list inside_nat0_outbound extended permit ip LocalLAN 255.255.255.0 RemoteLAN 255.255.255.0

access-list inside_nat0_outbound extended permit icmp LocalLAN 255.255.255.0 RemoteLAN 255.255.255.0


access-list outside_1_cryptomap extended permit ip LocalLAN 255.255.255.0 RemoteLAN 255.255.255.0

access-list outside_1_cryptomap extended permit icmp LocalLAN 255.255.255.0 RemoteLAN 255.255.255.0


nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound outside


crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer REMOTE_PUBLIC_IP


On the remote (a PIX 501), I have:


access-list inside_outbound_nat0_acl permit ip LanRemote 255.255.255.0 LanCentral 255.255.255.0

access-list inside_outbound_nat0_acl permit icmp LanRemote 255.255.255.0 LanCentral 255.255.255.0

access-list outside_cryptomap_20 permit ip LanRemote 255.255.255.0 LanCentral 255.255.255.0

access-list outside_cryptomap_20 permit icmp LanRemote 255.255.255.0 LanCentral 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer CENTRAL_PUBLIC_IP

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside


What am I doing wrong?


Thanks


Correct Answer
a.alekseev Thu, 07/03/2008 - 11:37

No translation group found for icmp src inside:IP_ON_CENTRAL_LAN dst inside:IP_ON_REMOTE_LAN (type 8, code 0)


something is wrong with routing on central



sandman42 Fri, 07/04/2008 - 01:28

What's wrong is that I'm a chump!!!!


I forgot to include a reverse route command, i.e. before it was


crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer REMOTE_PUBLIC_IP

crypto map outside_map 1 set transform-set ESP-3DES-MD5


now it's


crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer REMOTE_PUBLIC_IP

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 1 set reverse-route


I know it's obvious for you, but I've replied just to help somebody else not forget this one.


Thanks for your collaboration
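
The two checks this thread turns on, as an added example that is not code from either poster: flag a "No translation group found" message whose source and destination resolve to the same interface (the routing symptom), and audit crypto map entries for a missing `set reverse-route`. The sample inputs are constructed from the thread's placeholders, and treating `set reverse-route` as required is an assumption that fits designs relying on it, as this one did.

```python
import re
from collections import defaultdict

# Syslog text as quoted in the thread; the interface name precedes each colon.
NO_XLATE = re.compile(
    r"No translation group found for (\S+) src (\S+?):(\S+) dst (\S+?):(\S+)")
CRYPTO_MAP = re.compile(r"^crypto map (\S+) (\d+) (match address|set [\w-]+)\b")
REQUIRED = ("match address", "set peer", "set transform-set", "set reverse-route")

def same_interface_drop(log_line):
    """Return the interface name when src and dst map to the same interface,
    i.e. the firewall routes the remote subnet back out the ingress side."""
    m = NO_XLATE.search(log_line)
    return m.group(2) if m and m.group(2) == m.group(4) else None

def audit_crypto_maps(config, required=REQUIRED):
    """Return {(map_name, seq): [missing statements]} for incomplete entries."""
    seen = defaultdict(set)
    for line in config.splitlines():
        m = CRYPTO_MAP.match(line.strip())
        if m:
            seen[(m.group(1), int(m.group(2)))].add(m.group(3))
    report = {}
    for key, stmts in seen.items():
        missing = [r for r in required if r not in stmts]
        if missing:
            report[key] = missing
    return report

# Constructed inputs: the thread's placeholders, with the "before" entry
# lacking reverse-route as the poster describes.
LOG = ("No translation group found for icmp src inside:IP_ON_CENTRAL_LAN "
       "dst inside:IP_ON_REMOTE_LAN (type 8, code 0)")
BEFORE = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer REMOTE_PUBLIC_IP
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
"""
AFTER = BEFORE + "crypto map outside_map 1 set reverse-route\n"

if __name__ == "__main__":
    print("same-interface drop on:", same_interface_drop(LOG))
    print("before:", audit_crypto_maps(BEFORE))
    print("after: ", audit_crypto_maps(AFTER))
```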
