07-18-2008 02:03 AM - edited 03-09-2019 09:06 PM
Hi,
I get the following error message when I try to connect over a site-to-site VPN:
No translation group found for tcp src outside:10.10.10.2/1038 dst inside:192.168.1.22/80
How do I set up the ASA so that all traffic coming from 10.10.10.2 gets properly translated and can travel to the inside hosts on 192.168.1.0?
Thanks
My config:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.1 255.0.0.0
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name *
access-list http_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit icmp 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_access_in remark Specify what kind of traffic should be allowed to travel to the inside network
access-list dmz_access_in extended permit tcp host 192.168.200.2 192.168.1.0 255.255.255.0 eq www
access-list NO-NAT extended permit ip any 192.168.200.0 255.255.255.0
access-list ftp_access_in extended permit tcp any any eq ftp
access-list 8080_access_in remark Specify what kind of traffic should be allowed in. Don't forget the NAT
access-list 8080_access_in extended permit tcp any any eq www
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface ftp 192.168.200.2 ftp netmask 255.255.255.255
static (dmz,outside) tcp interface 8080 192.168.200.2 8080 netmask 255.255.255.255
static (dmz,outside) tcp interface www 192.168.200.2 www netmask 255.255.255.255
access-group 8080_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 192.168.100.0 255.255.255.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 10.10.10.2
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.99 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
07-18-2008 02:36 AM
What is 10.10.10.2?
07-18-2008 02:54 AM
Oh! maybe I wasn't clear enough.
10.10.10.2 is the outside interface of the other ASA, whose computers on its inside network need to communicate with inside clients on this ASA.
07-18-2008 03:12 AM
Check "nat (inside) 0" on the other ASA.
07-18-2008 03:14 AM
I have nat (inside) 1 0.0.0.0 0.0.0.0
on both my ASAs. Is this correct?
07-18-2008 04:31 AM
ASA1
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
ASA2
access-list NO-NAT extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
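Putting the thread's fix together with the addresses from the question's own crypto map ACL (l2l_list) and its route statement, the following is an added example (not taken from any of the posts above) of the NAT-exemption configuration on both peers, followed by the commands used to verify it. It assumes the remote ASA's inside network is 192.168.100.0/24, as implied by l2l_list and the "route outside 192.168.100.0" line, and uses 192.168.100.10 as a hypothetical remote host for packet-tracer. The source address in the error message (10.10.10.2, the peer's outside interface) is what you see when the peer's "nat (inside) 1" PATs its inside hosts before encryption, which is why the exemption is needed on both sides.

```cisco
! ASA1 (this ASA, from the posted config): inside 192.168.1.0/24, outside 10.10.10.1
! The nat 0 ACL must mirror the crypto map match ACL (l2l_list) so that the
! flows that get encrypted are the same flows that are left untranslated.
! NAT exemption is evaluated in both directions, so this also covers the
! inbound 192.168.100.0/24 -> 192.168.1.22/80 connection from the error.
! The existing DMZ entry is kept; only the second line is new.
access-list NO-NAT extended permit ip any 192.168.200.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
!
! ASA2 (the peer at 10.10.10.2; inside network 192.168.100.0/24 is an assumption).
! Without this exemption, "nat (inside) 1 0.0.0.0 0.0.0.0" PATs its inside hosts
! to 10.10.10.2, which is exactly the source seen in the error message.
! The crypto ACL is the mirror image of ASA1's l2l_list.
access-list NO-NAT extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Verification on ASA1, using the port pair from the error message and a
! hypothetical remote host. The NAT phase of the trace should now report the
! exemption rule instead of dropping the packet, and the IPsec SA should show
! the two /24s as its local and remote identities.
packet-tracer input outside tcp 192.168.100.10 1038 192.168.1.22 80
show crypto ipsec sa peer 10.10.10.2
```

This is pre-8.3 syntax, matching the asdm-603 image in the question; on ASA 8.3 and later the same exemption is expressed as a twice-NAT rule ("nat (inside,outside) source static ... destination static ...") rather than "nat (inside) 0 access-list".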