asa 5505 no translation group

Unanswered Question
Jul 31st, 2008

Hi,

I have two asa 5505 that are failing to communicate with each other.

When i try to communicate (http) with a host on the other network, the asa on that side replies:

No translation group found for tcp src outside:192.168.100.20/44710 dst inside:192.168.1.4/80

I guess the error is with the second asa but I'm not sure.

192.168.100.12 -> 192.168.100.1 -> 213.136.41.180 -> internet -> 79.136.112.50 -> 192.168.1.5

The first asa

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 79.136.112.49 1

route outside 192.168.100.0 255.255.255.0 213.136.41.180 1

crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

crypto map abcmap 1 match address l2l_list

crypto map abcmap 1 set peer 213.136.41.180

crypto map abcmap 1 set transform-set FirstSet

crypto map abcmap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

tunnel-group 213.136.41.180 type ipsec-l2l

tunnel-group 213.136.41.180 ipsec-attributes

pre-shared-key *

*************************************************

the second asa

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_access_in extended permit icmp any any

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 213.136.41.182 1

route outside 192.168.1.0 255.255.255.0 79.136.112.50 1

route outside 192.168.200.0 255.255.255.0 79.136.112.50 1

crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

crypto map abcmap 1 match address l2l_list

crypto map abcmap 1 set peer 79.136.112.50

crypto map abcmap 1 set transform-set FirstSet

crypto map abcmap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

tunnel-group 79.136.112.50 type ipsec-l2l

tunnel-group 79.136.112.50 ipsec-attributes

pre-shared-key *

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Thu, 07/31/2008 - 05:17

First ASA

no access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Second ASA

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

olivier.jessel Thu, 07/31/2008 - 05:17

Hi,

Regarding you config, on the first asa I think the ACL

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

is wrong...

Should be :

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

NO ?

More on the second ASA, I can't see any ACL for the "no nat"...

Hope it helps..

Actions

This Discussion