ASA Client VPN no translation group problem

Feb 25th, 2009

I have a client VPN setup on ASA 5520 code 8.0, which connects okay and I am able to ping VPN devices from my local LAN.

However I cannot ping the local LAN from the VPN devices themselves. The ASA reports that No translation group can be found in the direction of VPN subnet on outside to LAN subnet on inside.

But what I don't understand is I have configured a NAT exemption group in both directions.

Packet tracer suggests it is matching my exemption rule from outside to inside but then moving on to regular NAT and trying to translate using the outbound PAT pool as well!!

My setup is as follows:


VPN subnet / 29


LAN / 24

The VPN is on the outside and NAT exempt exists for VPN subnet to LAN subnet on outside interface and LAN subnet to VPN subnet on inside interface.

Like I say the ping works fine from LAN to VPN!


acomiskey Wed, 02/25/2009 - 07:24

Mike, you don't need 2 nat exempt statements. You only need one as it applies in both directions.

access-list nat0 extended permit ip

nat (inside) 0 access-list nat0

mikedelafield Thu, 02/26/2009 - 05:27

Thanks for your help. It worked ok.

Just a general question though on this.

In the case of 2 interfaces of equal security level (say inside1 and inside2) on which interface should the NAT exempt statement be?

And which way round should it be, inbound or outbound? I still don't fully understand the inbound/outbound part within ASDM.

Thanks again.

