02-25-2009 06:26 AM - edited 03-11-2019 07:56 AM
I have a client VPN setup on ASA 5520 code 8.0, which connects okay and I am able to ping VPN devices from my local LAN.
However I cannot ping the local LAN from the VPN devices themselves. The ASA reports that No translation group can be found in the direction of VPN subnet on outside to LAN subnet on inside.
But what I don't understand is I have configured a NAT exemption group in both directions.
Packet tracer suggests it is matching my exemption rule from outside to inside but then moving on to regular NAT and trying to translate using the outbound PAT pool as well!!
My setup is as follows:
outside: VPN subnet 172.20.0.0/29
inside: LAN 10.101.1.0/24
The VPN is on the outside and NAT exempt exists for VPN subnet to LAN subnet on outside interface and LAN subnet to VPN subnet on inside interface.
Like I say, the ping works fine from LAN to VPN!
Help!
02-25-2009 07:24 AM
Mike, you don't need 2 nat exempt statements. You only need one as it applies in both directions.
access-list nat0 extended permit ip 10.101.1.0 255.255.255.0 172.20.0.0 255.255.255.248
nat (inside) 0 access-list nat0
02-26-2009 05:27 AM
Thanks for your help. It worked ok.
Just a general question though on this.
In the case of 2 interfaces of equal security level (say inside1 and inside2) on which interface should the NAT exempt statement be?
And which way round should it be, inbound or outbound? I still don't fully understand the inbound/outbound part within ASDM.
Thanks again.