VPN issue single IP

vinoth.kumar
Level 1

Hi,

We have a site-to-site VPN between a branch office and the head office; we are able to access all nodes in the head office except 2 or 3 IPs.

These 2 or 3 IPs are already static NATed for outside web access on the same PIX firewall.

The VPN config is as follows:

No-NAT: access-list 110 extended permit ip 10.210.0.0 255.255.0.0 192.168.148.0 255.255.255.252

Encryption domain: access-list VPN-Office extended permit ip 10.210.0.0 255.255.0.0 192.168.148.0 255.255.255.252

static (DMZ,outside) tcp XX.XX.2.15 5050 10.210.12.25 5050 netmask 255.255.255.255

access-list NAT-Cluster extended permit tcp any host XX.XX.2.15 eq 5050

access-group NAT-Cluster in interface outside

global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list 110
nat (DMZ) 1 access-list DMZtoInternet

We enabled sysopt connection permit-ipsec.

But when we try to ping from the 192.168.148.0 255.255.255.252 subnet to all IPs on 10.210.0.0/16 we get successful ping replies, but not from 10.210.12.25.

When I check the log it says:

%PIX-3-305005: No translation group found for icmp src outside:192.168.150.231 dst DMZ:10.210.12.25 (type 8, code 0)

Kindly let me know the reason for this issue.

Thanks,

Vinu

2 Replies

JORGE RODRIGUEZ
Level 10

"But when we try to ping from the 192.168.148.0 255.255.255.252 subnet to all IPs on 10.210.0.0/16 we get successful ping replies, but not from 10.210.12.25.

When I check the log it says:

%PIX-3-305005: No translation group found for icmp src outside:192.168.150.231 dst DMZ:10.210.12.25 (type 8, code 0)"

Are you sure you are pinging from the 192.168.148.0 network? The firewall message says you are pinging from 192.168.150.x, for which there is no reference in your no-NAT ACL rule. One would expect to see in your no-NAT exempt rule, in addition to what you already have for 192.168.148.0/30, something like:

access-list 110 extended permit ip 10.210.0.0 255.255.0.0 192.168.150.X

Check that; if no joy, could you post a brief topology description of which networks on the other side of the tunnel are to have access to your DMZ network.


Regards

Jorge Rodriguez

busterswt
Level 1

I agree about making sure your source IP falls within the encryption domain and no-NAT ACL. Looking over your config, if your source IP comes from 192.168.148.0/30 there's no reason it shouldn't work. You may want to make sure there isn't some sort of policy NAT or PAT configured to use 192.168.150.231 on the other end when sending traffic to 10.210.12.25. Check out the no-NAT ACLs on the other end as well.

Good luck!

James
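Both replies come down to one check: the source address in the 305005 message has to be covered by the nat 0 (no-NAT) ACL and the crypto ACL. The script below is an added example, not part of this thread; it parses the "permit ip" ACL lines as posted in the question (a constructed sample config) and tests the logged source/destination pair against them. ACL names, hosts and the log line are the ones quoted above; 192.168.148.1 is an assumed in-range peer address.

```python
import ipaddress
import re

# The 'permit ip' ACL lines as posted in the question (constructed sample config).
PIX_CONFIG = """
access-list 110 extended permit ip 10.210.0.0 255.255.0.0 192.168.148.0 255.255.255.252
access-list VPN-Office extended permit ip 10.210.0.0 255.255.0.0 192.168.148.0 255.255.255.252
"""

# PIX ACEs list source net/mask first (the local side for nat 0), then destination net/mask.
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
LOG_RE = re.compile(r"src \S+:(\S+) dst \S+:(\S+)")


def parse_ip_aces(config: str) -> dict:
    """Return {acl_name: [(local_net, remote_net), ...]} for 'permit ip' entries only."""
    acls: dict = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # tcp/udp entries and other config lines are not NAT-exemption rules
        name, src, smask, dst, dmask = m.groups()
        # ip_network accepts the dotted-netmask form PIX uses; strict=False tolerates host bits.
        local = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        remote = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        acls.setdefault(name, []).append((local, remote))
    return acls


def is_exempt(acls: dict, acl_name: str, local_ip: str, remote_ip: str) -> bool:
    """True if local->remote hits any ACE of the named ACL (i.e. nat 0 would apply)."""
    local, remote = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    return any(local in loc and remote in rem for loc, rem in acls.get(acl_name, []))


def check_syslog_305005(acls: dict, msg: str, nonat_acl: str = "110") -> bool:
    """Pull src (remote peer) and dst (local host) from a 305005 line and test the no-NAT ACL."""
    m = LOG_RE.search(msg)
    if not m:
        raise ValueError("not a 305005 src/dst message")
    remote_src, local_dst = m.group(1), m.group(2)
    return is_exempt(acls, nonat_acl, local_dst, remote_src)


if __name__ == "__main__":
    acls = parse_ip_aces(PIX_CONFIG)
    log = ("%PIX-3-305005: No translation group found for icmp "
           "src outside:192.168.150.231 dst DMZ:10.210.12.25 (type 8, code 0)")
    print(check_syslog_305005(acls, log))                           # False: 192.168.150.231 not in ACL 110
    print(is_exempt(acls, "110", "10.210.12.25", "192.168.148.1"))  # True: peer is in 192.168.148.0/30
```

A False result for the logged pair reproduces the 305005 condition: with no nat 0 match the PIX falls through to nat (DMZ) 1 and finds no translation for ICMP toward the static host.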