NAT Issue on ASA with VPN Clients

Jan 21st, 2010

I am connecting with the AnyConnect SSL VPN Client from the Internet and it connects fine.


When I try to ping or connect to an internal server -


Here is the message that I am getting:


%ASA-3-305005: No translation group found for tcp src outside:192.168.3.1/1338 dst inside:192.168.10.35/80


3.1 is the VPN client connection, 10.35 is the www server.


When I tried to connect externally, back out to the Internet, I got a similar message and it would not connect.


However, when I added:
nat (outside) 1 SSLVPN 255.255.255.0


I was able to connect to google.com and others.  Still not to any internal addresses however.


I have tried every other nat config statement I could come up with to get connectivity to the inside addresses: 1.0


Any ideas, seems like it should be pretty easy but I can't seem to come up with the right combo tonight.


Many thanks,



Config Snip:


same-security-traffic permit intra-interface
access-list cisco_splitTunnelAcl standard permit any
access-list inside_access_in extended permit ip any any
access-list inside_access_in_1 extended permit ip any any


ip local pool SSLVPN-Pool 192.168.3.1-192.168.3.254 mask 255.255.255.0


nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 SSLVPN 255.255.255.0


access-group inside_access_in_1 in interface inside


route inside 192.168.10.0 255.255.255.0 192.168.1.8 1

Dileep Sivadas ... Thu, 01/21/2010 - 23:54

Hi,


Create a NAT exemption rule for your VPN traffic.


access-list non-nat-inside extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 0 access-list non-nat-inside



Dileep
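
An offline check of the NAT exemption discussed in this thread, as an added example that is not part of either post: it parses the config lines posted above and reports whether a flow between an inside host and the VPN pool is covered by a `nat (inside) 0 access-list` rule. The function names are assumptions, and only `extended permit ip <net> <mask> <net> <mask>` ACL entries are parsed (no `any`, `host` or object-group forms).

```python
import ipaddress

# Constructed from the config lines posted in the question above.
QUESTION_CFG = """\
ip local pool SSLVPN-Pool 192.168.3.1-192.168.3.254 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 SSLVPN 255.255.255.0
"""
# The two lines suggested in the reply.
ANSWER_LINES = """\
access-list non-nat-inside extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list non-nat-inside
"""

def exemption_acls(cfg, iface="inside"):
    """Names of ACLs bound with 'nat (<iface>) 0 access-list <name>'."""
    names = set()
    for line in cfg.splitlines():
        t = line.split()
        if t[:4] == ["nat", f"({iface})", "0", "access-list"] and len(t) >= 5:
            names.add(t[4])
    return names

def acl_entries(cfg, name):
    """(src_net, dst_net) pairs for 'extended permit ip NET MASK NET MASK' entries."""
    out = []
    for line in cfg.splitlines():
        t = line.split()
        if t[:5] == ["access-list", name, "extended", "permit", "ip"] and len(t) == 9:
            out.append((ipaddress.ip_network(f"{t[5]}/{t[6]}"),
                        ipaddress.ip_network(f"{t[7]}/{t[8]}")))
    return out

def is_exempt(cfg, inside_host, vpn_client):
    """True if some exemption ACL entry covers inside_host -> vpn_client."""
    src, dst = ipaddress.ip_address(inside_host), ipaddress.ip_address(vpn_client)
    return any(src in s and dst in d
               for name in exemption_acls(cfg)
               for s, d in acl_entries(cfg, name))

if __name__ == "__main__":
    for label, cfg in (("as posted", QUESTION_CFG),
                       ("with reply applied", QUESTION_CFG + ANSWER_LINES)):
        print(label, is_exempt(cfg, "192.168.10.35", "192.168.3.1"))
```

With the reply's ACL, a host in 192.168.1.0/24 still returns False, because the ACL lists only 192.168.10.0/24 as the inside source.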
