ASA 5505 VPN Issue

Answered Question
Jul 20th, 2010

Getting "No translation group found for icmp src outside: x.x.x.x dst inside: x.x.x.x (type 8, code 0)".

Research showed there needs to be a NAT exempt rule; tried setting up one of those, but it does not resolve the issue. Need assistance, as we are novice Cisco users.

THANK YOU!

Correct Answer by Nagaraja Thanthry about 6 years 6 months ago

Hello,

Can you please make sure that the following are there on both ends:

On local firewall:

access-list nonat permit ip <local-net> <local-mask> <remote-net> <remote-mask>

nat (inside) 0 access-list nonat

For example: if your local subnet is 10.1.1.0/24 and the remote subnet is 192.168.1.0/24, then,

On local firewall:

access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

On the remote firewall:

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list nonat

Hope this helps.

Regards,

NT
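The accepted answer comes down to one check: is the address pair in the log line covered by the NAT exemption ACL, remembering that the ACL is written from the inside outward while the log shows the packet arriving from the outside. The script below is an added example, not code from the thread or from Cisco; it parses a "No translation group found" line and the nonat ACEs and reports whether the pair is exempt. The syslog ID prefix (%ASA-3-305005) and the host addresses in the sample line are assumptions constructed for the example; the subnets are the ones from the answer.

```python
import ipaddress
import re

# Constructed sample log line in the form quoted in the question; the
# message ID and host addresses are assumed, not taken from the thread.
SAMPLE_LOG = ("%ASA-3-305005: No translation group found for icmp src outside:192.168.1.25 "
              "dst inside:10.1.1.10 (type 8, code 0)")

# NAT exemption ACL exactly as the accepted answer gives it (local firewall side).
NONAT_ACL = [
    "access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0",
]

# ICMP type numbers per RFC 792: type 8 is an echo request, type 0 its reply.
ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 8: "echo", 11: "time-exceeded"}

LOG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
)

ACL_RE = re.compile(
    r"access-list (?P<name>\S+) (?:extended )?permit ip "
    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+)"
)


def parse_log(line):
    """Pull protocol, interfaces, addresses and ICMP type out of the log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 'No translation group found' message")
    ev = {
        "proto": m["proto"],
        "src_if": m["src_if"], "src": ipaddress.ip_address(m["src"]),
        "dst_if": m["dst_if"], "dst": ipaddress.ip_address(m["dst"]),
        "icmp_name": None,
    }
    if m["type"] is not None:
        ev["icmp_name"] = ICMP_TYPES.get(int(m["type"]), f"type-{m['type']}")
    return ev


def parse_acl(lines):
    """Return (name, local_net, remote_net) per ACE; a nonat ACL is written inside -> remote."""
    aces = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m:
            local = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            remote = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            aces.append((m["name"], local, remote))
    return aces


def exempt_covers(acl_lines, ev):
    """True if some ACE matches the logged pair. The ACE source is the inside subnet,
    so a packet logged as src outside / dst inside is matched with the ends swapped."""
    if ev["src_if"] == "inside":
        local_ip, remote_ip = ev["src"], ev["dst"]
    else:
        local_ip, remote_ip = ev["dst"], ev["src"]
    return any(local_ip in local and remote_ip in remote
               for _, local, remote in parse_acl(acl_lines))


def diagnose(acl_lines, line):
    """One-line verdict for a log line against the configured nonat ACL."""
    ev = parse_log(line)
    what = f"{ev['proto']} {ev['icmp_name'] or ''}".strip()
    pair = f"{ev['src']}->{ev['dst']}"
    if exempt_covers(acl_lines, ev):
        return (f"{what} {pair} is covered by the nonat ACL; check that "
                f"'nat (inside) 0 access-list nonat' is applied and the tunnel is up")
    return (f"{what} {pair} is NOT covered by the nonat ACL; add an ACE for the "
            f"local subnet to the remote subnet on both firewalls")


if __name__ == "__main__":
    print(diagnose(NONAT_ACL, SAMPLE_LOG))
```

Feeding the script a line where the remote host falls outside 192.168.1.0/24 flips the verdict, which is the usual cause when a second site-to-site tunnel starts logging the same message: the new remote subnet was never added to the nonat ACL.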

Nagaraja Thanthry Tue, 07/20/2010 - 13:41

Hello,

ICMP type 8 code 0 corresponds to Echo Reply. Are you getting these through VPN tunnels? Or is it a regular reply for Echo requests from inside hosts?

You could try "icmp permit any echo-reply outside" and see if that fixes the issue.

Hope this helps.

Regards,

NT

bradkenn75 Tue, 07/20/2010 - 13:45

The message is in regard to a terminal ping coming from the other side of the new VPN. We have an "outside" icmp any-to-any permit policy, using the ASDM, by the way.

We're confused, as the message seems to indicate that there is no NAT for the other side of the new VPN to the internal LAN on our side.


bradkenn75 Tue, 07/20/2010 - 14:09

MAN! You rock! Thanks! What's odd is we saw that solution in another post and tried setting that up from the ASDM, but it wouldn't work; put it in the CLI, and voilà! Sweet! Appreciate that.

bradkenn75 Wed, 08/04/2010 - 08:34

We are having another issue with this; are you available to assist? Another site-to-site VPN is down, getting the same error in the logs.
