ASA 5505 VPN Issue

Answered Question
Jul 20th, 2010
Getting "No translation group found for icmp src outside: x.x.x.x dst inside: x.x.x.x (type 8, code0)".


Research showed there needs to be a NAT exempt rule; we tried setting up one of those, but it does not resolve the issue.  We need assistance, as we are novice Cisco users.


THANK YOU!

Nagaraja Thanthry (Cisco Employee) Tue, 07/20/2010 - 13:41

Hello,


ICMP type 8 code 0 corresponds to Echo Reply. Are you getting these through VPN tunnels? Or is it a regular reply for Echo requests from inside hosts?

You could try "icmp permit any echo-reply outside" and see if that fixes the issue.


Hope this helps.


Regards,


NT

bradkenn75 Tue, 07/20/2010 - 13:45

The message is in regards to a terminal ping coming from the other side of the new VPN.  We have an "outside" icmp any to any permit policy, using the ASDM by the way.


We're confused as the message seems to indicate that there is no NAT for the other side of the new VPN to the internal LAN on our side.

Correct Answer
Nagaraja Thanthry (Cisco Employee) Tue, 07/20/2010 - 13:57

Hello,


Can you please make sure that the following are there on both ends:

On local firewall:

access-list nonat permit ip <local-subnet> <mask> <remote-subnet> <mask>

nat (inside) 0 access-list nonat

For example: if your local subnet is 10.1.1.0/24 and the remote subnet is 192.168.1.0/24, then,

On local firewall:

access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

On the remote firewall:

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list nonat


Hope this helps.


Regards,


NT

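A quick offline check for the two conditions in the answer above, added here as an example (it is not code from the thread or from Cisco): it parses a pasted ASA 8.2-style config and reports whether a `nat (inside) 0 access-list` binding exists and whether the bound ACL has an entry in the local-to-remote direction. It assumes the pre-8.3 NAT syntax used in the answer and plain network/mask ACEs; the sample configs are constructed.

```python
import ipaddress
import re

# Constructed ASA 8.2-style config for this example (not from the thread): the
# nonat ACL is bound with "nat (inside) 0", as the accepted answer requires.
SAMPLE_OK = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Constructed: the ACL exists but was never bound with "nat (inside) 0", so VPN
# traffic still falls through to dynamic NAT and the log message appears.
SAMPLE_UNBOUND = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Only "permit ip <net> <mask> <net> <mask>" ACEs are parsed ("host"/"any" are skipped).
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")

def parse_aces(config):
    """Map ACL name -> list of (src_net, dst_net) from its 'permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return acls

def nat_exempt_acls(config):
    """Map interface -> ACL name for every 'nat (if) 0 access-list <acl>' line."""
    matches = (NAT0_RE.match(line.strip()) for line in config.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def nat_exempt_covers(config, interface, local, remote):
    """True if local->remote traffic entering on `interface` is exempt from NAT."""
    acl = nat_exempt_acls(config).get(interface)
    if acl is None:
        return False  # an unbound ACL does nothing, whatever ASDM showed
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    # Direction matters: the local firewall's ACE must read local -> remote.
    return any(local.subnet_of(src) and remote.subnet_of(dst)
               for src, dst in parse_aces(config).get(acl, []))
```

Run it against the remote firewall's config with the subnets swapped; each side must pass with its own local subnet as the source.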
bradkenn75 Tue, 07/20/2010 - 14:09

MAN!  You rock!  Thanks!  What's odd is we saw that solution in another post and tried setting that up from the ASDM, but it wouldn't work; put it in the CLI, and voilà! Sweet!  Appreciate that.

bradkenn75 Wed, 08/04/2010 - 08:34

We are having another issue with this; are you available to assist?  Another site-to-site VPN is down, getting the same error in the logs.
