ASA 5505 VPN Issue

bradkenn75
Level 1

Getting "No translation group found for icmp src outside: x.x.x.x dst inside: x.x.x.x (type 8, code0)".

Research showed there needs to be a NAT exempt rule, tried setting up one of those, does not resolve.  Need assistance, as we are novice Cisco users.

THANK YOU!

5 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

ICMP type 8 code 0 corresponds to Echo Reply. Are you getting these through VPN tunnels? Or is it a regular reply for Echo requests from inside hosts? You could try "icmp permit any echo-reply outside" and see if that fixes the issue.

Hope this helps.

Regards,

NT

The message is in regards to a terminal ping coming from the other side of the new VPN.  We have an "outside" icmp any to any permit policy, using the ASDM by the way.

We're confused as the message seems to indicate that there is no nat for the other side of the new VPN to the internal LAN on our side.                     

Hello,

Can you please make sure that the following are there on both ends:

On local firewall:

Access-list nonat permit ip <local subnet> <mask> <remote subnet> <mask>

Nat (inside) 0 access-list nonat

For example: If your local subnet is 10.1.1.0/24 and remote subnet is 192.168.1.0/24, then,

On local firewall:

Access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Nat (inside) 0 access-list nonat

On the remote firewall:

Access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

Nat (inside) 0 access-list nonat

Hope this helps.

Regards,

NT
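
A check for the "both ends" requirement in the answer above, as an added example that is not part of the original post: it reads two saved ASA configurations and reports any side where the tunnel subnets are not covered by a `nat (inside) 0 access-list` exemption. The function names and sample configs are constructed for illustration, and only ACL entries in the subnet/mask form shown in the answer are parsed.

```python
import ipaddress
import re

# Constructed sample configs using the subnets from the answer above.
LOCAL_CFG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
# Constructed faulty peer: mirrored ACL is present, but the nat line lacks the 0 ID.
REMOTE_CFG = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) access-list nonat
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Only "permit ip <net> <mask> <net> <mask>" entries are parsed (no host/any/objects).
ACL_RE = re.compile(rf"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                    rf"{IP}\s+{IP}\s+{IP}\s+{IP}\s*$", re.I | re.M)
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$", re.I | re.M)


def exempt_pairs(config, interface="inside"):
    """Return the (source, destination) networks exempted from NAT on `interface`."""
    acl_names = {name for ifc, name in NAT0_RE.findall(config)
                 if ifc.lower() == interface.lower()}
    pairs = set()
    for name, src, smask, dst, dmask in ACL_RE.findall(config):
        if name in acl_names:
            pairs.add((ipaddress.ip_network(f"{src}/{smask}"),
                       ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs


def check_tunnel(local_cfg, remote_cfg, local_net, remote_net):
    """List what is missing for NAT exemption between the two subnets."""
    lnet, rnet = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    problems = []
    for side, cfg, src, dst in (("local", local_cfg, lnet, rnet),
                                ("remote", remote_cfg, rnet, lnet)):
        covered = any(src.subnet_of(s) and dst.subnet_of(d)
                      for s, d in exempt_pairs(cfg))
        if not covered:
            problems.append(f"{side}: no 'nat (inside) 0' exemption for {src} -> {dst}")
    return problems


if __name__ == "__main__":
    for line in check_tunnel(LOCAL_CFG, REMOTE_CFG, "10.1.1.0/24", "192.168.1.0/24"):
        print(line)
```
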

MAN!  You Rock!  Thanks!  What's odd, is we saw that solution in another post and tried setting that up from the ASDM, but it wouldn't work; put it in the CLI, and voilà! Sweet!  Appreciate that.

We are having another issue with this, are you available to assist?  Another site to site VPN is down, getting same error in logs.
