This is my scenario.
Software Version 7.2(1)
I have enabled VPN on the outside interface. The IPsec client pool is in the range 192.168.98.150-192.168.98.175.
- Enabled "icmp any any" access on both the outside interface and the inside interface.
- ICMP and ICMP error inspection are enabled.
- nat-control is disabled.
The clients are unable to ping any IP in the "inside" LAN, but at the same time they are able to access the devices in the local LAN using HTTP, HTTPS, SSH and Telnet.
access-list NONAT extended permit ip any 192.168.98.0 255.255.255.0
nat (inside) 0 access-list NONAT
I get the following log message: "portmap translation creation failed for icmp src outside"
If I add a static (outside,inside) 192.168.98.0 192.168.98.0 netmask 255.255.255.0
I am able to ping and the problem is resolved.
Could anyone please explain this behaviour to me?
- Why does ICMP alone need a NAT when TCP and UDP traffic work just fine?
- Why a portmap translation error? Why not dynamic identity NAT?
So it was matching a "nat" configuration on the "outside" interface that had no matching "global" configuration for the destination interface (probably inside), which caused the problems and produced the "portmap" error.
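The diagnostic checks and the two identity-NAT fixes that follow from the reply above, written out as an added illustration rather than configuration taken from the thread. The static line is the one the original poster reported as working; the access-list name NONAT-OUTSIDE and the use of NAT exemption on the outside interface are assumptions, and the interface names are the poster's.

```text
! Added example, not configuration from the original thread.
!
! 1. Confirm the mismatch the reply describes: a "nat (outside) <id>" entry
!    whose <id> has no corresponding "global (inside) <id>". VPN client
!    traffic entering on outside and leaving on inside hits that nat entry,
!    finds no global for the egress interface, and the ASA cannot build an
!    xlate, which is what the "portmap translation creation failed" message
!    reports.
show running-config nat
show running-config global
show running-config nat | include outside
show running-config global | include inside
!
! 2a. Fix A (what the poster used): an identity static so 192.168.98.0/24
!     keeps its addresses when going from outside to inside. Statics are
!     evaluated before dynamic nat/global pairs, so the broken pair is never
!     consulted for this traffic.
static (outside,inside) 192.168.98.0 192.168.98.0 netmask 255.255.255.0
!
! 2b. Fix B (alternative, assumed name NONAT-OUTSIDE): NAT exemption on the
!     outside interface, mirroring the existing nat (inside) 0 access-list
!     NONAT that already exempts the inside-to-VPN direction. NAT exemption
!     is checked before every other NAT rule, so it also bypasses the pair.
access-list NONAT-OUTSIDE extended permit ip 192.168.98.0 255.255.255.0 any
nat (outside) 0 access-list NONAT-OUTSIDE
!
! 3. Verify: after clearing stale translations, a client ping from the pool
!    should now produce an identity xlate and no portmap failure in the log.
clear xlate
show xlate
show logging | include portmap
```

Apply only one of the two fixes; both are identity translations for the same pool, and keeping the configuration to a single rule makes a later `show running-config nat` easier to audit. Fix B is the closer match to how the inside-to-pool direction is already handled, while Fix A is the smaller change to a configuration that already relies on statics.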