Cisco Support Community
New Member

ASA 5505 VPN Issue

Getting "No translation group found for icmp src outside: x.x.x.x dst inside: x.x.x.x (type 8, code0)".

Research showed there needs to be a NAT exempt rule; we tried setting up one of those, but it does not resolve the issue.  Need assistance, as we are novice Cisco users.

THANK YOU!

Cisco Employee

Re: ASA 5505 VPN Issue

Hello,

ICMP type 8 code 0 corresponds to Echo Reply. Are you getting these through VPN tunnels? Or is it a regular reply for Echo requests from inside hosts?

You could try "icmp permit any echo-reply outside" and see if that fixes the issue.

Hope this helps.

Regards,

NT

New Member

Re: ASA 5505 VPN Issue

The message is in regards to a terminal ping coming from the other side of the new VPN.  We have an "outside" icmp any to any permit policy, using the ASDM by the way.

We're confused as the message seems to indicate that there is no nat for the other side of the new VPN to the internal LAN on our side.                     

Cisco Employee

Re: ASA 5505 VPN Issue

Hello,

Can you please make sure that the following are there on both ends:

On local firewall:

Access-list nonat permit ip <local subnet> <mask> <remote subnet> <mask>

Nat (inside) 0 access-list nonat

For example: If your local subnet is 10.1.1.0/24 and remote subnet is 192.168.1.0/24, then,

On local firewall:

Access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Nat (inside) 0 access-list nonat

On the remote firewall:

Access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

Nat (inside) 0 access-list nonat

Hope this helps.

Regards,

NT
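
Added example, not part of the reply above or of any Cisco tooling: a small offline check that two saved configs carry mirrored NAT exemptions in the `nat (inside) 0 access-list` form used in this thread. The function names and sample configs are constructed for illustration, and only plain network/mask ACL entries are handled (no `host`, `any` or object-groups).

```python
import re

# Constructed sample configs using the subnets from the reply above.
LOCAL_CFG = """\
Access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Nat (inside) 0 access-list nonat
"""
REMOTE_OK = """\
Access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
Nat (inside) 0 access-list nonat
"""
# Same remote config with the NAT ID "0" left out: the ACL exists but is
# never bound as an exemption, so the tunnel traffic still hits NAT.
REMOTE_BAD = REMOTE_OK.replace("(inside) 0 ", "(inside) ")

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Keywords are matched case-insensitively because the thread capitalises them.
NAT0 = re.compile(r"^[ \t]*nat \((\S+)\) 0 access-list (\S+)[ \t]*$", re.I | re.M)
ACE = re.compile(
    rf"^[ \t]*access-list (\S+)(?: extended)? permit ip {IP} {IP} {IP} {IP}[ \t]*$",
    re.I | re.M,
)

def exempt_pairs(cfg, iface="inside"):
    """Return {(src_net, src_mask, dst_net, dst_mask)} exempted from NAT on iface."""
    bound = {acl for name, acl in NAT0.findall(cfg) if name.lower() == iface}
    return {(s, sm, d, dm) for acl, s, sm, d, dm in ACE.findall(cfg) if acl in bound}

def check_pair(local_cfg, remote_cfg):
    """List problems that leave VPN traffic without a NAT exemption on one end."""
    problems = []
    local, remote = exempt_pairs(local_cfg), exempt_pairs(remote_cfg)
    if not local:
        problems.append("local: no ACL bound with 'nat (inside) 0 access-list'")
    if not remote:
        problems.append("remote: no ACL bound with 'nat (inside) 0 access-list'")
    # The remote entry must be the local one with source and destination swapped.
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in remote}
    for s, sm, d, dm in sorted(local - mirrored):
        problems.append(f"remote: missing exemption {d} {dm} -> {s} {sm}")
    for s, sm, d, dm in sorted(mirrored - local):
        problems.append(f"local: missing exemption {s} {sm} -> {d} {dm}")
    return problems

if __name__ == "__main__":
    for label, remote_cfg in (("ok", REMOTE_OK), ("bad", REMOTE_BAD)):
        print(label, check_pair(LOCAL_CFG, remote_cfg) or "mirrored exemptions present")
```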

New Member

Re: ASA 5505 VPN Issue

MAN!  You Rock!  Thanks!  What's odd is we saw that solution in another post and tried setting that up from the ASDM, but it wouldn't work; put it in the CLI, and voilà! Sweet!  Appreciate that.

New Member

Re: ASA 5505 VPN Issue

We are having another issue with this; are you available to assist?  Another site-to-site VPN is down, getting the same error in the logs.
