
ASA 7.2.2 No translation group found for

Hi,

We have a Cisco ASA Setup that is configured for VPN for Remote Access to our Internal Network.

Without any configuration change on the firewall, we have observed that even though the VPN gets connected, no active traffic passes through the VPN Tunnel.

We have observed from the logs that the firewall throws: 3 Oct 21 2007 22:50:54 305005 10.30.50.1 No translation group found for icmp src Outside:10.60.60.50 dst inside:10.30.50.1 (type 8, code 0).

We also tried configuring the NAT Exempt Rule which has not helped us in resolving this scenario.

Attached is the configuration of the firewall. Any help in this regard is highly appreciated.

Regards,

Sriharshaa Prabhakar

2 Replies

A few things that seem to get mixed up:

1) To your VPN clients you are assigning IPs that belong to internal LAN

Pool:

ip local pool vpn-add 10.30.50.200-10.30.50.225 mask 255.255.255.0

Assignment:

tunnel-group itmohesr general-attributes
 address-pool vpn-add

That won't work, you probably intend to:

tunnel-group itmohesr general-attributes
 address-pool mohesrpool

2) Split tunnel ACL that was done in ASDM looks a bit awkward to me:

split-tunnel-network-list value cisco_splitTunnelAcl
!
access-list cisco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

It is not a problem of course, as I guess you want to disable VPN users from connecting to anything else when connected to VPN, but it will look a bit more clear if you do the usual extended ACL and just put ANY as destination, and why not put the netmask as it is configured on the interface, /24?

3) In current status it is still missing nat-exempt:

nat (inside) 0 access-list NONAT
access-list NONAT permit ip 10.30.50.0 255.255.255.0 10.60.60.0 255.255.255.0

Hope this helps,

Yuri
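
A small check for point 3 above, as an added example that is not part of the original thread: it parses the 305005 message from the question and tests whether the nat (inside) 0 ACL from the reply covers that flow. The function names, the regexes and the lower-casing of interface names are assumptions of this sketch, and only "permit ip <net> <mask> <net> <mask>" entries are handled.

```python
import ipaddress
import re

# Constructed sample input: the syslog line quoted in the question and the
# exemption ACL proposed in the reply.
LOG = ("3 Oct 21 2007 22:50:54 305005 10.30.50.1 No translation group found for "
       "icmp src Outside:10.60.60.50 dst inside:10.30.50.1 (type 8, code 0)")
CONFIG = """\
nat (inside) 0 access-list NONAT
access-list NONAT permit ip 10.30.50.0 255.255.255.0 10.60.60.0 255.255.255.0
"""

LOG_RE = re.compile(r"No translation group found for (\S+) "
                    r"src (\S+?):([\d.]+)(?:/\d+)? dst (\S+?):([\d.]+)(?:/\d+)?")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)", re.M)
ACE_RE = re.compile(r"^access-list (\S+)(?: extended)? permit ip "
                    r"([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)", re.M)

def parse_305005(line):
    """Extract protocol, interfaces and addresses from a 305005 message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, s_if, s_ip, d_if, d_ip = m.groups()
    # Assumption: interface names are compared case-insensitively.
    return {"proto": proto,
            "src_if": s_if.lower(), "src": ipaddress.ip_address(s_ip),
            "dst_if": d_if.lower(), "dst": ipaddress.ip_address(d_ip)}

def exemptions(config):
    """Map each nat 0 interface to the (local_net, remote_net) pairs of its ACL."""
    acls = {}
    for name, src, smask, dst, dmask in ACE_RE.findall(config):
        acls.setdefault(name, []).append((ipaddress.ip_network(f"{src}/{smask}"),
                                          ipaddress.ip_network(f"{dst}/{dmask}")))
    return {ifc.lower(): acls.get(acl, []) for ifc, acl in NAT0_RE.findall(config)}

def is_exempt(flow, rules):
    """True if the flow matches a nat 0 entry, whichever side opened it.

    The ACL source is the host behind the nat 0 interface and the ACL
    destination is its peer, so both orientations of the flow are tried.
    """
    for local_if, local, remote in ((flow["src_if"], flow["src"], flow["dst"]),
                                    (flow["dst_if"], flow["dst"], flow["src"])):
        if any(local in a and remote in b for a, b in rules.get(local_if, [])):
            return True
    return False

if __name__ == "__main__":
    print(is_exempt(parse_305005(LOG), exemptions(CONFIG)))
```
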

Hi Yuri,

Thanks for the reply. I have sat and debugged the problem. I have also done the same change: instead of standard ACL, I have configured extended ACL and the NAT0 is in place now with correct configuration. Looks like someone has tried to change the config that has affected the VPN Services.

Now it's working fine, again thanks for your reply.

Regards,

Sriharshaa Prabhakar
