I have two networks behind my ASA 5505 inside interface -- 192.168.1.0/24 is directly connected, but 192.168.200.0/24 is connected via router. I added a route to 192.168.200.0/24 in the ASA, and I can browse web sites and initiate PPTP sessions to an internet-connected PPTP server.
But if I try to get from 192.168.200.0/24 to 192.168.1.0/24, my outbound packets get to 192.168.1.0/24 (I did a packet capture), but my replies from 192.168.1.0/24 to 192.168.200.0/24 never get there and the ASA logs "regular translation creation failed for icmp src inside:192.168.1.x dst inside:192.168.200.1".
I've tried a NAT exemption, but all that does is change the error to "no translation group found".
Is there any way to allow the ASA to route packets off its internal interface without translation?
Hello. This sounds like a common problem that I see. It sounds like the router you are mentioning has an interface on the 192.168.1.0/24 network, correct? Also, you have a route in the ASA to the 192.168.200.0/24 network through the IP address of the router that is on the 192.168.1.0/24 network. It sounds like the traffic from the 200.x net is getting to the router, the router has a directly connected interface to 1.x and sends the traffic out on the wire. The 1.x host then tries to respond, but doesn't have its own route to the 200.x net so it sends it to its default gateway (the ASA on the 1.x net). The problem is, the ASA will not support ICMP redirect. ICMP redirect is what allows a host to 're-learn' the route to a subnet through another path. If the ASA were a router in this instance, it would send a 'redirect' to the 1.x host telling it that the 200.x host was actually reachable through the router and not the ASA. All subsequent traffic would go through the router. Since the ASA does not support this (security reasons), the host can't actually reach the 200.x subnet. The best way to fix this is to put a default route on the router that points to the ASA (Internet hosts, etc...) and point your 1.x hosts to the router as their default gateway. All Internet traffic will be ICMP redirected to the ASA and all 200.x traffic will go to the appropriate interface of the router. Anyway, if you have any other questions, please ask.
I thought about that, as well as the idea of just adding a static route to the 192.168.200.0/24 network on the 3-4 hosts affected (very small network).
The former solution, making the inside router the default router, unfortunately won't work. I lied to simplify the situation -- the 192.168.200.0/24 network is actually assigned to PPTP clients from another firewall, and the route to .200 is actually via this other firewall. Since this firewall is *also* connected to the internet, making it the default router effectively eliminates the ASA (also a solution itself, but not one I want).
I think there may be some other NAT issue. Attached is the packet-trace output.
I looked into this some more. It looks like I was wrong and the ASA/PIX will allow this traffic after 7.2x something. Anyway, sorry about that. Just been stuck in how it 'used' to work. How did you do your NAT exemption?
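Added example, not posted by anyone in this thread: the configuration pieces that let an ASA send traffic back out the interface it arrived on (inside-to-inside "hairpin") without translating it, which is what the original question asks for. The next-hop address 192.168.1.254 for the other firewall and the object names NET-1 and NET-200 are placeholders I chose; substitute the real values. Both the pre-8.3 NAT-exemption syntax and the 8.3+ identity-NAT syntax are shown because the thread refers to the 7.2x era.

```cisco
! --- Required on any version: let a packet leave the same interface it entered.
! Without this, inside-to-inside traffic is dropped regardless of NAT.
same-security-traffic permit intra-interface

! --- Route to the PPTP client pool via the other firewall's inside address.
! 192.168.1.254 is a placeholder for that firewall.
route inside 192.168.200.0 255.255.255.0 192.168.1.254

! ===== Pre-8.3 syntax: NAT exemption via nat 0 access-list =====
! The exemption ACL is evaluated against the packet as it arrives on "inside",
! so it lists both directions: 200.x -> 1.x (client initiating) and 1.x -> 200.x.
access-list NONAT extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ===== 8.3+ syntax: identity (twice) NAT between the two inside subnets =====
object network NET-1
 subnet 192.168.1.0 255.255.255.0
object network NET-200
 subnet 192.168.200.0 255.255.255.0
! Source and destination are mapped to themselves, so no translation occurs.
nat (inside,inside) source static NET-1 NET-1 destination static NET-200 NET-200

! --- Verification: trace an ICMP echo from a PPTP client to an inside host.
! The NAT phase should report the exemption/identity rule and the result ALLOW.
packet-tracer input inside icmp 192.168.200.1 8 0 192.168.1.10
show nat
```

A quick check after applying this: `show xlate` should show no entry for the 192.168.200.x source, and the "regular translation creation failed" / "no translation group found" messages should stop for inside-to-inside flows; if they continue, the packet-tracer output will show at which phase (NAT vs. the intra-interface check) the drop occurs.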