I have two sites, Site A: MNMCDEL and Site B: NNMCCNI. See the attached diagrams of both sites.
Both sites are connected using MPLS. I have one interface called MPLS on both firewalls and they are able to ping each other (192.168.1.114 in SiteA is pinging 192.168.2.114 in SiteB).
The customer requirement is that from the SiteA firewall he should be able to ping the SiteB DCNMS interface IP address (192.168.2.190) and do SNMP polling. Similarly, he should be able to ping the SiteA DCNMS interface IP address (192.168.1.190) from SiteB and do SNMP polling.
To do this I configured a site-to-site VPN between Site A and Site B and configured "management-access DCNMS" on both firewalls. But even though the IPSEC tunnel is formed, I am not able to ping 192.168.1.190 from SiteB or 192.168.2.190 from SiteA. I am getting the following error message.
You need to make sure those addresses you are trying to ping are encapsulated over the tunnel or else you will get translation failures.
Can you provide your tunnel traffic ACLs?
The error you describe has the following description:
Explanation: A protocol (UDP, TCP, or ICMP) failed to create a translation through the firewall. The firewall provides this checking for addresses that are explicitly identified with static command statements. With the change, for inbound traffic, the firewall denies translations for a destined IP address identified as a network or broadcast address.
The firewall does not apply PAT to all ICMP message types; it only applies PAT to ICMP echo and echo-reply packets (types 8 and 0). Specifically, only ICMP echo or echo-reply packets create a PAT xlate. So, when the other ICMP message types are dropped, this message is generated.
Not a terribly helpful message without more information on your config.