Cisco Support Community

New Member

Remote VPN can't ping each other

Hi, I just migrated my remote users off of the VPN Concentrator and onto the VPN. Everything works, but I just noticed that the remote VPN can't ping each other. Did I do something wrong with my NAT statement:

nat (outside) 10 172.20.141.8 255.255.255.248

nat (outside) 10 172.20.141.16 255.255.255.248

nat (outside) 10 172.20.141.24 255.255.255.248

nat (outside) 10 172.20.141.32 255.255.255.248

nat (outside) 10 172.20.141.40 255.255.255.248

nat (outside) 10 172.20.141.48 255.255.255.248

nat (outside) 10 172.20.141.56 255.255.255.248

nat (outside) 10 172.20.141.64 255.255.255.248

nat (outside) 10 172.20.141.72 255.255.255.248

nat (outside) 10 172.20.142.0 255.255.255.248

nat (outside) 10 172.20.144.0 255.255.255.248

nat (outside) 10 172.20.146.0 255.255.255.248

nat (outside) 10 172.20.146.8 255.255.255.248

Do I need to add this statement?

nat (outside) 0 access-list inside_nat0_outbound

7 REPLIES
New Member

Re: Remote VPN can't ping each other

If your remote networks are defined correctly in the access list inside_nat0_outbound, then you will need the following:

nat (inside) 0 access-list inside_nat0_outbound

Note the interface specified in brackets is the interface closest to your internal network and not the remote networks as your example shows.

Also, the other nat statements you had will not work in your requirement.

Good Luck!

New Member

Re: Remote VPN can't ping each other

Thanks, I'll give it a try. I don't understand why nat (outside) 0 access-list inside_nat0_ won't work.

New Member

Re: Remote VPN can't ping each other

Brett,

I tried nat (inside) 0 access-list inside_nat0_outbound and it still didn't work.

New Member

Re: Remote VPN can't ping each other

Here's what access-list inside_nat0_outbound looks like:

access-list inside_nat0_outbound extended permit ip any 172.20.19.64 255.255.255.192

access-list inside_nat0_outbound extended permit ip any 172.25.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 172.20.146.0 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.144.0 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.142.0 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.16 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.24 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.146.8 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.8 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.32 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.40 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.48 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.56 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.64 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 172.20.141.72 255.255.255.248

I applied this: nat (inside) 0 access-list inside_nat0_outbound

and it still doesn't work. From the syslog I get the following:

07:25 PM isi-950-dc-fw01 Error No translation group found for icmp src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)

07:24 PM isi-950-dc-fw01 Error No translation group found for icmp src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)

07:24 PM isi-950-dc-fw01 Error No translation group found for icmp src outside:172.25.1.19 dst outside:172.20.144.1 (type 8, code 0)

New Member

Re: Remote VPN can't ping each other

Can you post a sanitized copy of your config?

Thanks

New Member

Re: Remote VPN can't ping each other

Thanks, here it is. Just remember, we have all of our VPN sites coming to us and we don't allow split tunneling.

nat (outside) 10 172.x.141.8 255.255.255.248

nat (outside) 10 172.x.141.16 255.255.255.248

nat (outside) 10 172.x.141.24 255.255.255.248

nat (outside) 10 172.x.141.32 255.255.255.248

nat (outside) 10 172.x.141.40 255.255.255.248

nat (outside) 10 172.x.141.48 255.255.255.248

nat (outside) 10 172.x.141.56 255.255.255.248

nat (outside) 10 172.x.141.64 255.255.255.248

nat (outside) 10 172.x.141.72 255.255.255.248

nat (outside) 10 172.x.142.0 255.255.255.248

nat (outside) 10 172.x.144.0 255.255.255.248

nat (outside) 10 172.x.146.0 255.255.255.248

nat (outside) 10 172.x.146.8 255.255.255.248

nat (outside) 10 172.x.19.0 255.255.255.0

nat (outside) 10 172.x.1.0 255.255.255.0

New Member

Re: Remote VPN can't ping each other

Your access-list inside_nat0_outbound does not cover the destination IP you are pinging:

172.20.144.1

Try adding a new line to your access-list in order to cover that host.
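
A way to test an access-list against the flow named in a syslog line like the ones posted in this thread, added here as an example and not written by anyone in the thread. It parses a subset of the posted ACL (constructed sample input), lists the entries whose source and destination networks contain the logged addresses, and reports the interfaces involved; the function names are hypothetical, and only `permit ip` entries with `any`, `host` or network/mask operands are handled.

```python
import ipaddress
import re

# Constructed sample input: a subset of the ACL, the nat 0 line and one
# syslog message as they appear in the thread.
ACL = """\
access-list inside_nat0_outbound extended permit ip any 172.25.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.20.146.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 172.20.144.0 255.255.255.248
"""
NAT_EXEMPT = "nat (inside) 0 access-list inside_nat0_outbound"
SYSLOG = ("No translation group found for icmp src outside:172.25.1.19 "
          "dst outside:172.20.144.1 (type 8, code 0)")

def take_network(tokens):
    """Consume 'any', 'host A' or 'A MASK' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acl(text, name):
    """Return (source_net, dest_net) for each 'permit ip' entry of ACL `name`."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        rest = tokens[5:]
        entries.append((take_network(rest), take_network(rest)))
    return entries

def check_flow(acl_text, nat_line, syslog_line):
    """Compare the logged flow with the ACL and the interface on the nat 0 line."""
    nat = re.match(r"nat \((\S+)\) 0 access-list (\S+)", nat_line)
    flow = re.search(r"src (\S+?):(\S+) dst (\S+?):(\S+)", syslog_line)
    src_if, src_ip, dst_if, dst_ip = flow.groups()
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [f"{s} -> {d}" for s, d in parse_acl(acl_text, nat.group(2))
            if src in s and dst in d]
    return {"acl_hits": hits, "src_if": src_if, "dst_if": dst_if,
            "nat_if": nat.group(1), "nat_if_is_src_if": nat.group(1) == src_if}

if __name__ == "__main__":
    print(check_flow(ACL, NAT_EXEMPT, SYSLOG))
```

An empty `acl_hits` list means no entry covers the flow; `nat_if_is_src_if` shows whether the interface named on the `nat ... 0` line is the one the logged packet arrived on.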
