07-31-2008 04:19 AM - edited 02-21-2020 03:52 PM
Hi,
I have two asa 5505 that are failing to communicate with each other.
When i try to communicate (http) with a host on the other network, the asa on that side replies:
No translation group found for tcp src outside:192.168.100.20/44710 dst inside:192.168.1.4/80
I guess the error is with the second asa but I'm not sure.
192.168.100.12 -> 192.168.100.1 -> 213.136.41.180 -> internet -> 79.136.112.50 -> 192.168.1.5
The first asa
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.180 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.180
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
tunnel-group 213.136.41.180 type ipsec-l2l
tunnel-group 213.136.41.180 ipsec-attributes
pre-shared-key *
*************************************************
the second asa
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.136.41.182 1
route outside 192.168.1.0 255.255.255.0 79.136.112.50 1
route outside 192.168.200.0 255.255.255.0 79.136.112.50 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 79.136.112.50
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
tunnel-group 79.136.112.50 type ipsec-l2l
tunnel-group 79.136.112.50 ipsec-attributes
pre-shared-key *
Solved! Go to Solution.
07-31-2008 05:18 AM
First ASA
no access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
Second ASA
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
07-31-2008 05:18 AM
First ASA
no access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
Second ASA
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide