Cisco Support Community

New Member

Site-to-Site VPN with PIX

I am a little bit confused about the way to configure a Site-to-Site VPN:

The local net 10.10.1.0/24 is connected to PIX-A and local net 172.16.1.0/24 is connected to PIX-B. PIX-A and PIX-B are connected via a VPN tunnel. There will be no NAT for traffic passing the tunnel (nat 0).

When I telnet from 10.10.1.12 to 172.16.1.123, the ISAKMP SA and IPSec SA get in place, but telnet does not work.

The PIX is logging <no translation group found for source: 10.10.1.12 destination 172.16.1.123>.

Therefore, I have configured <static (inside, outside) 172.16.0.0 172.16.0.0 netmask 255.255.0.0>. Now I am able to connect to 172.16.1.123.

This configuration is driving me mad. I thought there was no need for static NAT and access-lists with VPN tunnels.

Thanks in advance

Edgar

7 REPLIES
New Member

Re: Site-to-Site VPN with PIX

hope this link helps. and if you need additional help after reading through...please post again.

take care.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml#diag

New Member

Re: Site-to-Site VPN with PIX

Think I need help again:

There is only one line which differs from my configuration: I am using nat (inside) 0 0 0 instead of nat (inside) 0 access-list 100. But this should not be a problem anyway.

Nevertheless, my PIX-B is not able to forward traffic coming in through the vpn tunnel. It is missing a translation group (syslog message).

Entering a static nat for the remote private network gets the job done. But there is no static in your example.

Any idea?

Thanks

Edgar

New Member

Re: Site-to-Site VPN with PIX

is it possible to paste both A & B's configs in here. please x-out all of your sensitive information. this will help out a lot. specifically all the statics and the acls....but the entire config will do.

thanks.

New Member

Re: Site-to-Site VPN with PIX

sorry, make sure all the nat and global information is here as well.

thanks.

New Member

Re: Site-to-Site VPN with PIX

could be helpful before you paste.

% PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

Explanation: A packet does not match any of the outbound NAT rules.

Action: This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the access-list bound to the nat 0 access-list.

New Member

Re: Site-to-Site VPN with PIX

The way I do it is exclude the remote IP range from NAT translation, and remember you need to allow the traffic from your LAN to access the remote machines in your ACL applied to the internal interface.

Hope this helps

Richard
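As an added illustration (not part of any reply in this thread), this is what the NAT exemption Richard describes looks like on PIX-A in PIX 6.x syntax, with the original poster's `nat (inside) 0 0 0` shown next to the `nat 0 access-list` form from the Cisco example; the access-list names `nonat` and `vpn-b` are assumed, not taken from the thread:

```text
! PIX-A, inside network 10.10.1.0/24, remote network 172.16.1.0/24 behind PIX-B.
! Assumed names: nonat (NAT exemption ACL), vpn-b (crypto ACL).
!
! Original setting: identity NAT for every inside host. This only builds an
! xlate when the inside host starts the connection, so a session arriving
! through the tunnel from 172.16.1.x towards 10.10.1.x has no translation to
! match and the PIX logs PIX-3-305005 "No translation group found".
nat (inside) 0 0 0
!
! Corrected setting: NAT exemption keyed on an access-list. Traffic matching
! the ACL is exempt from NAT in both directions, so no identity static for the
! remote network is needed.
access-list nonat permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! The crypto ACL selects the same traffic for the tunnel; PIX-B carries the
! mirror image of this line.
access-list vpn-b permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
! Let decrypted IPsec traffic bypass the access-list on the outside interface.
sysopt connection permit-ipsec
!
! PIX-B gets the same two exemption lines with the networks swapped:
! access-list nonat permit ip 172.16.1.0 255.255.255.0 10.10.1.0 255.255.255.0
! nat (inside) 0 access-list nonat
```

If an access-list is applied to the inside interface, it must also permit 10.10.1.0/24 to 172.16.1.0/24, as Richard notes; otherwise the LAN hosts never reach the tunnel.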

New Member

Re: Site-to-Site VPN with PIX

Hi.

Using a GUI tool can help you eliminate some common misconfiguration problems.

If you have new pix devices (ver 6.2x+, PDM 2.xx), try with PDM.

Or you can use pixcript for all 6.x versions:

http://teachers.sivan.co.il/yizhar#pixcript

Yizhar
