Cisco Support Community
Community Member

Ping Internal LAN via IPSec Client VPN

This is my scenario.

Software Version 7.2(1)

I have enabled VPN in the outside Interface. The IPSec Client Pool is in the range 192.168.98.150-192.168.98.175.

  • Enabled "icmp any any" access in both Outside Interface and Inside Interface.
  • ICMP & ICMP Error inspection is enabled.
  • Nat-Control is disabled.

The Clients are unable to ping any IP in the "inside" LAN, but at the same time they are able to access the devices in the Local LAN using HTTP, HTTPS, SSH & TELNET.

CASE 1:

access-list NONAT extended permit ip any 192.168.98.0 255.255.255.0

nat (inside) 0 access-list NONAT

I get the following log "portmap translation creation failed for icmp src outside"

CASE 2:

If I add a static (outside,inside) 192.168.98.0 192.168.98.0 netmask 255.255.255.0

I am able to Ping and the Problem is resolved.

Could anyone please explain this behaviour to me?


  1. Why does ICMP alone need a NAT when TCP & UDP traffic works just fine?
  2. Why a portmap translation error? Why not dynamic identity NAT?

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: Ping Internal LAN via IPSec Client VPN

Hi,

So it was matching a "nat" configuration on the "outside" interface which had no matching "global" configuration for the destination interface (probably inside) that caused the problems and produced the "portmap" error.

Please do remember to mark a reply as the correct answer if it answered your question or rate helpful answers

- Jouni

3 REPLIES
Super Bronze

Re: Ping Internal LAN via IPSec Client VPN

Hi,

Can you share your output of

show run nat

and you could also take a "packet-tracer" output while the VPN Client connection is logged in and use the client's IP in the below command

packet-tracer input outside icmp 8 0

- Jouni

Community Member

Ping Internal LAN via IPSec Client VPN

Just figured there was an "icmp any any" in the nat(outside) 1 access-list INTACC.

I removed this entry along with the static NAT entry. Things just started pinging!!!!
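To illustrate Jouni's accepted explanation above, here is an added configuration sketch that is not from the thread: the policy-NAT rule on the outside interface that captured the clients' ICMP, beside the corrected arrangement. Only the VPN pool 192.168.98.0/24 and the ACL names INTACC and NONAT come from the posts; the interface names, the inside subnet 10.0.0.0/24 and the other INTACC entries are assumptions.

```cisco
! --- Broken (assumed reconstruction of the poster's original config) ---
! Policy NAT on outside: the "icmp any any" entry makes every ICMP packet
! arriving on outside, VPN client traffic included, match nat (outside) 1.
access-list INTACC extended permit icmp any any
access-list INTACC extended permit tcp any 10.0.0.0 255.255.255.0 eq www
nat (outside) 1 access-list INTACC
! There is no "global (inside) 1 ..." for the destination interface, so the
! ASA cannot build a translation toward inside and logs
! "portmap translation creation failed for icmp src outside".
! The clients' TCP/UDP sessions did not hit that entry, so they were
! handled by the exemption below and worked.

! --- Corrected ---
! Keep traffic between the inside LAN and the VPN pool out of any translation.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.98.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Drop the ICMP catch-all from the outside policy NAT so client ICMP is no
! longer matched by a rule that has no global on inside.
no access-list INTACC extended permit icmp any any
```

With the catch-all gone, "packet-tracer input outside icmp" for a pool address should show the NAT phase selecting the exemption instead of failing on the policy-NAT rule.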
