Cisco Support Community
New Member

PIX/ASA V7 without NAT - Are NAT 0 rules necessary for VPN traffic?

I have an ASA running OS 7.04, configured to allow traffic to pass through without NAT. I've used ASDM to set up some site-to-site VPN tunnels, and it has added NAT 0 rules to the configuration.

When I try and PING through the VPN tunnel, the ASA generates the following log messages:

"No translation group found for protocol 4 src outside:Y.Y.Y.Y dst inside:X.X.X.X"

I can fix this by adding a STATIC NAT for incoming VPN traffic, but I'm confused as to why I should be doing this, as I have allowed traffic through without NAT.

TIA for any help,

Chris Dixon, Voyager Networks, UK

2 REPLIES
New Member

Re: PIX/ASA V7 without NAT - Are NAT 0 rules necessary for VPN t

Hi Chris,

If I understand your setup correctly, you're already doing "nat 0" for everything. If this is the case, you should only need to use a separate access list to define the traffic that should be encrypted. ASDM will put a LOT of stuff in for you, some of which you may already be doing.

New Member

Re: PIX/ASA V7 without NAT - Are NAT 0 rules necessary for VPN t

Yes - I do not have the 'nat control' statement in the ASA config, but ASDM puts NAT 0 in for the VPN tunnels regardless, which I think are causing these error messages:

"No translation group found for protocol 4 src outside:A.A.A.A dst inside:B.B.B.B". I can fix this by putting in static NATs that let the VPN traffic through.

However, when I remove the NAT 0's and the Statics, the tunnels fail!

I think I'll try creating a VPN tunnel on a different ASA manually (i.e. w/o ASDM) and see what happens.

Thanks,

-Chris
