Cisco Support Community

New Member

PIX VPN access-list translation

I have a PIX 6.3 that I am trying to establish a tunnel to a remote site.

I am getting the following error:

106011: Deny inbound (No xlate) tcp src inside: dst inside:

A couple of questions about the config pieces below:

Shouldn't there be a NAT 0 statement for the global 0 statements?

Shouldn't the route outside prevent the traffic from trying to re-enter the inside interface?

access-list translation2 permit ip host

route outside 1

access-list die permit ip

global (outside) 1 interface

global (inside) 3

global (B) 1

global (C) 1

global (ftp) 1

nat (outside) 0 access-list nonatoutside outside

nat (outside) 3 access-list p outside 0 0

nat (inside) 0 access-list NO_NAT

nat (inside) 1 0 0

nat (B) 1 0 0

static (inside,outside) access-list translation2 0 0

route inside 1

route inside 1

route inside 1

route inside 1

route outside 1

crypto map p 30 ipsec-isakmp

crypto map p 30 match address die

crypto map p 30 set peer

crypto map p 30 set transform-set 3dessha

isakmp enable outside

isakmp enable inside

Cisco Employee

Re: PIX VPN access-list translation

You really don't need a route outside statement for the remote internal network.

You just need a default route statement on the PIX.

Once the PIX has a default route, the route table on the PIX will forward to the next hop and get to the peer IP. The peer will do its job. If you are going to be specific on the routes, then add a route for the remote peer.
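As an added illustration, not from the thread or from Cisco, here is a small Python longest-prefix-match lookup over a constructed route table shaped like the one in the post (several route inside entries plus one default route outside). It shows that both the remote peer and the remote LAN fall to the default route and exit outside, while an overly broad route inside would pull the remote LAN back to the inside interface, which is what the "dst inside:" in the 106011 message indicates. All prefixes and interface names are assumed values, not the poster's real addresses.

```python
import ipaddress

# Constructed route table shaped like the poster's config: several
# "route inside" entries and a single "route outside" default.
# Prefixes are assumptions, not the poster's real addresses.
ROUTES = [
    ("inside", "10.1.0.0/16"),
    ("inside", "10.2.0.0/16"),
    ("inside", "192.168.50.0/24"),
    ("outside", "0.0.0.0/0"),   # default route toward the VPN peer
]

def lookup(routes, dst):
    """Longest-prefix match: return (interface, prefix) chosen for dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for iface, prefix in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return (best[0], str(best[1])) if best else (None, None)

def egress_check(routes, src_iface, dst):
    """Classify a packet that arrived on src_iface bound for dst.

    If the route table sends dst back out the arrival interface, the PIX
    would have to hairpin it and, lacking a translation, logs a
    "Deny inbound (No xlate)" style message with src and dst on the same
    interface. Otherwise report the interface the packet leaves on.
    """
    iface, prefix = lookup(routes, dst)
    if iface is None:
        return "no-route"
    if iface == src_iface:
        return f"hairpin:{iface}:{prefix}"
    return f"forward:{iface}:{prefix}"

if __name__ == "__main__":
    # Remote LAN and peer (constructed) both resolve via the default route.
    print(egress_check(ROUTES, "inside", "172.16.5.9"))      # forward:outside:0.0.0.0/0
    print(egress_check(ROUTES, "inside", "203.0.113.10"))    # forward:outside:0.0.0.0/0
    # A broad "route inside" covering the remote LAN reproduces "dst inside".
    BAD = ROUTES + [("inside", "172.16.0.0/12")]
    print(egress_check(BAD, "inside", "172.16.5.9"))         # hairpin:inside:172.16.0.0/12
```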