Vpn Asa Remote Access No Traffic

MarcoM
Level 1

Hi all,

I configured a VPN Remote Access on an ASA5510.

When the client connects, it receives an IP address from the pool (192.168.55.X) but does not generate traffic.

If I type ipconfig on the PC I have only the IP and mask but no gateway is assigned. Is this normal?

If I ping from the PC to any host on the LAN 192.168.0.X, in the logs I have:

"3    Jul 14 2012    16:15:50    305005    192.168.0.10    No translation group found for icmp src FASTWEB:192.168.55.1 dst LAN:192.168.0.10 (type 8, code 0)"

NAT could be the problem, but I do not understand how to do it.

This is my piece of config:

access-list test_splitTunnelAcl standard permit Net_R_Dmz 255.255.255.224

access-list test_splitTunnelAcl standard permit Net_R_Server 255.255.255.0

access-list test_splitTunnelAcl standard permit Net_R_Client 255.255.255.0

access-list test_splitTunnelAcl standard permit Net_V_VoIP 255.255.255.0

access-list test_splitTunnelAcl standard permit Net_V_Lan 255.255.255.0

access-list test_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R 255.255.255.0

access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 object-group Network_V

access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R_Client 255.255.255.0

access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R_Server 255.255.255.0

access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R_Dmz 255.255.255.224

access-list Lan_nat0_outbound extended permit ip Net_VpnClient 255.255.255.0 any

access-list Fastweb_access_in extended permit ip Net_R_Client 255.255.255.0 any

access-list Fastweb_access_in extended permit ip Net_R_Server 255.255.255.0 any

access-list Fastweb_access_in extended permit ip Net_R 255.255.255.0 any

access-list Fastweb_access_in extended permit ip Net_VpnClient 255.255.255.240 any

access-list Lan_access_in extended permit ip 192.168.0.0 255.255.255.0 any

ip local pool Vpn_Pool 192.168.55.1-192.168.55.10 mask 255.255.255.240

global (FASTWEB) 1 interface

nat (LAN) 0 access-list Lan_nat0_outbound

nat (LAN) 1 192.168.0.0 255.255.255.0

access-group Fastweb_access_in in interface FASTWEB

access-group Lan_access_in in interface LAN

route FASTWEB 0.0.0.0 0.0.0.0 93.x.x.x 1

group-policy R10M internal

group-policy R10M attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value  test_splitTunnelAcl

tunnel-group R10M type remote-access

tunnel-group R10M general-attributes

address-pool Vpn_Pool

default-group-policy R10M

tunnel-group R10M ipsec-attributes

pre-shared-key *

Thanks.

M.

Mohammad Alhyari
Cisco Employee

Hi Marco,

thanks for posting this here:

"3    Jul 14 2012    16:15:50    305005    192.168.0.10    No translation group found for icmp src FASTWEB:192.168.55.1 dst LAN:192.168.0.10 (type 8, code 0)"

You should not see this message here. Can you attach a full show run from the ASA, and also the following:

packet-tracer input icmp   8 8

Thanks.

Mohammad.

Hi Alhari,

thanks for the reply.

I have attached 'sh run' and 'packet-tracer'.

Thanks.

M.

Hi Mate,

looking at your packet tracer:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN) 1 192.168.0.0 255.255.255.0

  match ip LAN 192.168.0.0 255.255.255.0 FASTWEB any

    dynamic translation to pool 1 (93.x.x.x.x [Interface PAT])

    translate_hits = 266962, untranslate_hits = 18829

Additional Information:

Dynamic translate 192.168.0.10/0 to 93.x.x.x.x/18393 using netmask 255.255.255.255

This should be hitting the NAT exemption rule.

From the config:

name 192.168.55.0 Net_VpnClient

but you did the packet tracer to 192.168.50.1:

packet-tracer input LAN icmp 192.168.0.10 8 8 192.168.50.1

Am I missing you here?

Cheers.

Mohammad.

Sorry,

my mistake in the packet-tracer command.

The new command is attached.

Hi Marco,

see this:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN) 1 192.168.0.0 255.255.255.0

  match ip LAN 192.168.0.0 255.255.255.0 FASTWEB any

    dynamic translation to pool 1 (93.x.x.x.x [Interface PAT])

    translate_hits = 267145, untranslate_hits = 18832

Additional Information:

Dynamic translate 192.168.0.10/0 to 93.x.x.x.x/18070 using netmask 255.255.255.255

It is not hitting the exemption rule.

Please add this to your nat 0 access-list:

access-list Lan_nat0_outbound line 1 extended permit ip any 192.168.55.0 255.255.255.0

and let me know how it goes.

Good luck.

Mohammad.
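
The check behind the fix above, as an added example (not part of the original posts and not Cisco tooling): it reads pre-8.3 style configuration lines like the ones posted in this thread and reports every `ip local pool` that no `nat 0` access-list entry exempts for traffic going from the inside network to the pool. The function names and the `inside_net` parameter are hypothetical, object-groups are not expanded, and the sample config is constructed from a subset of the posted lines.

```python
import ipaddress

def parse_addr(tok, names):
    """Consume one ACL address spec; return (network or None, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "object-group":          # groups are not expanded in this sketch
        return None, tok[2:]
    addr, mask = (tok[1], "255.255.255.255") if tok[0] == "host" else (tok[0], tok[1])
    try:
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False), tok[2:]
    except ValueError:                    # name alias not defined in the excerpt
        return None, tok[2:]

def uncovered_pools(config, inside_net):
    """Pools that no nat 0 ACL entry exempts for traffic from inside_net to the pool."""
    inside = ipaddress.ip_network(inside_net)
    names, pools, acls, exempt = {}, {}, {}, set()
    for line in config.splitlines():
        t = line.split()
        if len(t) > 3 and t[0] == "access-list" and t[2] == "line":
            t = t[:2] + t[4:]             # drop the optional "line N" position
        if t[:1] == ["name"]:
            names[t[2]] = t[1]
        elif t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = [ipaddress.ip_address(a) for a in t[4].split("-")]
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            exempt.add(t[4])
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = parse_addr(t[5:], names)
            dst, _ = parse_addr(rest, names)
            if src is not None and dst is not None:
                acls.setdefault(t[1], []).append((src, dst))
    def covered(first, last):             # source must include the LAN, destination the pool
        return any(inside.subnet_of(s) and first in d and last in d
                   for a in exempt for s, d in acls.get(a, []))
    return sorted(p for p, (first, last) in pools.items() if not covered(first, last))

# Constructed sample: a subset of the lines posted in the thread
BEFORE = """\
name 192.168.55.0 Net_VpnClient
ip local pool Vpn_Pool 192.168.55.1-192.168.55.10 mask 255.255.255.240
nat (LAN) 0 access-list Lan_nat0_outbound
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 object-group Network_V
access-list Lan_nat0_outbound extended permit ip Net_VpnClient 255.255.255.0 any
"""
AFTER = BEFORE + "access-list Lan_nat0_outbound line 1 extended permit ip any 192.168.55.0 255.255.255.0\n"
print(uncovered_pools(BEFORE, "192.168.0.0/24"), uncovered_pools(AFTER, "192.168.0.0/24"))
```

The posted entry with `Net_VpnClient` as the source does not count, because exemption on the LAN interface is evaluated for LAN-sourced traffic whose destination is the pool.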

Thanks Mohammad, now it works, I can ping 192.168.0.x.

P.S. Is it normal that when I connect it takes the address (192.168.55.x) but no gateway?

Thanks.

Hi Marco,

Ya, that's normal.

Please rate helpful posts.

Thanks.
