07-14-2012 07:45 AM - edited 02-21-2020 06:11 PM
Hi all,
I configured a remote-access VPN on an ASA5510.
When a client connects, it receives an IP address from the pool (192.168.55.X) but does not generate traffic.
If I type ipconfig on the PC, I have only an IP and mask but no gateway is assigned. Is this normal?
If I ping any host on the LAN 192.168.0.X from the PC, in the logs I have:
"3 Jul 14 2012 16:15:50 305005 192.168.0.10 No translation group found for icmp src FASTWEB:192.168.55.1 dst LAN:192.168.0.10 (type 8, code 0)"
NAT could be the problem, but I do not understand how to do it.
This is my piece of config:
access-list test_splitTunnelAcl standard permit Net_R_Dmz 255.255.255.224
access-list test_splitTunnelAcl standard permit Net_R_Server 255.255.255.0
access-list test_splitTunnelAcl standard permit Net_R_Client 255.255.255.0
access-list test_splitTunnelAcl standard permit Net_V_VoIP 255.255.255.0
access-list test_splitTunnelAcl standard permit Net_V_Lan 255.255.255.0
access-list test_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R 255.255.255.0
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 object-group Network_V
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R_Client 255.255.255.0
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R_Server 255.255.255.0
access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R_Dmz 255.255.255.224
access-list Lan_nat0_outbound extended permit ip Net_VpnClient 255.255.255.0 any
access-list Fastweb_access_in extended permit ip Net_R_Client 255.255.255.0 any
access-list Fastweb_access_in extended permit ip Net_R_Server 255.255.255.0 any
access-list Fastweb_access_in extended permit ip Net_R 255.255.255.0 any
access-list Fastweb_access_in extended permit ip Net_VpnClient 255.255.255.240 any
access-list Lan_access_in extended permit ip 192.168.0.0 255.255.255.0 any
ip local pool Vpn_Pool 192.168.55.1-192.168.55.10 mask 255.255.255.240
global (FASTWEB) 1 interface
nat (LAN) 0 access-list Lan_nat0_outbound
nat (LAN) 1 192.168.0.0 255.255.255.0
access-group Fastweb_access_in in interface FASTWEB
access-group Lan_access_in in interface LAN
route FASTWEB 0.0.0.0 0.0.0.0 93.x.x.x 1
group-policy R10M internal
group-policy R10M attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
tunnel-group R10M type remote-access
tunnel-group R10M general-attributes
address-pool Vpn_Pool
default-group-policy R10M
tunnel-group R10M ipsec-attributes
pre-shared-key *
Thanks.
M.
07-14-2012 09:34 AM
Hi Marco,
Thanks for posting this here:
"3 Jul 14 2012 16:15:50 305005 192.168.0.10 No translation group found for icmp src FASTWEB:192.168.55.1 dst LAN:192.168.0.10 (type 8, code 0)"
You should not see this message here. Can you attach a full show run from the ASA, and also the following:
packet-tracer input
Thanks.
Mohammad.
07-14-2012 09:46 AM
07-14-2012 10:21 AM
Hi mate,
Looking at your packet tracer:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN) 1 192.168.0.0 255.255.255.0
match ip LAN 192.168.0.0 255.255.255.0 FASTWEB any
dynamic translation to pool 1 (93.x.x.x.x [Interface PAT])
translate_hits = 266962, untranslate_hits = 18829
Additional Information:
Dynamic translate 192.168.0.10/0 to 93.x.x.x.x/18393 using netmask 255.255.255.255
This should be hitting the NAT exemption rule.
From the config:
name 192.168.55.0 Net_VpnClient
But you did the packet tracer to 192.168.50.1:
packet-tracer input LAN icmp 192.168.0.10 8 8 192.168.50.1
Am I missing something here?
Cheers.
Mohammad.
07-14-2012 10:34 AM
07-14-2012 10:37 AM
Hi Marco,
See this:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN) 1 192.168.0.0 255.255.255.0
match ip LAN 192.168.0.0 255.255.255.0 FASTWEB any
dynamic translation to pool 1 (93.x.x.x.x [Interface PAT])
translate_hits = 267145, untranslate_hits = 18832
Additional Information:
Dynamic translate 192.168.0.10/0 to 93.x.x.x.x/18070 using netmask 255.255.255.255
It is not hitting the exemption rule.
Please add this to your nat 0 access-list:
access-list Lan_nat0_outbound line 1 extended permit ip any 192.168.55.0 255.255.255.0
and let me know how it goes.
Good luck.
Mohammad.
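The fix above, as an added example that is not part of the original thread: a small Python model of how the `nat (LAN) 0` exemption ACL is matched for a LAN-to-VPN-pool flow, run against the posted entries and against the list with the suggested line added. It assumes the names the thread does not define (`Net_R`, `Network_V`) do not cover the VPN pool; the function names are hypothetical.

```python
import ipaddress

# Only this name is defined in the thread ("name 192.168.55.0 Net_VpnClient").
NAMES = {"Net_VpnClient": "192.168.55.0"}

def _net(tokens):
    """Consume one address spec ('any' or 'addr mask'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr = NAMES.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{addr}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse '... extended permit ip SRC DST' into (src_net, dst_net).
    Returns None for entries using a name or object-group not resolvable here."""
    tokens = line.split()
    spec = tokens[tokens.index("ip") + 1:]
    try:
        src, rest = _net(spec)
        dst, _ = _net(rest)
    except (ValueError, IndexError):
        return None
    return src, dst

def nat_decision(acl_lines, src, dst):
    """'exempt' if a nat 0 ACE matches the flow, otherwise 'dynamic-pat'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        ace = parse_ace(line)
        if ace and s in ace[0] and d in ace[1]:
            return "exempt"
    # Falls through to 'nat (LAN) 1' + 'global (FASTWEB) 1 interface'.
    return "dynamic-pat"

# Entries copied from the posted config (subset).
BEFORE = [
    "access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 Net_R 255.255.255.0",
    "access-list Lan_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 object-group Network_V",
    # Source and destination are reversed for traffic leaving the LAN interface:
    "access-list Lan_nat0_outbound extended permit ip Net_VpnClient 255.255.255.0 any",
]
# The line suggested in the answer, placed first.
AFTER = ["access-list Lan_nat0_outbound line 1 extended permit ip any 192.168.55.0 255.255.255.0"] + BEFORE

if __name__ == "__main__":
    for label, acl in (("before", BEFORE), ("after", AFTER)):
        print(label, nat_decision(acl, "192.168.0.10", "192.168.55.1"))
```

The "before" result corresponds to the packet-tracer output in the thread, where 192.168.0.10 is dynamically translated to the FASTWEB interface address instead of being exempted.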
07-14-2012 11:03 AM
Thanks Mohammad, now it works, I can ping 192.168.0.x. P.S. Is it normal that when I connect it takes the address (192.168.55.x) but no gateway? Thanks.
07-14-2012 11:57 AM
Hi Marco,
Ya, that's normal.
Please rate helpful posts.
Thanks.