Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN issue single IP

HI,

we have a site to site VPN with branch office and head office in that we are able to access all nodes in the head office except 2 or 3 IP's

these 2 or 3 IP's are already static nated for outside web access on the same PIX firewall

the VPN config as follows

NO nat - access-list 110 extended permit ip 10.210.0.0 255.255.0.0 192.168.148.0 255.255.255.252

Encryption domain : access-list VPN-Office extended permit ip 10.210.0.0 255.255.0.0 192.168.148.0 255.255.255.252

static (DMZ,outside) tcp XX.XX.2.15 5050 10.210.12.25 5050 netmask 255.255.255.255

access-list NAT-Cluster extended permit tcp any host XX.XX.2.15 eq 5050

access-group NAT-Cluster in interface outside

global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list 110
nat (DMZ) 1 access-list DMZtoInternet

we enable sysopt connection permit IPsec

but when try ping from 192.168.148.0 255.255.255.252 subnet to all ip's on the 10.210.0.0/16 we are getting successfull ping reply but not for the  10.210.12.25

when i check the log it says

%PIX-3-305005: No translation group found for icmp src outside:192.168.150.231 dst DMZ:10.210.12.25 (type 8, code 0)

kindly let me know why this issue

thanks

Vinu

2 REPLIES

Re: VPN issue single IP

but when try ping from 192.168.148.0 255.255.255.252 subnet to all ip's on the 10.210.0.0/16 we are getting successfull ping reply but not for the  10.210.12.25


when i check the log it says

%PIX-3-305005: No translation group found for icmp src outside:192.168.150.231 dst DMZ:10.210.12.25 (type 8, code 0)

Are you sure you are pinging from 192.168.148.0 network? the firewall message is saying you are pinging from 192.168.150.x for which there is no reference in your nonat acl rule. One would expect to see in your nonat exempt rule in addition to what you already have for 192.168.148.0/30 soomething as:

access-list 110 extended permit ip 10.210.0.0 255.255.0.0 192.168.150.X


Check that ,if no joy could you post a brief topology description  of what networks from the other side of the tunnel is to have access your DZM network.


Regards

Bronze

Re: VPN issue single IP

I agree about making sure your source IP falls within the encryption domain and nonat acl. Looking over your config, if your source IP comes from 192.168.148.0/30 there's no reason it shouldn't work. You may want to make sure there isn't some sort of policy NAT or PAT configured to use 192.168.150.231 on the other end when sending traffic to 10.210.12.25. Check out the no-nat ACL's on the other end as well.

Good luck!

James

490
Views
0
Helpful
2
Replies
CreatePlease to create content