07-20-2010 01:28 PM - edited 03-11-2019 11:13 AM
Getting "No translation group found for icmp src outside: x.x.x.x dst inside: x.x.x.x (type 8, code0)".
Research showed there needs to be a NAT exempt rule, tried setting up one of those, does not resolve. Need assistance, as we are novice Cisco users.
THANK YOU!
07-20-2010 01:41 PM
Hello,
ICMP type 8 code 0 corresponds to Echo Reply. Are you getting these through
VPN tunnels? Or is it a regular reply for Echo requests from inside hosts?
You could try "icmp permit any echo-reply outside" and see if that fixes the
issue.
Hope this helps.
Regards,
NT
07-20-2010 01:45 PM
The message is in regards to a terminal ping coming from the other side of the new VPN. We have an "outside" icmp any to any permit policy, using the ASDM by the way.
We're confused as the message seems to indicate that there is no nat for the other side of the new VPN to the internal LAN on our side.
07-20-2010 01:57 PM
Hello,
Can you please make sure that the following are there on both ends:
On local firewall:
Access-list nonat permit ip <local subnet> <mask> <remote subnet> <mask>
Nat (inside) 0 access-list nonat
For example: If your local subnet is 10.1.1.0/24 and remote subnet is
192.168.1.0/24, then,
On local firewall:
Access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Nat (inside) 0 access-list nonat
On the remote firewall:
Access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
Nat (inside) 0 access-list nonat
Hope this helps.
Regards,
NT
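An added example, not part of the original posts: a small Python check that both ends of a tunnel really have the mirrored NAT exemption described in the answer above, including the case where the access-list exists but was never bound with "nat (inside) 0". The sample configs are constructed from the answer's example subnets, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample configs built from the subnets in the answer above.
LOCAL_CFG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
# Constructed failure case: the ACL exists but is never bound with "nat (inside) 0".
REMOTE_CFG_UNBOUND = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

ACL_RE = re.compile(r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip"
                    r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)
NAT0_RE = re.compile(r"nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$", re.I)

def exempt_pairs(config, interface="inside"):
    """Return the (source, destination) networks exempted from NAT on interface."""
    acls, bound = {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            try:
                pair = (ipaddress.ip_network(f"{src}/{smask}"),
                        ipaddress.ip_network(f"{dst}/{dmask}"))
            except ValueError:
                continue  # host/any/object-group forms are out of scope here
            acls.setdefault(name, set()).add(pair)
        elif (m := NAT0_RE.match(line)) and m.group(1).lower() == interface:
            bound.add(m.group(2))
    # Only ACLs actually referenced by a "nat (<if>) 0" line take effect.
    return set().union(*(acls.get(name, set()) for name in bound))

def check_tunnel(local_cfg, remote_cfg):
    """Return a list of NAT-exemption problems for one site-to-site tunnel."""
    local, remote = exempt_pairs(local_cfg), exempt_pairs(remote_cfg)
    problems = [f"{side}: no access-list bound with nat (inside) 0"
                for side, pairs in (("local", local), ("remote", remote)) if not pairs]
    # Each end must exempt the reverse of what the other end exempts.
    for src, dst in sorted(local - {(d, s) for s, d in remote}):
        problems.append(f"remote: no exemption for {dst} -> {src}")
    for src, dst in sorted(remote - {(d, s) for s, d in local}):
        problems.append(f"local: no exemption for {dst} -> {src}")
    return problems

if __name__ == "__main__":
    for p in check_tunnel(LOCAL_CFG, REMOTE_CFG_UNBOUND):
        print(p)
```

Feed it the relevant lines of "show running-config" from each firewall; an empty result means the two exemptions mirror each other.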
07-20-2010 02:09 PM
MAN! You Rock! Thanks! What's odd is we saw that solution in another post and tried setting that up from the ASDM, but it wouldn't work; put it in the CLI, and voilà! Sweet! Appreciate that.
08-04-2010 08:34 AM
We are having another issue with this; are you available to assist? Another site-to-site VPN is down, getting the same error in logs.