ASA Client VPN no translation group problem

mikedelafield · ‎02-25-2009

I have a client VPN setup on ASA 5520 code 8.0, which connects okay and I am able to ping VPN devices from my local LAN.

However I cannot ping the local LAN from the VPN devices themselves. The ASA reports that No translation group can be found in the direction of VPN subnet on outside to LAN subnet on inside.

But what I don't understand is I have configured a NAT exemption group in both directions.

Packet tracer suggests it is matching my exemption rule from outside to inside but then moving on to regular NAT and trying to translate using the outbound PAT pool as well!!

My setup is as follows;

outside

VPN subnet 172.20.0.0 / 29

inside

LAN 10.101.1.0 / 24

The VPN is on the outside and NAT exempt exists for VPN subnet to LAN subnet on outside interface and LAN subnet to VPN subnet on inside interface.

Like I say the ping works fine from LAN to VPN!

Help!

acomiskey · ‎02-25-2009

Mike, you don't need 2 nat exempt statements. You only need one as it applies in both directions.

access-list nat0 extended permit ip 10.101.1.0 255.255.255.0 172.20.0.0 255.255.255.248

nat (inside) 0 access-list nat0

mikedelafield · ‎02-26-2009

Thanks for your help. It worked ok.

Just a general question tho on thisl

In the case of 2 interfaces of equal security level (say inside1 and inside2) on which interface should the NAT exempt statement be?

And which way round should it be inbound or outbound? I still don't fully understand the inbound outbound part within ASDM.

Thanks again.