06-10-2009 07:21 PM - edited 02-21-2020 03:30 AM
We currently have a site-to-site VPN set up over a private line between our two datacenters. Hosts at site A can talk to hosts at site B, and hosts at site B can talk to hosts at site A.
I recently set up a remote access VPN at site A. VPN clients can access all of the resources behind the ASA at site A without an issue. However, strange things happen when they try to contact site B.
I've set up matching NAT exemptions on each side of the connection. The remote site is not reporting any anomalies. When attempting to connect to a remote VPN client from site B, the only errors that show up are on the ASA at site A. When a remote client tries to connect to a host at site B, the following errors show up in the log:
%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22
I have the following NAT exemption set up at site A:
access-list nonat; 3 elements
access-list nonat line 1 extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt=0)
access-list nonat line 2 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0 (hitcnt=0)
access-list nonat line 3 extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0)
I've been working on this for a few days now, and am hesitant to open up a TAC ticket. I've seen a few similar issues on the forums, but have found none with a working solution. I attempted to follow the tech notes on the Cisco Web site for a similar configuration, but had no luck.
By the way, I have enabled same-security-traffic on both intra-interface and inter-interface.
Any help would be much appreciated.
06-11-2009 08:32 AM
ASA HUB, is this your topology? If so, try the suggestions below.
Inside Net 10.1.1.0/16
ds3 net 172.16.0.0/28 - far end net through L2L Tunnel 10.0.0.0/16
VPN RA Net 10.3.0.0/24
For RA to gain access to far end hosts of L2L tunnel you will need nonat exempt rule applied to ds3 interface.
based on log
%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22
Try this
no access-list test extended permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list test extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.255.0
nat (ds3) 0 access-list test
On the far end of the tunnel (Spoke) you have to permit the RA network coming from the ASA HUB in the interesting traffic.
Let us know how it works out
Regards
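To see why the exemption had to be bound to the ds3 interface, here is a small model of pre-8.3 ASA NAT-exemption matching run against the logged flow. This is an added example, not configuration or code from the thread; it assumes the original "nonat" list was bound with nat (inside) 0, and it models exemption ACLs as bidirectional on the interface they are bound to.

```python
"""Simplified model of ASA 'nat (if) 0 access-list' (NAT exemption) matching.
Assumptions (not from the thread): the original nonat ACL is bound to 'inside',
and an exemption ACL is checked forward for flows entering its interface and
reversed for flows leaving it, since NAT exemption is bidirectional."""
import ipaddress
import re

LOG_RE = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)")

def parse_305005(line):
    """Extract ingress/egress interface and endpoint addresses from a 305005 message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a %ASA-3-305005 message")
    return {"src_if": m["sif"], "src": ipaddress.ip_address(m["sip"]),
            "dst_if": m["dif"], "dst": ipaddress.ip_address(m["dip"])}

def ace(src_cidr, dst_cidr):
    """One 'permit ip <src> <dst>' entry of a NAT-exemption ACL."""
    return (ipaddress.ip_network(src_cidr), ipaddress.ip_network(dst_cidr))

def exempting_rule(flow, exemptions):
    """exemptions: {interface: [(src_net, dst_net), ...]}.
    Returns (interface, ace_index) of the first matching exemption, or None
    (None is the case in which the ASA logs %ASA-3-305005)."""
    for iface, aces in exemptions.items():
        for idx, (src_net, dst_net) in enumerate(aces):
            if flow["src_if"] == iface and flow["src"] in src_net and flow["dst"] in dst_net:
                return (iface, idx)          # flow enters this interface: forward match
            if flow["dst_if"] == iface and flow["dst"] in src_net and flow["src"] in dst_net:
                return (iface, idx)          # flow leaves this interface: reverse match
    return None

# The log line quoted in the thread.
LOG = "%ASA-3-305005: No translation group found for tcp src outside:10.3.0.1/60851 dst ds3:10.0.1.42/22"

# The poster's three nonat lines, assumed bound with 'nat (inside) 0 access-list nonat'.
BEFORE = {"inside": [ace("10.1.0.0/16", "10.0.0.0/16"),
                     ace("10.1.0.0/16", "10.3.0.0/24"),
                     ace("10.3.0.0/24", "10.0.0.0/16")]}
# Same, plus the suggested 'nat (ds3) 0 access-list test'.
AFTER = dict(BEFORE, ds3=[ace("10.0.0.0/16", "10.3.0.0/24")])

if __name__ == "__main__":
    flow = parse_305005(LOG)
    print("before fix:", exempting_rule(flow, BEFORE))  # None
    print("after fix: ", exempting_rule(flow, AFTER))   # ('ds3', 0)
```

The third nonat line never matches because the RA pool is not on the inside interface, which is also why its hit count stays at zero.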
06-10-2009 08:39 PM
Matthew, follow the example links within the post below. Look carefully at your RA VPN pool network and where you apply your NAT exempt rules; usually they would be applied not only on (inside) but on (outside) as well. The thread below should get you on the right track. If you still have issues, then provide us with a sanitized config for the hub ASA where the RA VPN and L2L terminate.
06-11-2009 06:01 AM
06-11-2009 09:42 AM
That did it! Thanks a lot.
06-11-2009 10:36 AM
Glad it is resolved, and thanks for the rating. It was a pleasure to assist someone over in Berklee; I used to have lots of friends at Berklee College of Music. I graduated from Boston Conservatory of Music years ago, which is down the road from you.
regards