Hi,

I get the following error message when I try to connect over a site-to-site VPN:

No translation group found for tcp src outside:10.10.10.2/1038 dst inside:192.168.1.22/80

How do I set up the asa so that all traffic coming from 10.10.10.2 gets properly translated and can travel the inside hosts on 192.168.1.0?

thanx

My config:

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.10.10.1 255.0.0.0

!

interface Vlan3

nameif dmz

security-level 50

ip address 192.168.200.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name *

access-list http_access_in extended permit tcp any any eq www

access-list dmz_access_in extended permit icmp 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list dmz_access_in remark Specify what kind of trafic should be allowed to travle to the inside network

access-list dmz_access_in extended permit tcp host 192.168.200.2 192.168.1.0 255.255.255.0 eq www

access-list NO-NAT extended permit ip any 192.168.200.0 255.255.255.0

access-list ftp_access_in extended permit tcp any any eq ftp

access-list 8080_access_in remark Specify what kind of trafic should be allowed in. Don't forget the NAT

access-list 8080_access_in extended permit tcp any any eq www

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NO-NAT

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface ftp 192.168.200.2 ftp netmask 255.255.255.255

static (dmz,outside) tcp interface 8080 192.168.200.2 8080 netmask 255.255.255.255

static (dmz,outside) tcp interface www 192.168.200.2 www netmask 255.255.255.255

access-group 8080_access_in in interface outside

access-group dmz_access_in in interface dmz

route outside 192.168.100.0 255.255.255.0 10.10.10.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

crypto map abcmap 1 match address l2l_list

crypto map abcmap 1 set peer 10.10.10.2

crypto map abcmap 1 set transform-set FirstSet

crypto map abcmap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.20-192.168.1.99 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

tunnel-group 10.10.10.2 type ipsec-l2l

tunnel-group 10.10.10.2 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy