03-12-2008 09:32 AM - edited 02-21-2020 03:37 PM
Hi,
I wondered if anyone could help me. I have basically a site to site VPN (between a ASA 5505 and a Pix 501).
The tunnel is up and seems to be working but they can't access any resources on our side.
I'm getting the following error:
Syslog ID: 305005
Source IP: 172.x.x.x (Internal IP)
Error:
No translation group found for icmp src 10.20.x.x (their IP) dst inside 172.x.x.x (type 8, code 0)
Any ideas on how to fix this?
Thanks.
M.
03-12-2008 01:17 PM
Can you post a copy of your nat, global and static statements and also if any of these reference acl's, then please post those too.
03-13-2008 12:59 AM
Will my sh run do?
: Saved
:
ASA Version 7.2(2)
!
hostname ASA
domain-name bah.co.uk
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.5.254 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 82.x.x.x 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name bah.co.uk
access-list outside_20_cryptomap extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.16.0.0 255.255.0.0 inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 82.x.x.x
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username Admin password T7lnvpxyyj6WAzfD encrypted privilege 15
http server enable
http 172.16.0.0 255.255.0.0 inside
snmp-server location Mars
snmp-server contact Mr Spoon
snmp-server community Bah
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 62.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 62.x.x.x type ipsec-l2l
tunnel-group 62.x.x.x ipsec-attributes
pre-shared-key *
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
Any ideas?
M.
03-13-2008 07:11 AM
Your nat exemption should be...
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
Also get rid of...
no nat (outside) 0 access-list outside_nat0_outbound
no access-list outside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
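As an added illustration (not from this thread and not Cisco code), the Python below models the part of ASA 7.x NAT lookup that the accepted answer turns on: a "nat 0 access-list" is matched forward on the interface it is configured on and in reverse (source and destination swapped) when traffic enters from the other side, and with nat-control on, a flow that matches nothing gets "no translation group" (the 305005 message in the first post). It parses the thread's own NAT lines, once as posted and once as corrected, and evaluates the inbound VPN flow and the inside-to-remote flow against each. Static, policy and identity NAT are not modelled, and the host addresses used for the flows are constructed.

```python
import ipaddress
import re

# Simplified model of ASA 7.x NAT exemption and dynamic NAT/PAT lookup,
# written for this thread; it is not ASA code and ignores static/policy NAT.

def parse_nat_config(text):
    """Collect access-list, nat, global and nat-control lines from a running-config."""
    cfg = {"acls": {}, "nat0": {}, "dynamic": [], "globals": {}, "nat_control": False}
    acl_re = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
    nat0_re = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
    nat_re = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
    glob_re = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
    for raw in text.splitlines():
        line = raw.strip()
        if line == "nat-control":
            cfg["nat_control"] = True
        elif m := acl_re.match(line):
            name, s, sm, d, dm = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}", strict=False),
                 ipaddress.ip_network(f"{d}/{dm}", strict=False)))
        elif m := nat0_re.match(line):          # must be tried before nat_re
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := nat_re.match(line):
            iface, nat_id, net, mask = m.groups()
            cfg["dynamic"].append((iface, int(nat_id),
                                   ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif m := glob_re.match(line):
            cfg["globals"][(m.group(1), int(m.group(2)))] = m.group(3)
    return cfg

def _acl_match(cfg, acl_name, src, dst):
    return any(src in s and dst in d for s, d in cfg["acls"].get(acl_name, []))

def lookup_translation(cfg, in_iface, out_iface, src, dst):
    """Classify a new connection entering in_iface and leaving via out_iface.

    'exempt'               matched a nat 0 ACL forward or in reverse, no translation
    'dynamic'              matched a nat/global pair, will be translated (PAT here)
    'untranslated'         nothing matched, but nat-control is off so it passes
    'no-translation-group' nothing matched and nat-control is on (syslog 305005)
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Forward check: exemption configured on the ingress interface.
    acl = cfg["nat0"].get(in_iface)
    if acl and _acl_match(cfg, acl, src, dst):
        return "exempt"
    # Reverse check: exemption on the egress interface, matched with src/dst
    # swapped (what packet-tracer counts as untranslate_hits).
    acl = cfg["nat0"].get(out_iface)
    if acl and _acl_match(cfg, acl, dst, src):
        return "exempt"
    # Dynamic NAT/PAT: nat on the ingress interface plus a global with the
    # same id on the egress interface.
    for iface, nat_id, net in cfg["dynamic"]:
        if iface == in_iface and src in net and (out_iface, nat_id) in cfg["globals"]:
            return "dynamic"
    return "no-translation-group" if cfg["nat_control"] else "untranslated"

# The thread's NAT lines as originally posted (line wrapping removed).
BROKEN = """
access-list outside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat-control
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
nat (outside) 0 access-list outside_nat0_outbound
"""

# The same lines after applying the accepted answer.
FIXED = """
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat-control
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
"""

def compare():
    """Evaluate the two flows from the thread against both configs (hosts are constructed)."""
    results = {}
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        cfg = parse_nat_config(text)
        # Remote VPN host reaching an inside host: the flow that logged 305005.
        inbound = lookup_translation(cfg, "outside", "inside", "10.20.15.73", "172.16.4.60")
        # Inside host reaching the remote VPN network.
        outbound = lookup_translation(cfg, "inside", "outside", "172.16.4.60", "10.20.15.73")
        results[label] = (inbound, outbound)
    return results

if __name__ == "__main__":
    for label, (inbound, outbound) in compare().items():
        print(f"{label}: outside->inside {inbound}, inside->outside {outbound}")
```

With the posted lines the inbound flow finds no translation group and the outbound flow would be PATed to the outside address, which also stops it matching the crypto ACL; with the exemption moved to the inside interface both directions come back as exempt.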
03-13-2008 08:32 AM
Thanks for that. It certainly helped. The only problem I have now is that they cannot access any resources.
When I traced the packet it said that it was not allowed due to ipsec spoof.
Any ideas?
M.
03-13-2008 04:34 PM
Can you post the packet-trace output?
Thanks
03-14-2008 12:57 AM
This is a link to the screenshot.
I've been doing it via the GUI:
http://img150.imageshack.us/img150/3891/spoofsgz7.jpg
As you can see everything seems to be okay except for the end result.
M.
03-14-2008 01:34 AM
Actually for some reason something I've changed now allows ICMP to function however I still can't SSH - log below:
ASA# packet-tracer input outside tcp 10.20.15.73 ssh 172.16.4.60 ssh
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.0.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 10.20.15.73 host 172.16.4.60
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
match ip inside 172.16.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (82.x.x.x [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 0 access-list outside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
match ip inside 172.16.0.0 255.255.0.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
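Added here as an example (not from the thread and not a Cisco tool): a small parser for the packet-tracer text above that splits the output into phases, picks out the first phase whose Result is DROP, and reads the final Action and Drop-reason lines, so a long trace can be reduced to "which phase dropped it and why". The sample input is a constructed, trimmed copy of the output posted above (three of its ten phases plus the summary block).

```python
# Parser for the plain-text output of the ASA "packet-tracer" command as it
# appears on 7.x/8.x. Written for this thread; assumes the line layout shown
# in the post above (Phase:/Type:/Subtype:/Result: headers, a Config: and an
# Additional Information: section per phase, then a bare "Result:" summary).

SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): a list of phase dicts and the final summary dict."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("Phase: "):
            current = {"phase": int(line[len("Phase: "):]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":                  # bare header starts the summary block
            current, section = None, "summary"
        elif section == "summary":
            key, _, val = line.partition(": ")
            summary[key.lower()] = val
        elif current is None:
            continue
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            current[key.lower()] = val.strip()
        elif section:
            current[section].append(line)    # body lines of Config:/Additional Information:
    return phases, summary

def first_drop(phases):
    """The first phase whose Result is DROP, or None if every phase allowed the packet."""
    return next((p for p in phases if p["result"] == "DROP"), None)

def triage(text):
    """One-line view of a trace: phase count, verdict, drop reason and the dropping phase."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "phases": len(phases),
        "action": summary.get("action"),
        "drop_reason": summary.get("drop-reason"),
        "drop_phase": f'{drop["type"]}/{drop["subtype"]}' if drop else None,
        "nat_exempt_hit": any(p["type"] == "NAT-EXEMPT" and p["result"] == "ALLOW"
                              for p in phases),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the posted trace this reports that the NAT exemption phase passed and that the drop happened in the VPN/encrypt phase, which is the phase to read before touching NAT again.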
03-15-2008 01:32 AM
I also found out that if I changed the tunnel to do not protect then when I did the packet tracing it seemed to work (obviously also adding in an ACL to allow the packet as well).
I'll try this on Monday when I have access to both sites.
M.