Ping Internal LAN via IPSec Client VPN

Ramakrishnan R
Level 1

This is my scenario.

Software Version 7.2(1)

I have enabled VPN in the outside Interface. The IPSec Client Pool is in the range 192.168.98.150-192.168.98.175.

  • Enabled "icmp any any" access in both Outside Interface and Inside Interface.
  • ICMP & ICMP Error inspection is enabled.
  • Nat-Control is disabled.

The Clients are unable to ping any IP in the "inside" LAN, but at the same time they are able to access the devices in the Local LAN using HTTP, HTTPS, SSH & TELNET.

CASE 1:

access-list NONAT extended permit ip any 192.168.98.0 255.255.255.0

nat (inside) 0 access-list NONAT

I get the following log "portmap translation creation failed for icmp src outside"

CASE 2:

If I add a static (outside,inside) 192.168.98.0 192.168.98.0 netmask 255.255.255.0

I am able to Ping and the Problem is resolved.

Could anyone please explain this behaviour to me?


  1. Why does ICMP alone need a NAT when TCP & UDP traffic works just fine?
  2. Why a portmap translation error? Why not dynamic identity NAT?

1 Accepted Solution


Hi,

So it was matching a "nat" configuration on the "outside" interface which had no matching "global" configuration for the destination interface (probably inside), and that caused the problems and produced the "portmap" error.

Please do remember to mark a reply as the correct answer if it answered your question or rate helpful answers

- Jouni

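Added example (not code from the thread): a small Python model of the pre-8.3 ASA NAT lookup order on the ingress interface (nat 0 exemption, then static, then dynamic/policy NAT, which needs a matching "global" on the egress interface). It reproduces the three situations above: the ICMP flow matches nat (outside) 1 access-list INTACC and fails for lack of a global (inside) 1, TCP does not match INTACC and passes untranslated because nat-control is off, and the static (outside,inside) identity entry wins because statics are checked before policy NAT. The INTACC contents ("icmp any any" only), the global (outside) 1 pool and the client address 192.168.98.150 are assumptions constructed from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NatRule:
    kind: str                        # "exempt" (nat 0 acl), "static", or "policy" (nat id acl)
    ifc: str                         # real (ingress-side) interface the rule is bound to
    nat_id: int = 0
    protos: frozenset = frozenset()  # protocols the ACL matches; empty = any protocol
    src_net: str = "0.0.0.0/0"       # real source network the rule covers

@dataclass
class Asa:
    rules: list
    globals_: set                    # (mapped_interface, nat_id) pairs that have a "global" pool

    def _matches(self, rule, ingress, src, proto):
        return (rule.ifc == ingress
                and ip_address(src) in ip_network(rule.src_net)
                and (not rule.protos or proto in rule.protos))

    def translate(self, ingress, egress, src, proto):
        """Outcome for one flow; pre-8.3 order is exemption, static, then dynamic/policy NAT."""
        for kind in ("exempt", "static", "policy"):
            for rule in self.rules:
                if rule.kind != kind or not self._matches(rule, ingress, src, proto):
                    continue
                if kind in ("exempt", "static"):
                    return kind      # identity translation, packet forwarded as-is
                if (egress, rule.nat_id) in self.globals_:
                    return "dynamic"
                return f"FAIL: nat ({ingress}) {rule.nat_id} has no global ({egress}) {rule.nat_id}"
        return "untranslated"        # nothing matched; nat-control is off, so the flow passes as-is

# Rules constructed from the thread (INTACC contents and the global pool are assumptions)
NONAT = NatRule("exempt", "inside")                              # nat (inside) 0 access-list NONAT
INTACC = NatRule("policy", "outside", 1, frozenset({"icmp"}))    # nat (outside) 1 access-list INTACC
STATIC = NatRule("static", "outside", src_net="192.168.98.0/24")  # static (outside,inside) 192.168.98.0 ...
GLOBALS = {("outside", 1)}                                       # global (outside) 1 exists, no global (inside) 1
CLIENT = "192.168.98.150"                                        # an address from the VPN client pool

def case1(proto):   # original configuration
    return Asa([NONAT, INTACC], GLOBALS).translate("outside", "inside", CLIENT, proto)

def case2(proto):   # plus the static (outside,inside) identity entry
    return Asa([NONAT, STATIC, INTACC], GLOBALS).translate("outside", "inside", CLIENT, proto)

def fixed(proto):   # "icmp any any" removed from INTACC, static removed
    return Asa([NONAT], GLOBALS).translate("outside", "inside", CLIENT, proto)
```

Calling case1("icmp") returns the failure string naming the missing global (inside) 1, while case1("tcp"), fixed("icmp") and case2("icmp") return "untranslated", "untranslated" and "static" respectively.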

3 Replies

Jouni Forss
VIP Alumni

Hi,

Can you share your output of

show run nat

and you could also take a "packet-tracer" output while the VPN Client connection is logged in and use the client's IP in the below command

packet-tracer input outside icmp <vpn-client-ip> 8 0 <inside-host-ip>

- Jouni

Just figured there was an "icmp any any" in the nat (outside) 1 access-list INTACC.

I removed this entry along with the static NAT entry. Things just started pinging!!!!

