Problem with NAT on IPSEC Site-2-Site VPN

errrrnv85
Level 1

Hi guys,

I am wondering if someone can help me.

I seem to be having an issue with the NAT on the VPN for one of our third-party companies. The Site-2-Site VPN is established and the tunnel is also up, but they are not able to access the content.

I checked the logs and got the following message 

"%PIX-3-305005: No translation group found for icmp src inside:CCSSM01_NEW dst outside:194.xxx.xxx.xxx (type 8, code 0)

NAT Statement is as follows

static (outside,inside) CCSSM01_NEW 194.xxx.xxx.xxx netmask 255.255.255.255

When I check the NAT table, it shows as follows

match ip inside host CCSSM01_NEW outside host 194.xxx.xxx.xxx
static translation to 62.x.x.x
translate_hits = 451, untranslate_hits = 1669

I tried to configure the reverse NAT/outside NAT but that didn't help either.

Wondering if someone can advise me on this please.

Thanks

2 Replies

gaowen
Level 1

Your static NAT statement says 'anything coming from the inside with an IP of CCSSM01_NEW going to the outside interface will be translated to a source address of 194.xxx.xxx.xxx'. Is this what you want to happen?

What I want to achieve is that when CCSSM01_NEW goes out, it gets the public IP 62.x.x.x. And our third party should be able to get to CCSSM01_NEW from 194.x.x.x.

Apologies, I think I put the wrong NAT statement.

static (inside,outside) 62.x.x.x  access-list HIDE-SAPROUTER

access-list HIDE-SAPROUTER extended permit ip host CCSSM01_NEW 194.x.x.x 255.255.255.252

Additional config which might help.

access-list SAP-AG-VPN-ACL extended permit ip host 62.x.x.x 194.x.x.x 255.255.255.252

crypto map MAP1 40 match address SAP-AG-VPN-ACL
crypto map MAP1 40 set peer 194.x.x.x
crypto map MAP1 40 set transform-set TRANS2
crypto map MAP1 40 set security-association lifetime seconds 7200

Hope it helps.

Thanks