ā01-20-2016 06:48 AM - edited ā02-21-2020 08:38 PM
Hi guys,
I am wondering if someone can help me.
I am seems to be having an issue with the NAT on the VPN for one of our third party companies. Site-2Site VPN is established, tunnel is also up but they are not able to access the content.
I checked the logs and got the following message
"%PIX-3-305005: No translation group found for icmp src inside:CCSSM01_NEW dst outside:194.xxx.xxx.xxx (type 8, code 0)
NAT Statement is as follows
static (outside,inside) CCSSM01_NEW 194.xxx.xxx.xxx netmask 255.255.255.255
When i check the NAT table and shows as follows
match ip inside host CCSSM01_NEW outside host 194.xxx.xxx.xxx
static translation to 62.x.x.x
translate_hits = 451, untranslate_hits = 1669
I tried to configure the reverse NAT/outside NAT but that didnt help either.
Wondering if something can advise me on this please.
Thanks
ā01-20-2016 10:07 AM
your static NAT statement says 'anything coming from the inside with an IP of CCSSM01_NEW going to the outside interface will be translated to a source address of 194.xxx.xxx.xxx'. Is this what you want to happen?
ā01-20-2016 11:00 AM
What i want to achieve is when CCSSM01_NEW goes out it gets the public IP 62.x.x.x. And our third party should be able to get to CCSSM01_NEW from 194.x.x.x
Apologies i think i put the wrong NAT statement.
static (inside,outside) 62.x.x.x access-list HIDE-SAPROUTER
access-list HIDE-SAPROUTER extended permit ip host CCSSM01_NEW 194.x.x.x 255.255.255.252
Additional config which might help.
access-list SAP-AG-VPN-ACL extended permit ip host 62.x.x.x 194.x.x.x 255.255.255.252
crypto map MAP1 40 match address SAP-AG-VPN-ACL
crypto map MAP1 40 set peer 194.x.x.x
crypto map MAP1 40 set transform-set TRANS2
crypto map MAP1 40 set security-association lifetime seconds 7200
Hope it helps.
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide