
regular translation creation failed for icmp

Hi guys,

I have a site-to-site VPN and an IPsec VPN installed on an ASA 5505. The VPNs work OK except for a few strange things:

I can't ping from a remote IP: 305006 regular translation creation failed for icmp src OLD-Private: dst OLD-Private: (type 0, code 0)

At the same time I am able to ping from my network and can ping from the ASA.

No firewall at

How to fix it?

Here is my config:

ASA Version 8.2(2)

hostname ASA5505
domain-name domain
enable password password  encrypted
passwd password  encrypted
interface Vlan1
description INTERNET
mac-address 0000.0000.0001
nameif WAN
security-level 0
ip address a.a.a.a standby a1.a1.a1.a1
ospf cost 10
interface Vlan2
description OLD-PRIVATE
mac-address 0000.0000.0102
nameif OLD-Private
security-level 100
ip address standby
ospf cost 10
interface Vlan6
description MANAGEMENT
mac-address 0000.0000.0106
nameif Management
security-level 100
ip address standby
ospf cost 10
interface Vlan100
description LAN Failover Interface
interface Ethernet0/0
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 100
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
interface Ethernet0/7
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
name-server dns.dns.dns.dns
domain-name domain
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
access-list LAN_nat0_outbound extended permit ip
access-list LAN_IP standard permit
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip any log debugging
access-list 101 extended permit tcp host any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip
access-list WAN_1_cryptomap extended permit ip
access-list WAN_cryptomap_2 extended permit ip
access-list capin extended permit ip host host
access-list capin extended permit ip host host
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip
access-list WAN_nat0_outbound extended permit ip any
access-list WAN_nat0_outbound extended permit ip
access-list WAN_nat0_outbound extended permit ip
access-list WAN_nat0_outbound extended permit ip
access-list WAN_2_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list LAN_IP_inbound standard permit
access-list IPSec_VPN_splitTunnelAcl standard permit any
access-list vpnusers_splitTunnelAcl extended permit ip any
access-list nonat-in extended permit ip
access-list vpn_ipsec_splitTunnelAcl standard permit
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging debug-trace
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP mask
ip local pool vpnclient mask
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover standby
icmp unreachable rate-limit 1 burst-size 1
icmp permit host c.c.c.c WAN
icmp permit WAN
icmp permit WAN
icmp deny any WAN
icmp permit host c.c.c.c OLD-Private
icmp permit OLD-Private
icmp permit OLD-Private
icmp permit host c.c.c.c Management
icmp permit host Management
icmp permit host Management
icmp permit Management
icmp permit host Management
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
global (OLD-Private) 1 interface
global (Management) 1 interface
nat (OLD-Private) 0 access-list WAN_nat0_outbound
nat (OLD-Private) 1
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN d.d.d.d 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http WAN
http WAN
http a.a.a.a WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto  dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5  ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA  ESP-DES-MD5
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer c.c.c.c
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map 65000 ipsec-isakmp dynamic dynmap
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh c.c.c.c WAN
ssh timeout 30
ssh version 2
console timeout 0
management-access OLD-Private
dhcpd auto_config OLD-Private

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server source WAN prefer
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
group-policy admin internal
group-policy admin attributes
dns-server value dns.dns.dns.dns
vpn-tunnel-protocol IPSec
group-policy vpn_ipsec internal
group-policy vpn_ipsec attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_ipsec_splitTunnelAcl
username user password password  encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool IPSec_VPN_pool
address-pool vpnclient
authorization-server-group LOCAL
default-group-policy admin
tunnel-group admin ipsec-attributes
pre-shared-key *
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c general-attributes
default-group-policy admin
tunnel-group c.c.c.c ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group vpn_ipsec type remote-access
tunnel-group vpn_ipsec general-attributes
address-pool vpnclient
default-group-policy vpn_ipsec
tunnel-group vpn_ipsec ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

Thanks for your time and help!



You say:

''I can't ping from remote ip''

Is this PING through the VPN tunnel?

If so, are you using separate subnets, or is there an overlapping problem?

You can use packet-tracer to point out the exact reason for the problem, for example:

packet-tracer input outside icmp 0 0

Hope it helps.



Thanks Federico.

When I ping from to - it's a local ping, without VPN. Both IPs are in the same VLAN.

Result of packet-tracer input OLD-private icmp 0 0

Phase: 6
Subtype: np-inspect
Result: ALLOW
Additional Information:

Phase: 7
Type: NAT
Result: DROP
nat (OLD-Private) 1
  match ip OLD-Private any OLD-Private any
    dynamic translation to pool 1 ( [Interface PAT])
    translate_hits = 22014, untranslate_hits = 0
Additional Information:

input-interface: OLD-Private
input-status: up
input-line-status: up
output-interface: OLD-Private
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

How can I solve it?



When you try to PING from to, the PING stays local (both IPs are on the same subnet).

That means that the above PING should never reach the ASA, correct?

Look at it in this way....

If host wants to talk to anything else on the subnet, the traffic is never going to be sent through the ASA.

Since the ASA is the default gateway, the host will send traffic to the ASA only when the destination IP is outside the local network.

That's why you get the above error from the ASA.

The ASA is not configured to reroute traffic from the same network back to the same network.

If you cannot PING between two hosts on the same internal interface of the ASA, the problem should reside internally.

My question will be...

Why is this traffic going to the ASA in your case?



On both machines the ASA is the default gateway - maybe that's why.


Even if both machines have the ASA as their default gateway, they won't send the packet to the ASA.

That's not the reason.

The only reason could be that one machine (or both) has a wrong subnet mask and thinks that the other one is on a different subnet.

If both computers have a /24 mask (even with the ASA as GW), the ASA should never receive that packet.

Please check the subnet mask on both machines.
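As an added illustration of the two points made in this thread (it is not code from the original posts or from Cisco), the following Python snippet first parses the ASA 305006 message quoted in the question to show that source and destination interface are the same, i.e. the ASA received a packet for a host on the very network it arrived from, and then models the forwarding decision each host makes from its own IP/mask. The addresses, the gateway and the syslog line are constructed placeholders, since the original post had its addresses stripped. A correct /24 on both hosts keeps the ping local in both directions; a wrong mask on one side sends only that side's reply to the ASA, which matches the one-way symptom described in the thread.

```python
import ipaddress
import re

# Constructed sample of the 305006 message quoted in the thread, with
# placeholder addresses (the original post's addresses were stripped).
SAMPLE_305006 = (
    "%ASA-3-305006: regular translation creation failed for icmp "
    "src OLD-Private:192.0.2.10 dst OLD-Private:192.0.2.20 (type 0, code 0)"
)

# Fields of message 305006: protocol, source interface:address,
# destination interface:address.
MSG_305006 = re.compile(
    r"305006: regular translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>\S+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\S+)"
)


def parse_305006(line):
    """Return the fields of a 305006 message, or None if the line is not one."""
    m = MSG_305006.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Identical ingress and egress interface: the ASA was handed a packet whose
    # destination lies on the network it came from (a hairpin), which is the
    # flow packet-tracer in the thread shows being dropped in the NAT phase.
    fields["hairpin"] = fields["src_if"] == fields["dst_if"]
    return fields


def next_hop(host_ip, host_mask, dst_ip, gateway):
    """What a host does with a packet: 'direct' if dst falls inside the host's
    own subnet as defined by its configured mask, otherwise 'via <gateway>'."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{host_mask}").network
    if ipaddress.ip_address(dst_ip) in local_net:
        return "direct"
    return f"via {gateway}"


def ping_path(host_a, host_b, gateway):
    """host_a, host_b: (ip, mask) tuples. Returns where the echo request from A
    and the echo reply from B are sent, each judged by that host's own mask."""
    return {
        "request": next_hop(host_a[0], host_a[1], host_b[0], gateway),
        "reply": next_hop(host_b[0], host_b[1], host_a[0], gateway),
    }


if __name__ == "__main__":
    print(parse_305006(SAMPLE_305006))
    gw = "192.0.2.1"  # constructed: the ASA's OLD-Private address
    good = ping_path(("192.0.2.10", "255.255.255.0"),
                     ("192.0.2.20", "255.255.255.0"), gw)
    bad = ping_path(("192.0.2.10", "255.255.255.0"),
                    ("192.0.2.20", "255.255.255.248"), gw)
    print("both /24:", good)        # both legs stay local, ASA never sees them
    print("B has /29:", bad)        # only B's reply goes to the ASA
```

In the mismatched case, host B (192.0.2.20/29) believes its subnet is 192.0.2.16-23, so its reply to 192.0.2.10 is handed to the gateway while the request from A went directly; that one leg arriving at the ASA with OLD-Private as both ingress and egress interface is exactly the flow behind the 305006 message.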




"I can't ping from remote ip"

I can't help myself, but I'm a little confused.

Can you provide a diagram showing where each subnet is?

And also Federico is right - if the hosts are on one subnet behind the same ASA, they won't need the ASA to communicate with each other - even if the ASA were shut down they would be able to communicate over the same VLAN on the switch - this must work.

Or maybe Federico misunderstands your topology as I do.

Please provide the topology.




I believe that the mask and subnet are OK. But I have 2 subnets on the remote site: for the default VLAN, where currently most of the VMs are, and for VLAN2, where soon all private interfaces of all VMs will be. Maybe the problem is there, in VLAN2?



You might have an IP problem.

You have more than one location with the same IP addressing scheme.

When this happens, you either change one LAN to a different subnet, or NAT the traffic to avoid the overlapping problem.




Does your topology look similar to this one (with your instead of the one mentioned there):

If yes, you can try to follow this solution to have a functioning l2l between the two locations, even if the subnets at both locations are the same:

Let me ask you one question: is in your topology (2 sites) present two times or three times?




Thanks Pavel for the advice.

I believe this error comes from Linux\Debian. The same configuration on a Windows PC works like magic. We've already solved it by adding another interface to the Linux box, so currently it has 3 interfaces (1 public, 2x private). With a few routing tricks, one private Linux interface is accessible from the office (, but not accessible from the remote network (, and the second private interface vice versa. With the Windows machine I need just 1 interface for these 2 purposes.