cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8653
Views
0
Helpful
10
Replies
Highlighted
Beginner

regular translation creation failed for icmp

Hi guys,

I have site-to-site VPN and IPsec VPN installed on ASA 5505. VPNs work OK except few stranges:

I can't ping 192.168.17.104 from remote ip 192.168.17.138 - 305006 192.168.17.138 regular translation creation failed for icmp src OLD-Private:192.168.17.104 dst OLD-Private:192.168.17.138 (type 0, code 0)

in the same time I able to ping 192.168.17.104 from my network 192.168.10.0 and can ping from ASA

No firewall at 192.168.17.104

How to fix it?

There is my config:

ASA Version 8.2(2)

!
hostname ASA5505
domain-name domain
enable password password  encrypted
passwd password  encrypted
names
!
interface Vlan1
description INTERNET
mac-address 0000.0000.0001
nameif WAN
security-level 0
ip address a.a.a.a 255.255.255.248 standby a1.a1.a1.a1
ospf cost 10
!
interface Vlan2
description OLD-PRIVATE
mac-address 0000.0000.0102
nameif OLD-Private
security-level 100
ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
ospf cost 10
!
interface Vlan6
description MANAGEMENT
mac-address 0000.0000.0106
nameif Management
security-level 100
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
ospf cost 10
!
interface Vlan100
description LAN Failover Interface
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport trunk allowed vlan 2,6
switchport mode trunk
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup WAN
dns server-group DefaultDNS
name-server dns.dns.dns.dns
domain-name domain
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
description RDP
port-object eq 3389
access-list LAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LAN_IP standard permit 192.168.17.0 255.255.255.0
access-list WAN_access_in extended permit ip any any log debugging
access-list WAN_access_in extended permit tcp any object-group RDP any object-group RDP log debugging
access-list MANAGEMENT_access_in extended permit ip any any log debugging
access-list OLD-PRIVATE_access_in extended permit ip 192.168.17.0 255.255.255.0 any log debugging
access-list 101 extended permit tcp host 192.168.10.7 any eq 3389 log debugging
access-list WAN_1_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list capin extended permit ip host 192.18.17.155 host 192.168.10.7
access-list capin extended permit ip host 192.168.10.7 host 192.168.17.155
access-list LAN_access_in extended permit ip any any log debugging
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip any 192.168.17.240 255.255.255.252
access-list WAN_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.0 255.255.255.248
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.248
access-list WAN_nat0_outbound extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list LAN_IP_inbound standard permit 192.168.10.0 255.255.255.0
access-list IPSec_VPN_splitTunnelAcl standard permit any
access-list vpnusers_splitTunnelAcl extended permit ip 192.168.17.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn_ipsec_splitTunnelAcl standard permit 192.168.17.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging debug-trace
mtu WAN 1500
mtu OLD-Private 1500
mtu Management 1500
ip local pool VPN_Admin_IP 192.168.1.150-192.168.1.199 mask 255.255.255.0
ip local pool vpnclient 192.168.2.1-192.168.2.5 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan100
failover polltime interface 15 holdtime 75
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit host c.c.c.c WAN
icmp permit 192.168.10.0 255.255.255.0 WAN
icmp permit 192.168.17.0 255.255.255.0 WAN
icmp deny any WAN
icmp permit host c.c.c.c OLD-Private
icmp permit 192.168.10.0 255.255.255.0 OLD-Private
icmp permit 192.168.17.0 255.255.255.0 OLD-Private
icmp permit host c.c.c.c Management
icmp permit host 192.168.10.0 Management
icmp permit host 192.168.17.138 Management
icmp permit 192.168.1.0 255.255.255.0 Management
icmp permit host 192.168.1.26 Management
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
global (OLD-Private) 1 interface
global (Management) 1 interface
nat (OLD-Private) 0 access-list WAN_nat0_outbound
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
access-group WAN_access_in in interface WAN
access-group OLD-PRIVATE_access_in in interface OLD-Private
access-group MANAGEMENT_access_in in interface Management
route WAN 0.0.0.0 0.0.0.0 d.d.d.d 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http a.a.a.a 255.255.255.255 WAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto  dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5  ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA  ESP-DES-MD5
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer c.c.c.c
crypto map WAN_map 1 set transform-set ESP-DES-SHA
crypto map WAN_map 65000 ipsec-isakmp dynamic dynmap
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh c.c.c.c 255.255.255.255 WAN
ssh timeout 30
ssh version 2
console timeout 0
management-access OLD-Private
dhcpd auto_config OLD-Private
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.6.15.28 source WAN prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
group-policy admin internal
group-policy admin attributes
dns-server value dns.dns.dns.dns
vpn-tunnel-protocol IPSec
group-policy vpn_ipsec internal
group-policy vpn_ipsec attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_ipsec_splitTunnelAcl
username user password password  encrypted privilege 15
tunnel-group admin type remote-access
tunnel-group admin general-attributes
address-pool IPSec_VPN_pool
address-pool vpnclient
authorization-server-group LOCAL
default-group-policy admin
tunnel-group admin ipsec-attributes
pre-shared-key *
tunnel-group c.c.c.c type ipsec-l2l
tunnel-group c.c.c.c general-attributes
default-group-policy admin
tunnel-group c.c.c.c ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group vpn_ipsec type remote-access
tunnel-group vpn_ipsec general-attributes
address-pool vpnclient
default-group-policy vpn_ipsec
tunnel-group vpn_ipsec ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp

Thanks for you time and help!

10 REPLIES 10
Highlighted

Hi,

You say:

''I can't ping 192.168.17.104 from remote ip 192.168.17.138''

Is this PING through the VPN tunnel?

If so, are you using separate subnet masks or there's an overlapping problem?

You can use packet-tracer to point out the exact reason of the problem, for example:

packet-tracer input outside icmp 192.168.17.138 0 0 192.168.17.104

Hope it helps.


Federico.

Highlighted

Thanks Federico.

When I ping from 192.168.17.138 to 192.168.17.104 - it's local ping, without VPN. Both IP in the same VLAN.

Result of packet-tracer input OLD-private icmp 192.168.17.138 0 0 192.168.17.104:


Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (OLD-Private) 1 0.0.0.0 0.0.0.0
  match ip OLD-Private any OLD-Private any
    dynamic translation to pool 1 (192.168.17.2 [Interface PAT])
    translate_hits = 22014, untranslate_hits = 0
Additional Information:

Result:
input-interface: OLD-Private
input-status: up
input-line-status: up
output-interface: OLD-Private
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

How I can solve it?

Highlighted

Nick,

When you try to PING from 192.168.17.138 to 192.168.17.104, then the PING stays local (both IPs on the same subnet).

That means that the above PING should never reach the ASA correct?

Look at it in this way....

If host 192.168.17.138 wants to talk to anything else on the 192.168.17.0/24 subnet, the traffic is never going to be sent through the ASA.

Since the ASA is the default gateway, the host 192.168.17.138 will send traffic to the ASA only when the destination IP is outside the local network.

That's why you get the above error from the ASA.

The ASA is not configured to reroute traffic from the same network back to the same network.

If you cannot PING between two hosts on the same internal interface of the ASA, the problem should reside internally.

My question will be...

Why is this traffic going to the ASA in your case?


Federico.

Highlighted

On both machines ASA is default gateway - maybe that why.

Highlighted

Even if both machines have as default gateway the ASA, they won't send the packet to the ASA.

That's not the reason.

The only reason could be that one machine (or both) has a wrong subnet mask and thinks that the other one is on a

different subnet.

If both computers have a /24 mask (even with GW ASA), the ASA should never receive that packet.

Please check the subnet mask on both machines.

Federico.

Highlighted

Hi,

"I can't ping 192.168.17.104 from remote ip 192.168.17.138"

I can't help myself, but I'm a little confused.

Can you provide diagram, where is which subnet?

And also Frederico si right - if hosts are on one subnet behind the same ASA, they won't need ASA to communicate each other - even ASA could be shutdown and they would be albe to communicate over the same VLAN on switch - this must work.

Or maybe even Frederico understand your topology wrong as I do.

Please provide topology.

BR

Pavel

Highlighted

I believe that mask and subnet are ok. 192.168.17.0/24. But I have 2 subnet on remote site: 192.168.17.0/24 for default VLAN, where currently most of VMs and 192.168.17.0/24 for VLAN2, where soon will all private interfases of all VMs. Maybe problem is there?

192.168.17.138 in VLAN2.

ASA in VLAN2.

Highlighted

You might have an IP problem.

You have more than one location with the same IP addressing scheme.

When this happens you either change one LAN to a different subnet, or NAT the traffic to avoid the overlapping problems.

Federico.

Highlighted

Hi,

Does your topology look similar this one (with your 192.168.17.0/24 instead of 192.168.1.100 mentioned there) : http://4.bp.blogspot.com/_Q9oO1o_aT2s/Subt6_9QEuI/AAAAAAAAAH4/m9V4hk7I9BQ/s1600-h/PIX_ASA_DupSubnet.jpg

If yes, so your can try to follow this solution, to have functioning l2l between two locations, even subnets on locations are the same:

http://roggyblog.blogspot.com/2009/10/pixasa-site-to-site-l2l-vpn-with_27.html

Let me ask you one question. 192.168.17.0/24 is in your topology (2 sites) two times or three times?

HTH

Pavel

Highlighted

Thanks Pavel for advice.

I believe this error come from Linux\Debian. Same configuration on Windows PC works as magic. We've already solved it via add another interface to linux, so currently it has 3 interfaces (1 public, 2x private). With few routing tricks 1 private linux interface accessible from office (192.168.10.0), but not accessible from remote network (192.168.17.0) and second private interface vice-versa. With Windows machine I need just 1 interface for these 2 purposes.

Cheers,

Nick