02-01-2013 11:07 AM
here is the setup
site 2 site ipsec
pix 515 as the server (static ip)
cisco 1841 (dhcp client)
ezvpn client works fine for normal users that want to just authenticate with the cisco vpn client.
i have a site 2 site setup from the pix to my house, the connection is "up" on both ends, i see phase2 initiate under the pix logs
try to ping nothing happens, even drop down the byte size and set the DF bit (aka ping xxx.xxx.xxx.xxx -l 100 -f)
ping to the next routed interface hop and i get "no translation group found for icmp src outside: xxx.xxx.xxx.xxx <--- my internal network dst inside xxx.xxx.xxx.xxx" <---- pix internal network
am i missing a NAT rule on the pix or the 1841?
i'll post configs if you want me to.
02-01-2013 12:10 PM
The "no translation group found" is usually pointing to a NAT configuration issue. You typically need to NAT exempt the traffic destined for the site-site VPN.
02-04-2013 07:38 AM
so there needs to be an exempt rule in the nat config.
i'll check on that when i can. is this also the reason i can only access certain subnets from the cisco client as well?
02-04-2013 07:55 AM
IPsec VPN client access is most commonly governed by an ACL applied in the group policy.
Define the object for both your client and what networks you allow them to talk to, make an access-list allowing them to talk and then call it out in the group-policy. Something like:
group-policy
vpn-filter value
You'll also need the NAT exemptions in place to make sure traffic from the private network outbound to the VPN clients (who appear to be on the outside network) is not NATted.
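Added example, not from either poster: a minimal PIX (7.x-style syntax) fragment showing the NAT exemption for the site-to-site tunnel together with a vpn-filter for the EzVPN client group. All subnet numbers, ACL names and the group-policy name are constructed placeholders; substitute your own.

```cisco
! --- constructed example, not the thread's actual configuration ---
! PIX inside LAN  : 192.0.2.0/24   (placeholder)
! Remote 1841 LAN : 198.51.100.0/24 (placeholder)
! EzVPN client pool: 10.10.10.0/24  (placeholder)

! 1) NAT exemption: traffic from the inside LAN to the remote LAN
!    and to the VPN client pool must not be translated, otherwise
!    the PIX reports "no translation group found" and drops it.
access-list NONAT extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list NONAT extended permit ip 192.0.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2) Crypto ACL for the site-to-site tunnel must match the same
!    inside->remote flow that is exempted from NAT above.
access-list L2L-TRAFFIC extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0

! 3) vpn-filter for the client group: written with the REMOTE
!    (client) side as source and the local subnet as destination.
!    Only the subnets listed here are reachable from the client.
access-list VPN-CLIENT-FILTER extended permit ip 10.10.10.0 255.255.255.0 192.0.2.0 255.255.255.0
group-policy REMOTE-USERS attributes
 vpn-filter value VPN-CLIENT-FILTER

! Verify: "show nat" / "show xlate" should show no translation for
! the exempted flows, and "show crypto ipsec sa" should increment
! encaps/decaps counters once pings cross the tunnel.
```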