vpn initiates phase 2, traffic with "no translation group found"

Mark Graham · ‎02-01-2013

here is the setup

site 2 site ipsec

pix 515 as the server (static ip)

cisco 1841 (dhcp client)

ezvpn client works fine for normal users that want to just authenticate with the cisco vpn client.

i have a site 2 site setup from the pix to my house, the connection is "up" on both ends, i see phase2 initiate under the pix logs

try to ping nothing happens, even drop down the byte size and the DF bit (aka ping xxx.xxx.xxx.xxx -l 100 -f )

ping to the next routed interface hop and i get "no translation group found for icmp src outside: xxx.xxx.xxx.xxx <--- my internal network dst inside xxx.xxx.xxx.xxx <---- pix internal network

am i missing a NAT rule on the pix or the 1841?

i'll post configs if you want me too.

Marvin Rhoads · ‎02-01-2013

The "no translation group found" is usually pointing to a NAT configuration issue. You typically need to NAT exempt the traffic destined for the site-site VPN.

Mark Graham · ‎02-04-2013

so there needs to be an exempt rule in the nat config.

i'll check on that when i can. is this also the reason i can only access certian subnets from the cisco client as well?

Marvin Rhoads · ‎02-04-2013

IPsec VPN client access is most commonly governed by an ACL applied in the group policy.

Define the object for both your client and what networks you allow them to talk to, make an access-list allowing them to talk and then call it out in the group-policy. Something like:

group-policy attributes

vpn-filter value

You'll also need the NAT exemptions in place to make sure traffic from the private network outbound to the VPN clients (who appear to be on the outside network) is not NATted.