12-02-2009 11:11 PM
Hi,
We have a site-to-site VPN between the branch office and the head office. Over it we are able to access all nodes in the head office except 2 or 3 IPs.
These 2 or 3 IPs are already static NATed for outside web access on the same PIX firewall.
The VPN config is as follows:
No NAT: access-list 110 extended permit ip 10.210.0.0 255.255.0.0 192.168.148.0 255.255.255.252
Encryption domain: access-list VPN-Office extended permit ip 10.210.0.0 255.255.0.0 192.168.148.0 255.255.255.252
static (DMZ,outside) tcp XX.XX.2.15 5050 10.210.12.25 5050 netmask 255.255.255.255
access-list NAT-Cluster extended permit tcp any host XX.XX.2.15 eq 5050
access-group NAT-Cluster in interface outside
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list 110
nat (DMZ) 1 access-list DMZtoInternet
We have enabled sysopt connection permit-ipsec.
But when we try to ping from the 192.168.148.0 255.255.255.252 subnet to all IPs on 10.210.0.0/16 we get successful ping replies, except for 10.210.12.25.
When I check the log it says:
%PIX-3-305005: No translation group found for icmp src outside:192.168.150.231 dst DMZ:10.210.12.25 (type 8, code 0)
Kindly let me know why this issue occurs.
thanks
Vinu
12-06-2009 11:16 AM
But when we try to ping from the 192.168.148.0 255.255.255.252 subnet to all IPs on 10.210.0.0/16 we get successful ping replies, except for 10.210.12.25.
When I check the log it says:
%PIX-3-305005: No translation group found for icmp src outside:192.168.150.231 dst DMZ:10.210.12.25 (type 8, code 0)
Are you sure you are pinging from the 192.168.148.0 network? The firewall message says you are pinging from 192.168.150.x, for which there is no reference in your nonat ACL rule. In addition to what you already have for 192.168.148.0/30, one would expect to see in your nonat exempt rule something like:
access-list 110 extended permit ip 10.210.0.0 255.255.0.0 192.168.150.X
Check that; if no joy, could you post a brief topology description of which networks on the other side of the tunnel are to have access to your DMZ network.
Regards
12-06-2009 02:54 PM
I agree about making sure your source IP falls within the encryption domain and the nonat ACL. Looking over your config, if your source IP comes from 192.168.148.0/30 there's no reason it shouldn't work. You may want to make sure there isn't some sort of policy NAT or PAT configured to use 192.168.150.231 on the other end when sending traffic to 10.210.12.25. Check out the no-nat ACLs on the other end as well.
Good luck!
James
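Added example, not part of the thread: a small Python checker that parses the nat 0 (NAT exemption) access-list from the original post together with a %PIX-3-305005 message and reports whether the logged source/destination pair is covered by the exemption, taking into account that the ACL is written from the DMZ/inside perspective while the logged packet arrives on outside. It handles the network/mask, host and any address forms, so it is more general than the single ACE in the thread. The first sample log line is the one quoted above; the second is constructed here for comparison.

```python
import ipaddress
import re
from dataclasses import dataclass

# NAT-exemption (nat 0) access-list, copied from the config posted above.
NONAT_ACL = [
    "access-list 110 extended permit ip 10.210.0.0 255.255.0.0 192.168.148.0 255.255.255.252",
]

# Sample syslog input. The first line is the message quoted in the thread; the
# second is a constructed message for a ping sourced from the 192.168.148.0/30
# subnet, which the ACL does cover.
SAMPLE_LOGS = [
    "%PIX-3-305005: No translation group found for icmp src outside:192.168.150.231 dst DMZ:10.210.12.25 (type 8, code 0)",
    "%PIX-3-305005: No translation group found for icmp src outside:192.168.148.2 dst DMZ:10.210.12.25 (type 8, code 0)",
]

LOG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+) dst (?P<dif>\w+):(?P<dst>[\d.]+)"
)


@dataclass(frozen=True)
class Ace:
    acl: str
    proto: str
    local: ipaddress.IPv4Network   # first address pair: hosts behind the nat 0 interface
    remote: ipaddress.IPv4Network  # second address pair: peers across the tunnel
    text: str


def _take_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'NET MASK'.

    PIX/ASA ACLs use real subnet masks (not IOS wildcard masks), so the mask
    can be handed straight to ipaddress.
    """
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line):
    """Parse 'access-list NAME extended permit PROTO SRC DST [ports]' into an Ace."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "permit" not in tokens:
        raise ValueError(f"unsupported ACE: {line!r}")
    p = tokens.index("permit")
    rest = tokens[p + 2:]
    local = _take_addr(rest)
    remote = _take_addr(rest)  # any trailing port qualifiers (eq 5050 ...) are ignored
    return Ace(tokens[1], tokens[p + 1], local, remote, line.strip())


def parse_log(line):
    """Extract protocol, interfaces and addresses from a %PIX-3-305005 message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not a 305005 message: {line!r}")
    return m.groupdict()


def nonat_match(event, aces):
    """Return the first ACE that exempts the logged flow from NAT, or None.

    The nat 0 ACL is written from the perspective of the interface it is bound
    to (inside/DMZ here): first address = local host, second = remote peer. A
    packet logged 'src outside:... dst DMZ:...' is the return direction, so the
    logged dst must sit in the ACE's local network and the logged src in its
    remote network.
    """
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    inbound = event["sif"] == "outside"
    local, remote = (dst, src) if inbound else (src, dst)
    for ace in aces:
        if ace.proto not in ("ip", event["proto"]):
            continue
        if local in ace.local and remote in ace.remote:
            return ace
    return None


def diagnose(log_line, acl_lines):
    """Return a dict saying whether the logged flow is covered by the nat 0 ACL."""
    event = parse_log(log_line)
    ace = nonat_match(event, [parse_ace(a) for a in acl_lines])
    peer = event["src"] if event["sif"] == "outside" else event["dst"]
    return {"peer": peer, "exempt": ace is not None, "ace": ace.text if ace else None}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = diagnose(line, NONAT_ACL)
        verdict = "exempt via " + r["ace"] if r["exempt"] else "NOT in nat 0 ACL"
        print(f"{r['peer']}: {verdict}")
```

Run against the thread's own log line, the checker reports that 192.168.150.231 is not in the nat 0 ACL, which is exactly why the PIX falls through to the dynamic NAT rules and, finding none for outside-to-DMZ traffic, logs 305005. The constructed second line, sourced from 192.168.148.2, is matched by access-list 110.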