Nat Translation

Discussion in 'Cisco' started by jtrooney@gmail.com, Jun 2, 2006.

  1. Guest

    I have a PIX 515E, running 6.3(5), and have been trying to get a basic
    VPN up and running, but can't finish for the life of me. I have the VPN
    connection working just fine, I get an IP from a local pool that I
    specify, but whenever I try to access the network behind the inside
    interface of the PIX from the VPN I get an error:
    Jun 2 12:46:07 172.16.1.1 %PIX-3-305005: No translation group found for icmp src outside:172.16.3.11 dst inside:172.16.1.1 (type 8, code 0)

    I am pulling out my hair trying to get this damn thing working but just
    don't know what else to try. Below is my config. Any help would be
    greatly appreciated:

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet1 vlan2 logical
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    nameif vlan2 vlan security50
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pix0
    domain-name domain.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inbound permit icmp any any
    access-list inbound permit tcp any any
    access-list inbound permit udp any any
    access-list inbound permit ip any any
    access-list vpn_acl permit ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list vpn_acl permit icmp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list vpn_acl permit udp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    logging on
    logging timestamp
    logging standby
    logging trap debugging
    logging facility 19
    logging host inside 172.16.1.15
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 63.x.x.80 255.255.255.0
    ip address inside 172.16.1.1 255.255.255.0
    no ip address intf2
    ip address vlan 172.16.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn 172.16.3.1-172.16.3.254
    pdm history enable
    arp timeout 60
    global (outside) 1 interface
    nat (inside) 0 access-list vpn_acl
    nat (inside) 1 172.16.1.0 255.255.255.0 0 0
    static (inside,outside) 63.x.x.82 172.16.1.4 netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 63.122.61.1 1
    timeout xlate 0:05:00
    timeout conn 0:30:00 half-closed 0:05:00 udp 0:01:00 rpc 0:10:00 h225 0:30:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host 172.16.1.15 cisco timeout 5
    aaa-server LOCAL protocol local
    aaa-server radius protocol radius
    aaa-server radius max-failed-attempts 3
    aaa-server radius deadtime 10
    aaa-server partnerauth protocol radius
    aaa-server partnerauth max-failed-attempts 3
    aaa-server partnerauth deadtime 10
    aaa-server partnerauth (inside) host 172.16.1.15 abcdef timeout 5
    http server enable
    http 172.16.1.3 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dyna 20 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client configuration address initiate
    crypto map mymap client configuration address respond
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local vpn outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup vpn3000-all address-pool vpn
    vpngroup vpn3000-all dns-server 63.x.x.10
    vpngroup vpn3000-all wins-server 63.x.x.10
    vpngroup vpn3000-all default-domain domain.com
    vpngroup vpn3000-all idle-time 1800
    vpngroup vpn3000-all password ********
    telnet 172.16.1.0 255.255.255.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 172.16.1.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 40
    vpdn group 1 client configuration address local vpn
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username jtrooney password *********
    vpdn enable outside
    terminal width 80
     
    , Jun 2, 2006
    #1

  2. mcaissie Guest

    You have to nonat the traffic from inside to outside, but you are
    nonating the traffic from outside to inside.

    > nat (inside) 0 access-list vpn_acl


    > access-list vpn_acl permit ip 172.16.3.0 255.255.255.0 172.16.1.0
    > 255.255.255.0
    > access-list vpn_acl permit icmp 172.16.3.0 255.255.255.0 172.16.1.0
    > 255.255.255.0
    > access-list vpn_acl permit udp 172.16.3.0 255.255.255.0 172.16.1.0
    > 255.255.255.0


    try replacing vpn_acl with

    access-list vpn_acl permit ip 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
    access-list vpn_acl permit icmp 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0
    access-list vpn_acl permit udp 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0



     
    mcaissie, Jun 2, 2006
    #2
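    The direction point in mcaissie's reply is worth pinning down, because it is
    exactly what %PIX-3-305005 is complaining about. On PIX 6.3 a
    "nat (inside) 0 access-list" ACL is written from the inside interface's side
    (source = hosts behind inside, destination = the remote network) and is
    consulted for flows started from either side; for a packet arriving on
    outside the PIX therefore looks for an entry whose source covers the
    packet's destination and whose destination covers the packet's source. The
    posted vpn_acl has the two networks swapped, so the echo request from
    172.16.3.11 to 172.16.1.1 matches nothing and is dropped with "No
    translation group found". The following is an added example, not code from
    the thread or from Cisco: it models that lookup and adds a small lint for
    the reversed-ACL mistake. It only understands the ACE form used in the
    posted config (dotted masks, no "any" or "host"), and the lint assumes the
    hosts behind the nat interface sit on its directly connected subnet.

```python
"""Model of how PIX 6.3 matches a 'nat (ifc) 0 access-list' exemption ACL.

Added example, not code from the thread or from Cisco. It handles only the
ACE form used in the posted config (permit <proto> <net> <mask> <net> <mask>)
and assumes the hosts behind the nat interface sit on its directly connected
subnet (the 'ip address <ifc>' line).
"""
import ipaddress
import re

# Config lines quoted from the thread: the original (reversed) exemption ACL
# and the corrected one mcaissie proposed. Only the lines the checker reads.
ORIGINAL = """
ip address inside 172.16.1.1 255.255.255.0
ip local pool vpn 172.16.3.1-172.16.3.254
access-list vpn_acl permit ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_acl permit icmp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn_acl permit udp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list vpn_acl
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
"""
CORRECTED = ORIGINAL.replace(
    "172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0",
    "172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0")

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(rf"^access-list (\S+) permit (\S+) {IP} {IP} {IP} {IP}$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
IFADDR_RE = re.compile(rf"^ip address (\S+) {IP} {IP}$")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Return (acls, nat0, ifnets): ACEs per ACL name, nat-0 ACL name per
    interface, and the connected subnet per interface."""
    acls, nat0, ifnets = {}, {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            name, proto, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((proto, net(sa, sm), net(da, dm)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := IFADDR_RE.match(line):
            ifnets[m.group(1)] = net(m.group(2), m.group(3))
    return acls, nat0, ifnets


def nat0_exempts(config, local_ifc, proto, src, dst, initiated_behind_local):
    """True if the nat 0 ACL on local_ifc exempts this flow from translation.

    The ACL is written from local_ifc's side (source = hosts behind it) and is
    consulted for flows started from either side. For a flow initiated from
    the far side, such as a VPN client on outside, the roles swap: the ACE
    source must cover the packet's destination and the ACE destination its
    source. A flow that no nat/static/nat 0 rule covers is what
    %PIX-3-305005 'No translation group found' reports.
    """
    acls, nat0, _ = parse(config)
    name = nat0.get(local_ifc)
    if name is None:
        return False
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    local, remote = (src, dst) if initiated_behind_local else (dst, src)
    return any(
        ace_proto in ("ip", proto) and local in ace_src and remote in ace_dst
        for ace_proto, ace_src, ace_dst in acls.get(name, []))


def lint_nat0_direction(config):
    """Flag exemption ACEs whose source is not behind the nat interface: the
    reversed-ACL mistake from the thread, caught before the change is pushed."""
    acls, nat0, ifnets = parse(config)
    problems = []
    for ifc, name in nat0.items():
        if ifc not in ifnets:
            continue
        for proto, ace_src, ace_dst in acls.get(name, []):
            if not ace_src.overlaps(ifnets[ifc]):
                problems.append(
                    f"{name}: permit {proto} {ace_src} -> {ace_dst} is written "
                    f"from the far side; source must be behind {ifc} ({ifnets[ifc]})")
    return problems


if __name__ == "__main__":
    # The echo request from the thread: VPN client 172.16.3.11 -> inside 172.16.1.1,
    # received on outside, so the flow was initiated from the far side.
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        ok = nat0_exempts(cfg, "inside", "icmp", "172.16.3.11", "172.16.1.1", False)
        print(f"{label}: {'exempt' if ok else 'no translation group (305005)'}")
        for p in lint_nat0_direction(cfg):
            print("  lint:", p)
```

    Run it as a script to watch the posted config fail and the corrected one
    pass; lint_nat0_direction can be pointed at any 6.3 config before a nat 0
    change goes in.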

  3. Guest

    Getting closer, I can actually see the ICMP traffic hitting the
    access-lists now =) Now the error that I'm getting is:

    Jun 2 14:29:16 172.16.1.1 %PIX-6-302013: Built inbound TCP connection 2211258 for outside:172.16.3.11/1078 (172.16.3.11/1078) to inside:172.16.1.10/22 (172.16.1.10/22)
    Jun 2 14:31:18 172.16.1.1 %PIX-6-302014: Teardown TCP connection 2211258 for outside:172.16.3.11/1078 to inside:172.16.1.10/22 duration 0:02:01 bytes 0 SYN Timeout

    or if I turn on debug icmp I get:
    2420: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768 seq=40960 length=40
    2421: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768 seq=41216 length=40
    2422: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768 seq=41472 length=40
    2423: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768 seq=41728 length=40
    2424: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768 seq=41984 length=40



    Any Ideas? Thanks for your help so far =)

     
    , Jun 2, 2006
    #3
  4. mcaissie Guest

    It's normal not being able to ping the inside interface from the outside,
    even through a VPN. Do you have the same problem pinging a PC on the inside?

    If you want your inside to be accessible from the outside through a VPN you
    must add the command:

    management-access inside


     
    mcaissie, Jun 2, 2006
    #4
  5. Guest

    Here is the odd part: I can ping one of my inside hosts, but not
    another. The ones that fail log:
    Jun 2 15:11:37 172.16.1.1 %PIX-3-106011: Deny inbound (No xlate) icmp src outside:172.16.1.20 dst outside:172.16.3.11 (type 0, code 0)

    > >> >
    > >> > interface ethernet0 auto
    > >> > interface ethernet1 auto
    > >> > interface ethernet1 vlan2 logical
    > >> > interface ethernet2 auto
    > >> > nameif ethernet0 outside security0
    > >> > nameif ethernet1 inside security100
    > >> > nameif ethernet2 intf2 security4
    > >> > nameif vlan2 vlan security50
    > >> > enable password 2KFQnbNIdI.2KYOU encrypted
    > >> > passwd 2KFQnbNIdI.2KYOU encrypted
    > >> > hostname pix0
    > >> > domain-name domain.com
    > >> > fixup protocol dns maximum-length 512
    > >> > fixup protocol ftp 21
    > >> > fixup protocol h323 h225 1720
    > >> > fixup protocol h323 ras 1718-1719
    > >> > fixup protocol http 80
    > >> > fixup protocol ils 389
    > >> > fixup protocol rsh 514
    > >> > fixup protocol rtsp 554
    > >> > fixup protocol sip 5060
    > >> > fixup protocol sip udp 5060
    > >> > fixup protocol skinny 2000
    > >> > fixup protocol smtp 25
    > >> > fixup protocol sqlnet 1521
    > >> > fixup protocol tftp 69
    > >> > names
    > >> > access-list inbound permit icmp any any
    > >> > access-list inbound permit tcp any any
    > >> > access-list inbound permit udp any any
    > >> > access-list inbound permit ip any any
    > >> > access-list vpn_acl permit ip 172.16.3.0 255.255.255.0 172.16.1.0
    > >> > 255.255.255.0
    > >> > access-list vpn_acl permit icmp 172.16.3.0 255.255.255.0 172.16.1.0
    > >> > 255.255.255.0
    > >> > access-list vpn_acl permit udp 172.16.3.0 255.255.255.0 172.16.1.0
    > >> > 255.255.255.0
    > >> > pager lines 24
    > >> > logging on
    > >> > logging timestamp
    > >> > logging standby
    > >> > logging trap debugging
    > >> > logging facility 19
    > >> > logging host inside 172.16.1.15
    > >> > mtu outside 1500
    > >> > mtu inside 1500
    > >> > mtu intf2 1500
    > >> > ip address outside 63.x.x.80 255.255.255.0
    > >> > ip address inside 172.16.1.1 255.255.255.0
    > >> > no ip address intf2
    > >> > ip address vlan 172.16.2.1 255.255.255.0
    > >> > ip audit info action alarm
    > >> > ip audit attack action alarm
    > >> > ip local pool vpn 172.16.3.1-172.16.3.254
    > >> > pdm history enable
    > >> > arp timeout 60
    > >> > global (outside) 1 interface
    > >> > nat (inside) 0 access-list vpn_acl
    > >> > nat (inside) 1 172.16.1.0 255.255.255.0 0 0
    > >> > static (inside,outside) 63.x.x.82 172.16.1.4 netmask 255.255.255.255 0
    > >> > 0
    > >> > access-group inbound in interface outside
    > >> > route outside 0.0.0.0 0.0.0.0 63.122.61.1 1
    > >> > timeout xlate 0:05:00
    > >> > timeout conn 0:30:00 half-closed 0:05:00 udp 0:01:00 rpc 0:10:00 h225
    > >> > 0:30:00
    > >> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > >> > timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    > >> > timeout uauth 0:05:00 absolute
    > >> > aaa-server TACACS+ protocol tacacs+
    > >> > aaa-server TACACS+ max-failed-attempts 3
    > >> > aaa-server TACACS+ deadtime 10
    > >> > aaa-server RADIUS protocol radius
    > >> > aaa-server RADIUS max-failed-attempts 3
    > >> > aaa-server RADIUS deadtime 10
    > >> > aaa-server RADIUS (inside) host 172.16.1.15 cisco timeout 5
    > >> > aaa-server LOCAL protocol local
    > >> > aaa-server radius protocol radius
    > >> > aaa-server radius max-failed-attempts 3
    > >> > aaa-server radius deadtime 10
    > >> > aaa-server partnerauth protocol radius
    > >> > aaa-server partnerauth max-failed-attempts 3
    > >> > aaa-server partnerauth deadtime 10
    > >> > aaa-server partnerauth (inside) host 172.16.1.15 abcdef timeout 5
    > >> > http server enable
    > >> > http 172.16.1.3 255.255.255.255 inside
    > >> > no snmp-server location
    > >> > no snmp-server contact
    > >> > snmp-server community public
    > >> > no snmp-server enable traps
    > >> > floodguard enable
    > >> > sysopt connection permit-ipsec
    > >> > sysopt connection permit-pptp
    > >> > sysopt connection permit-l2tp
    > >> > crypto ipsec transform-set myset esp-des esp-md5-hmac
    > >> > crypto dynamic-map dyna 20 set security-association lifetime seconds
    > >> > 3600 kilobytes 4608000
    > >> > crypto dynamic-map dynmap 10 set transform-set myset
    > >> > crypto map mymap 10 ipsec-isakmp dynamic dynmap
    > >> > crypto map mymap client configuration address initiate
    > >> > crypto map mymap client configuration address respond
    > >> > crypto map mymap interface outside
    > >> > isakmp enable outside
    > >> > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    > >> > isakmp identity address
    > >> > isakmp client configuration address-pool local vpn outside
    > >> > isakmp policy 10 authentication pre-share
    > >> > isakmp policy 10 encryption des
    > >> > isakmp policy 10 hash md5
    > >> > isakmp policy 10 group 1
    > >> > isakmp policy 10 lifetime 86400
    > >> > isakmp policy 20 authentication pre-share
    > >> > isakmp policy 20 encryption des
    > >> > isakmp policy 20 hash md5
    > >> > isakmp policy 20 group 2
    > >> > isakmp policy 20 lifetime 86400
    > >> > vpngroup vpn3000-all address-pool vpn
    > >> > vpngroup vpn3000-all dns-server 63.x.x.10
    > >> > vpngroup vpn3000-all wins-server 63.x.x.10
    > >> > vpngroup vpn3000-all default-domain domain.com
    > >> > vpngroup vpn3000-all idle-time 1800
    > >> > vpngroup vpn3000-all password ********
    > >> > telnet 172.16.1.0 255.255.255.0 inside
    > >> > telnet timeout 30
    > >> > ssh 0.0.0.0 0.0.0.0 outside
    > >> > ssh 172.16.1.0 255.255.255.0 inside
    > >> > ssh timeout 60
    > >> > console timeout 0
    > >> > vpdn group 1 accept dialin pptp
    > >> > vpdn group 1 ppp authentication pap
    > >> > vpdn group 1 ppp authentication chap
    > >> > vpdn group 1 ppp authentication mschap
    > >> > vpdn group 1 ppp encryption mppe 40
    > >> > vpdn group 1 client configuration address local vpn
    > >> > vpdn group 1 pptp echo 60
    > >> > vpdn group 1 client authentication local
    > >> > vpdn username jtrooney password *********
    > >> > vpdn enable outside
    > >> > terminal width 80
    > >> >

    > >
     
    , Jun 2, 2006
    #5
  6. mcaissie Guest

    Maybe the PIX sees the ping as a reply from a previous translation before
    you changed the nonat stuff.

    If 172.16.1.20 tried to communicate with 172.16.3.x before the changes,
    it got translated. And the translation remains even if you change your
    config. So a good thing to do would be to clear translation.

    sh xlate will show you the existing translations

    clear xlate will clear all translations (and all existing sessions, so
    don't use it if you don't want to interrupt anybody)

    I don't recall the syntax to clear a single translation, but you can
    also wait 3 hours for the translation to timeout.


    <> wrote in message
    news:...
    > Here is the odd part, i can ping one of my inside hosts, but not
    > another. The ones that fail log:
    > Jun 2 15:11:37 172.16.1.1 %PIX-3-106011: Deny inbound (No xlate) icmp
    > src outside:172.16.1.20 dst outside:172.16.3.11 (type 0, code 0)
    >
    > mcaissie wrote:
    >> It's normal not being able to ping the inside interface from the outside,
    >> even through a vpn. Do you have the same problem pinging a pc on the inside ?
    >>
    >> If you want your inside to be accessible from the outside through a vpn
    >> you
    >> must
    >> add the command;
    >>
    >> management-access inside
    >>
    >>
    >> <> wrote in message
    >> news:...
    >> > Getting closer, I can actually see the icmp traffic hitting the
    >> > access-lists now =) Now the error that I'm getting is:
    >> >
    >> > Jun 2 14:29:16 172.16.1.1 %PIX-6-302013: Built inbound TCP connection
    >> > 2211258 for outside:172.16.3.11/1078 (172.16.3.11/1078) to
    >> > inside:172.16.1.10/22 (172
    >> > .16.1.10/22)
    >> > Jun 2 14:31:18 172.16.1.1 %PIX-6-302014: Teardown TCP connection
    >> > 2211258 for outside:172.16.3.11/1078 to inside:172.16.1.10/22 duration
    >> > 0:02:01 bytes 0 SYN
    >> > Timeout
    >> >
    >> > or if i turn on the debug icmp i get:
    >> > 2420: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768
    >> > seq=40960 length=40
    >> > 2421: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768
    >> > seq=41216 length=40
    >> > 2422: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768
    >> > seq=41472 length=40
    >> > 2423: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768
    >> > seq=41728 length=40
    >> > 2424: ICMP echo-request from outside:172.16.3.11 to 172.16.1.1 ID=768
    >> > seq=41984 length=40
    >> >
    >> >
    >> >
    >> > Any Ideas? Thanks for your help so far =)
    >> >
    >> > mcaissie wrote:
    >> >> You have to nonat the traffic from inside to outside , but you are
    >> >> nonating the traffic from
    >> >> outside to inside
    >> >>
    >> >> > nat (inside) 0 access-list vpn_acl
    >> >>
    >> >> > access-list vpn_acl permit ip 172.16.3.0 255.255.255.0 172.16.1.0
    >> >> > 255.255.255.0
    >> >> > access-list vpn_acl permit icmp 172.16.3.0 255.255.255.0 172.16.1.0
    >> >> > 255.255.255.0
    >> >> > access-list vpn_acl permit udp 172.16.3.0 255.255.255.0 172.16.1.0
    >> >> > 255.255.255.0
    >> >>
    >> >> try replacing vpn_acl with
    >> >>
    >> >> access-list vpn_acl permit ip 172.16.1.0 255.255.255.0 172.16.3.0
    >> >> 255.255.255.0
    >> >> access-list vpn_acl permit icmp 172.16.1.0 255.255.255.0 172.16.3.0
    >> >> 255.255.255.0
    >> >> access-list vpn_acl permit udp 172.16.1.0 255.255.255.0 172.16.3.0
    >> >> 255.255.255.0
    >> >>
    >> >>
    >> >>
    >> >> <> wrote in message
    >> >> news:...
    >> >> >I have a pix 515-e, running 6.3(5), and have been trying to get a
    >> >> >basic
    >> >> > vpn up and running, but can't finish for the life of me. I have the
    >> >> > vpn
    >> >> > connection working just fine, I get an ip from a local pool that I
    >> >> > specify, but whenever I try to access the network behind the inside
    >> >> > interface of the pix from the vpn I get an error:
    >> >> > Jun 2 12:46:07 172.16.1.1 %PIX-3-305005: No translation group found
    >> >> > for icmp src outside:172.16.3.11 dst inside:172.16.1.1 (type 8, code
    >> >> > 0)
    >> >> >
    >> >> > I am pulling out my hair trying to get this damn thing working but
    >> >> > just
    >> >> > don't know what else to try. Below is my config. Any help would be
    >> >> > greatly appreciated:
    >> >> >
    >> >> > interface ethernet0 auto
    >> >> > interface ethernet1 auto
    >> >> > interface ethernet1 vlan2 logical
    >> >> > interface ethernet2 auto
    >> >> > nameif ethernet0 outside security0
    >> >> > nameif ethernet1 inside security100
    >> >> > nameif ethernet2 intf2 security4
    >> >> > nameif vlan2 vlan security50
    >> >> > enable password 2KFQnbNIdI.2KYOU encrypted
    >> >> > passwd 2KFQnbNIdI.2KYOU encrypted
    >> >> > hostname pix0
    >> >> > domain-name domain.com
    >> >> > fixup protocol dns maximum-length 512
    >> >> > fixup protocol ftp 21
    >> >> > fixup protocol h323 h225 1720
    >> >> > fixup protocol h323 ras 1718-1719
    >> >> > fixup protocol http 80
    >> >> > fixup protocol ils 389
    >> >> > fixup protocol rsh 514
    >> >> > fixup protocol rtsp 554
    >> >> > fixup protocol sip 5060
    >> >> > fixup protocol sip udp 5060
    >> >> > fixup protocol skinny 2000
    >> >> > fixup protocol smtp 25
    >> >> > fixup protocol sqlnet 1521
    >> >> > fixup protocol tftp 69
    >> >> > names
    >> >> > access-list inbound permit icmp any any
    >> >> > access-list inbound permit tcp any any
    >> >> > access-list inbound permit udp any any
    >> >> > access-list inbound permit ip any any
    >> >> > access-list vpn_acl permit ip 172.16.3.0 255.255.255.0 172.16.1.0
    >> >> > 255.255.255.0
    >> >> > access-list vpn_acl permit icmp 172.16.3.0 255.255.255.0 172.16.1.0
    >> >> > 255.255.255.0
    >> >> > access-list vpn_acl permit udp 172.16.3.0 255.255.255.0 172.16.1.0
    >> >> > 255.255.255.0
    >> >> > pager lines 24
    >> >> > logging on
    >> >> > logging timestamp
    >> >> > logging standby
    >> >> > logging trap debugging
    >> >> > logging facility 19
    >> >> > logging host inside 172.16.1.15
    >> >> > mtu outside 1500
    >> >> > mtu inside 1500
    >> >> > mtu intf2 1500
    >> >> > ip address outside 63.x.x.80 255.255.255.0
    >> >> > ip address inside 172.16.1.1 255.255.255.0
    >> >> > no ip address intf2
    >> >> > ip address vlan 172.16.2.1 255.255.255.0
    >> >> > ip audit info action alarm
    >> >> > ip audit attack action alarm
    >> >> > ip local pool vpn 172.16.3.1-172.16.3.254
    >> >> > pdm history enable
    >> >> > arp timeout 60
    >> >> > global (outside) 1 interface
    >> >> > nat (inside) 0 access-list vpn_acl
    >> >> > nat (inside) 1 172.16.1.0 255.255.255.0 0 0
    >> >> > static (inside,outside) 63.x.x.82 172.16.1.4 netmask 255.255.255.255
    >> >> > 0
    >> >> > 0
    >> >> > access-group inbound in interface outside
    >> >> > route outside 0.0.0.0 0.0.0.0 63.122.61.1 1
    >> >> > timeout xlate 0:05:00
    >> >> > timeout conn 0:30:00 half-closed 0:05:00 udp 0:01:00 rpc 0:10:00
    >> >> > h225
    >> >> > 0:30:00
    >> >> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    >> >> > timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    >> >> > timeout uauth 0:05:00 absolute
    >> >> > aaa-server TACACS+ protocol tacacs+
    >> >> > aaa-server TACACS+ max-failed-attempts 3
    >> >> > aaa-server TACACS+ deadtime 10
    >> >> > aaa-server RADIUS protocol radius
    >> >> > aaa-server RADIUS max-failed-attempts 3
    >> >> > aaa-server RADIUS deadtime 10
    >> >> > aaa-server RADIUS (inside) host 172.16.1.15 cisco timeout 5
    >> >> > aaa-server LOCAL protocol local
    >> >> > aaa-server radius protocol radius
    >> >> > aaa-server radius max-failed-attempts 3
    >> >> > aaa-server radius deadtime 10
    >> >> > aaa-server partnerauth protocol radius
    >> >> > aaa-server partnerauth max-failed-attempts 3
    >> >> > aaa-server partnerauth deadtime 10
    >> >> > aaa-server partnerauth (inside) host 172.16.1.15 abcdef timeout 5
    >> >> > http server enable
    >> >> > http 172.16.1.3 255.255.255.255 inside
    >> >> > no snmp-server location
    >> >> > no snmp-server contact
    >> >> > snmp-server community public
    >> >> > no snmp-server enable traps
    >> >> > floodguard enable
    >> >> > sysopt connection permit-ipsec
    >> >> > sysopt connection permit-pptp
    >> >> > sysopt connection permit-l2tp
    >> >> > crypto ipsec transform-set myset esp-des esp-md5-hmac
    >> >> > crypto dynamic-map dyna 20 set security-association lifetime seconds
    >> >> > 3600 kilobytes 4608000
    >> >> > crypto dynamic-map dynmap 10 set transform-set myset
    >> >> > crypto map mymap 10 ipsec-isakmp dynamic dynmap
    >> >> > crypto map mymap client configuration address initiate
    >> >> > crypto map mymap client configuration address respond
    >> >> > crypto map mymap interface outside
    >> >> > isakmp enable outside
    >> >> > isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    >> >> > isakmp identity address
    >> >> > isakmp client configuration address-pool local vpn outside
    >> >> > isakmp policy 10 authentication pre-share
    >> >> > isakmp policy 10 encryption des
    >> >> > isakmp policy 10 hash md5
    >> >> > isakmp policy 10 group 1
    >> >> > isakmp policy 10 lifetime 86400
    >> >> > isakmp policy 20 authentication pre-share
    >> >> > isakmp policy 20 encryption des
    >> >> > isakmp policy 20 hash md5
    >> >> > isakmp policy 20 group 2
    >> >> > isakmp policy 20 lifetime 86400
    >> >> > vpngroup vpn3000-all address-pool vpn
    >> >> > vpngroup vpn3000-all dns-server 63.x.x.10
    >> >> > vpngroup vpn3000-all wins-server 63.x.x.10
    >> >> > vpngroup vpn3000-all default-domain domain.com
    >> >> > vpngroup vpn3000-all idle-time 1800
    >> >> > vpngroup vpn3000-all password ********
    >> >> > telnet 172.16.1.0 255.255.255.0 inside
    >> >> > telnet timeout 30
    >> >> > ssh 0.0.0.0 0.0.0.0 outside
    >> >> > ssh 172.16.1.0 255.255.255.0 inside
    >> >> > ssh timeout 60
    >> >> > console timeout 0
    >> >> > vpdn group 1 accept dialin pptp
    >> >> > vpdn group 1 ppp authentication pap
    >> >> > vpdn group 1 ppp authentication chap
    >> >> > vpdn group 1 ppp authentication mschap
    >> >> > vpdn group 1 ppp encryption mppe 40
    >> >> > vpdn group 1 client configuration address local vpn
    >> >> > vpdn group 1 pptp echo 60
    >> >> > vpdn group 1 client authentication local
    >> >> > vpdn username jtrooney password *********
    >> >> > vpdn enable outside
    >> >> > terminal width 80
    >> >> >
    >> >

    >
     
    mcaissie, Jun 2, 2006
    #6
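The two NAT messages the poster hit (305005 in the first post, 106011 in post #5) and the direction problem mcaissie pointed out in post #4 (the nat 0 access-list has to be written with the inside network as source) can be reasoned about offline. What follows is an added example of mine, not code from the thread or from Cisco: it parses the three PIX syslog lines quoted in this thread (re-joined onto single lines as constructed sample input), attaches my own one-line reading of what each message id says about translation state, and evaluates the posted vpn_acl, and the reversed one mcaissie suggested, against the flow that failed (172.16.1.20 answering 172.16.3.11) the way `nat (inside) 0 access-list` evaluates it, with the inside host as the ACE source. The names parse_pix, explain, parse_acl, nat0_exempts and return_path_exempt are my own.

```python
import ipaddress
import re

# Constructed sample input: the three PIX 6.3 syslog lines quoted in this
# thread, re-joined onto single lines so the regexes see the whole message.
SAMPLE_LOGS = [
    "Jun 2 12:46:07 172.16.1.1 %PIX-3-305005: No translation group found "
    "for icmp src outside:172.16.3.11 dst inside:172.16.1.1 (type 8, code 0)",
    "Jun 2 15:11:37 172.16.1.1 %PIX-3-106011: Deny inbound (No xlate) icmp "
    "src outside:172.16.1.20 dst outside:172.16.3.11 (type 0, code 0)",
    "Jun 2 14:29:16 172.16.1.1 %PIX-6-302013: Built inbound TCP connection "
    "2211258 for outside:172.16.3.11/1078 (172.16.3.11/1078) to "
    "inside:172.16.1.10/22 (172.16.1.10/22)",
]

# The nat 0 ACL exactly as posted (source = VPN pool) ...
ORIGINAL_ACL = [
    "access-list vpn_acl permit ip 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0",
    "access-list vpn_acl permit icmp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0",
    "access-list vpn_acl permit udp 172.16.3.0 255.255.255.0 172.16.1.0 255.255.255.0",
]
# ... and the reversed version mcaissie suggested (source = inside network).
FIXED_ACL = [
    "access-list vpn_acl permit ip 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0",
    "access-list vpn_acl permit icmp 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0",
    "access-list vpn_acl permit udp 172.16.1.0 255.255.255.0 172.16.3.0 255.255.255.0",
]

MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# 305005/106011 use "src if:ip dst if:ip"; 302013 uses "for if:ip/port ... to if:ip/port".
FLOW_RE = re.compile(
    r"(?:src|for) (?P<sif>\w+):(?P<sip>[\d.]+).*? (?:dst|to) (?P<dif>\w+):(?P<dip>[\d.]+)"
)
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) permit (?P<proto>\w+) "
    r"(?P<snet>[\d.]+) (?P<smask>[\d.]+) (?P<dnet>[\d.]+) (?P<dmask>[\d.]+)$"
)


def parse_pix(line):
    """Return {msgid, severity, text, src_if, src, dst_if, dst} for a PIX syslog line, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"msgid": m["msgid"], "severity": int(m["sev"]), "text": m["text"]}
    f = FLOW_RE.search(m["text"])
    if f:
        rec.update(src_if=f["sif"], src=f["sip"], dst_if=f["dif"], dst=f["dip"])
    return rec


def explain(rec):
    """My one-line reading of what each message id says about NAT state; not Cisco's wording."""
    if rec["msgid"] == "305005":
        return ("no NAT rule matched: a packet entering %s needs a nat/global pair "
                "or a nat 0 exemption written from that interface's side" % rec["src_if"])
    if rec["msgid"] == "106011":
        return "packet arrived with no xlate: stale or missing translation, inspect with 'show xlate'"
    if rec["msgid"] == "302013":
        return "translation found, connection built"
    return "not a NAT message"


def parse_acl(lines):
    """Return {acl_name: [(proto, src_net, dst_net), ...]} from PIX 6.x access-list lines."""
    acl = {}
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        acl.setdefault(m["name"], []).append((
            m["proto"],
            ipaddress.ip_network(f"{m['snet']}/{m['smask']}"),
            ipaddress.ip_network(f"{m['dnet']}/{m['dmask']}"),
        ))
    return acl


def nat0_exempts(aces, src_ip, dst_ip, proto="ip"):
    """True if 'nat (inside) 0 access-list' would exempt a flow whose source is the
    host behind the nat interface. The ACE source must therefore be the inside
    network, not the VPN pool, which is the correction made in post #4."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(p in ("ip", proto) and s in sn and d in dn for p, sn, dn in aces)


def return_path_exempt(acl_lines, inside_host="172.16.1.20", vpn_client="172.16.3.11"):
    """Does vpn_acl exempt the inside host's ICMP reply toward the VPN client from NAT?"""
    return nat0_exempts(parse_acl(acl_lines)["vpn_acl"], inside_host, vpn_client, "icmp")


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_pix(line)
        print(rec["msgid"], rec.get("src"), "->", rec.get("dst"), ":", explain(rec))
    print("posted vpn_acl exempts inside->pool reply:", return_path_exempt(ORIGINAL_ACL))
    print("reversed vpn_acl exempts inside->pool reply:", return_path_exempt(FIXED_ACL))
```

The script only reasons about the rules; the translations that actually exist on the box are what show xlate lists, and the posted config carries timeout xlate 0:05:00 for how long an idle entry lives, so compare the script's verdict with that output before clearing anything.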