PIX VPN question

Discussion in 'Cisco' started by tical, Nov 28, 2003.

  1. tical


    I have a remote site connected via 3DES IPSEC VPN tunnel mode. Remote
    site is 1720, head office is PIX515e. VPN is working for long time.
    One question remains: How do I get traffic originating on the remote
    router into my internal network, through the pix?

    -tical-
     
    tical, Nov 28, 2003
    #1

  2. In article <>,
    tical <> wrote:
    :I have a remote site connected via 3DES IPSEC VPN tunnel mode. Remote
    :site is 1720, head office is PIX515e. VPN is working for long time.
    :One question remains: How do I get traffic originating on the remote
    :router into my internal network, through the pix?

    I interpret your question to be asking how you tunnel the traffic
    that originates at the remote router *itself*, such as syslog and ping.

    On the PIX side, the way you would do this would be to add a line
    to the access-list used in the crypto map 'match address', with the
    new line matching just the router. For example, if before you had

    access-list vpn-traffic permit ip 192.168.10.0 255.255.255.0 192.168.15.0 255.255.255.0
    crypto map vpn-map 1000 set peer 112.81.32.1
    crypto map vpn-map 1000 match address vpn-traffic

    then you would add the line

    access-list vpn-traffic permit ip 192.168.10.0 255.255.255.0 host 112.81.32.1

    if you wanted all of the inside network 192.168.10/24 to be
    able to access the remote router 112.81.32.1 through the VPN.
    --
    History is a pile of debris -- Laurie Anderson
     
    Walter Roberson, Nov 28, 2003
    #2

  3. "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bq8f5v$3sb$...
    > In article <>,
    > tical <> wrote:
    > :I have a remote site connected via 3DES IPSEC VPN tunnel mode. Remote
    > :site is 1720, head office is PIX515e. VPN is working for long time.
    > :One question remains: How do I get traffic originating on the remote
    > :router into my internal network, through the pix?
    >
    > I interpret your question to be asking how you tunnel the traffic
    > that originates at the remote router *itself*, such as syslog and ping.
    >
    > On the PIX side, the way you would do this would be to add a line
    > to the access-list used in the crypto map 'match address', with the
    > new line matching just the router. For example, if before you had
    >
    > access-list vpn-traffic permit ip 192.168.10.0 255.255.255.0 192.168.15.0 255.255.255.0
    > crypto map vpn-map 1000 set peer 112.81.32.1
    > crypto map vpn-map 1000 match address vpn-traffic
    >
    > then you would add the line
    >
    > access-list vpn-traffic permit ip 192.168.10.0 255.255.255.0 host 112.81.32.1
    >
    > if you wanted all of the inside network 192.168.10/24 to be
    > able to access the remote router 112.81.32.1 through the VPN.
    > --
    > History is a pile of debris -- Laurie Anderson


    Seems like the right idea, but in the PIX log I'm getting the following:
    %PIX-3-305005: No translation group found for icmp src outside
    I get this while trying to ping from the remote router to an IP on
    the same subnet as the inside interface of the PIX. The main reason
    I want this is so that I can make a backup of the router config via tftp.
    Any ideas?
    Does a permit statement need to be included in the access-list on the
    remote router as well?

    -tical-
     
    news.teranews.com, Nov 28, 2003
    #3
  4. In article <>,
    news.teranews.com <> wrote:
    :Seems like the right idea, but in the PIX log I'm getting the following:
    :%PIX-3-305005: No translation group found for icmp src outside
    :I get this while trying to ping from the remote router to an IP on
    :the same subnet as the inside interface of the PIX. The main reason
    :I want this is so that I can make a backup of the router config via tftp.
    :Any ideas?
    :Does a permit statement need to be included in the access-list on the
    :remote router as well?

    Your nat 0 access-list isn't covering the traffic with the remote router,
    and you don't have a 'static' permitting access from the remote router
    to the inside, so the PIX doesn't know how to match up the IP to the inside
    host. Testing for a translation (via nat 0 or static) is done before
    ACLs are checked, and the 'No translation group' message is characteristic
    of this problem.

    You will also need the access-list entry you are referring to, unless
    you have sysopt connection permit-ipsec turned on.
    --
    "Infinity is like a stuffed walrus I can hold in the palm of my hand.
    Don't do anything with infinity you wouldn't do with a stuffed walrus."
    -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
     
    Walter Roberson, Nov 28, 2003
    #4
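    The two conditions Walter lays out in #2 and #4 (the pair must be permitted by the crypto map's 'match address' ACL and by the nat 0 access-list, or a static) as an added example, not code from the thread: a small Python checker that parses PIX-style access-list, nat 0 and crypto map lines and reports, for an inside source and a destination, whether the pair is tunnelled and whether it is exempt from translation. The sample config is constructed from the addresses and names in Walter's post; the "nonat" list name and the result keys are my own, and only 'permit ip' entries are parsed.

```python
import ipaddress
import re

# Constructed sample built from the thread's addresses: the crypto ACL already
# has the 'host' line for the remote router, but the nonat list does not.
SAMPLE_CONFIG = """\
access-list vpn-traffic permit ip 192.168.10.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list vpn-traffic permit ip 192.168.10.0 255.255.255.0 host 112.81.32.1
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.15.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map vpn-map 1000 set peer 112.81.32.1
crypto map vpn-map 1000 match address vpn-traffic
"""

ADDR = r"(host \S+|\S+ \S+|any)"   # the three PIX address forms
ACL_RE = re.compile(rf"^access-list (\S+) (?:extended |ex )?permit ip {ADDR} {ADDR}$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def to_network(token):
    """'host A' -> A/32, 'A MASK' -> A/MASK, 'any' -> 0.0.0.0/0."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    return ipaddress.ip_network(token.replace(" ", "/"))

def parse_config(text):
    """Collect 'permit ip' ACL entries, nat 0 ACL names and crypto match ACL names."""
    acls, nat0, crypto = {}, set(), set()
    for line in (l.strip() for l in text.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((to_network(m[2]), to_network(m[3])))
        elif m := NAT0_RE.match(line):
            nat0.add(m[1])
        elif m := CRYPTO_RE.match(line):
            crypto.add(m[1])
    return acls, nat0, crypto

def permitted(entries, src, dst):
    """True if any entry covers inside source src talking to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)

def check_pair(config_text, src, dst):
    """Tunnelled (crypto ACL) but not NAT-exempt (nat 0) is the 'No translation group found' case."""
    acls, nat0, crypto = parse_config(config_text)
    return {"tunnelled": any(permitted(acls.get(n, []), src, dst) for n in crypto),
            "nat_exempt": any(permitted(acls.get(n, []), src, dst) for n in nat0)}
```

    Run against the sample, an inside host talking to the remote router 112.81.32.1 comes back tunnelled but not NAT-exempt, which is the situation tical hit; appending the matching 'host' line to the nonat list clears it.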
  5. tical



    > news.teranews.com <> wrote:
    > :Seems like the right idea, but in the PIX log I'm getting the following:
    > :%PIX-3-305005: No translation group found for icmp src outside
    > :I get this while trying to ping from the remote router to an IP on
    > :the same subnet as the inside interface of the PIX. The main reason
    > :I want this is so that I can make a backup of the router config via tftp.
    > :Any ideas?
    > :Does a permit statement need to be included in the access-list on the
    > :remote router as well?
    >
    > Your nat 0 access-list isn't covering the traffic with the remote router,
    > and you don't have a 'static' permitting access from the remote router
    > to the inside, so the PIX doesn't know how to match up the IP to the inside
    > host. Testing for a translation (via nat 0 or static) is done before
    > ACLs are checked, and the 'No translation group' message is characteristic
    > of this problem.
    >
    > You will also need the access-list entry you are referring to, unless
    > you have sysopt connection permit-ipsec turned on.
    > --


    I have sysopt connection permit-ipsec turned on, and I added an entry to
    the pix nonat list, and an entry to my remote router crypto list, and it's
    working now.
    No static was required.
    Thanks for your help.
    peace
    -tical-
     
    tical, Nov 28, 2003
    #5
  6. jrecho
    I cannot get traffic through my VPN, please help

    No ping from one side to the other, nothing. I see the tunnel up but I get this error when I try to ping.
    I get this error in Site B:
    3 Dec 02 2009 16:17:38 305005 10.10.20.55 No translation group found for icmp src outside:10.10.10.157 dst Inside:10.10.20.55 (type 8, code 0)


    Here is the config for:
    Site A
    Public: 196.XXX.XXX.XXX
    inside: 10.10.10.0/24
    --------------------------------------------
    crypto isakmp enable Outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 1
    lifetime 28800
    access-list REMOTE_SITE ex permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
    crypto map OUTSIDE_MAP 20 set pfs group1
    crypto map OUTSIDE_MAP 20 set peer 82.XXX.XXX.XXX
    crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
    crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
    crypto map OUTSIDE_MAP interface Outside
    nat (inside) 0 access-list REMOTE_SITE
    tunnel-group 82.XXX.XXX.XXX type ipsec-l2l
    tunnel-group 82.XXX.XXX.XXX ipsec-attributes
    pre-shared-key ***
    ---------------------------------

    SiteB
    Public: 82.XXX.XXX.XXX
    Inside: 10.10.20.0/24
    -----------------------------------

    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 1
    lifetime 28800
    access-list REMOTE_SITE ex permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
    crypto map OUTSIDE_MAP 20 set pfs group1
    crypto map OUTSIDE_MAP 20 set peer 196.XXX.XXX.XXX
    crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
    crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
    crypto map OUTSIDE_MAP interface outside
    nat (inside) 0 access-list REMOTE_SITE
    tunnel-group 196.XXX.XXX.XXX type ipsec-l2l
    tunnel-group 196.XXX.XXX.XXX ipsec-attributes


    Thanks for the help
     
    jrecho, Dec 2, 2009
    #6