October 11, 2008 08:40pm pdt

My Account

Top 15 Experts

Overall Top Experts

1RobWill 1,547,640
2lrmoore 1,059,686
3batry_boy 416,944
4grblades 215,434
5rsivanandan 156,746
6dpk_wal 135,395
7arnold 133,803
8TechSoEasy 112,468
9calvinetter 112,055
10mwecom... 88,949
11keith_ala... 86,935
12MrHusy 77,294
13tim_holman 75,964
14Qlemo 74,953
15Cyclops3... 72,785

	[x] Attachment Details

SSL VPN on Cisco ASA 5505 not able to pass traffic to internal network.

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.6

Zones: Virtual Private Networking (VPN), Networking Hardware Firewalls, Cisco PIX Firewall

Tags: Cisco ASA 5505

Dear all,

I am having issues with my Cisco ASA 5505 for more than a month and it has been quite frustrating. I am trying to implement SSL-VPN client on ASA 5505 and when I perform a test ping to 192.168.1.25 (a mail server on the internal network), ASA tells me that there is 'No translation group found for icmp src outside:192.168.50.10 dst inside:192.168.1.25 (type 8, code 0)'.

I have NAT0 to help to do the translation but that doesn't work as below. I have split-tunnel to make sure that only traffic to our internal network gets passed through.

The SSL-VPN client connects you up, assigns an IP address of 192.168.50.10 (no gateway) and ROUTE PRINT gives me a route to 192.168.1.0 255.255.255.0 via 192.168.50.10.

Please help.

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:

           
           
             ASA Version 7.2(3)
!
hostname TORAY
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 description WAN Interface
 nameif outside
 security-level 0
 ip address 192.168.10.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT 8
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 165.21.100.88
 name-server 165.21.83.88
 domain-name default.domain.invalid
access-list acl_outside extended permit icmp any 192.168.10.0 255.255.255.0 echo-reply
access-list acl_outside extended permit tcp any host 192.168.10.2 eq smtp
access-list acl_outside extended permit tcp any host 192.168.10.2 eq www
access-list acl_outside extended permit tcp any host 192.168.10.2 eq pop3
access-list HTTP extended permit tcp host 192.168.1.25 eq www any eq www
access-list SMTP extended permit tcp host 192.168.1.25 eq smtp any eq smtp
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list POP3 extended permit tcp host 192.168.1.25 eq pop3 any eq pop3
access-list split_TORAY standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool CorporateToray 192.168.50.10-192.168.50.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface www access-list HTTP
static (inside,outside) tcp interface smtp access-list SMTP
static (inside,outside) tcp interface pop3 access-list POP3
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 8443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ntp server 202.150.212.24
ntp server 203.116.5.254
ntp server 202.73.37.27
webvpn
 enable outside
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
 url-list Exchange "Focus_Srv1" cifs://192.168.1.25 1
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 192.168.1.25
 dns-server value 192.168.1.25
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter value inside_nat0_outbound
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_TORAY
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value CorporateToray
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry file-access file-entry file-browsing
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc enable
  svc keep-installer installed
  svc keepalive none
  svc rekey time 30
  svc rekey method ssl
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username monitor password KEQRmOrieLtgCIos encrypted privilege 1
username mitama password pjJnG33a4ZZtH8L7 encrypted privilege 0
username admin password jm/Sh12pwTBmhF01 encrypted privilege 15
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.25 master timeout 2 retry 2
prompt hostname context
Cryptochecksum:84cfb29dc1a9ce3e6fdcbdf8247c50a8
: end

           
         

	#	Title
	1	SSL VPN connected to only the ASA fi…
	2	Cisco SSL VPN - NAT problems
	3	SSL VPN recommandation
	4	SSL Client VPN on a ASA - The ssl vp…
	5	Configuring site to site VPN tunnel so r…
	6	Trouble using Cisco VPN client behind …