PIX Remote Access VPN Tunnel

So I have an IP address of 172.20.0.1 assigned when I VPN into my PIX (7.01 IOS)

I try to ping a machine on my network 172.16.3.200

PIX Debug shows:

305005:  No translation group found for ICMP src Outside: 172.20.0.1 dst inside:172.16.3.200 (Type8,code 0)

Any idea on how to add that entry to get the thing to ping?  I can connect just fine and I can get outside.  Can't get inside.

Ciscotek Asked:

tmesias Commented:
You need to

static (inside, outside) 172.16.3.200 172.16.3.200 255.255.255.255 0 0

or

access-list nonat permit ip any any

nat 0 (outside) nonat

Just because you have the access list permitting the traffic doesn't mean you have put up the "door knob" on the outside of the door you've opened up.
Ciscotek (Author) Commented:
nat 0 (Outside) nonat is not a valid command

MedPIX(config)# access-list nonat permit ip any any
MedPIX(config)#
MedPIX(config)# nat 0 (outside) nonat
                              ^
ERROR: % Invalid input detected at '^' marker.

Also tried:


MedPIX(config)# nat (Outside) nonat
                                            ^
ERROR: % Invalid input detected at '^' marker.

Remember that this is not 6.3(3) code.  This is PIX 7.01 code.

tmesias Commented:
it's

nat (outside) 0 access-list nonat

Realize that if you do it this way, you are essentially turning off all natting at the outside interface going in. If your configuration has other nat statements, proceed with caution.
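
An added example (not from the thread and not Cisco code): a Python check of which flows a NAT-exemption access-list entry matches, run on the 305005 line from the question, comparing the `permit ip any any` entry above with a narrower one. The scoped entry, its /24 mask for the VPN pool and the second source address are assumptions made for illustration.

```python
import ipaddress
import re

# Pattern built from the 305005 line quoted in the question.
LOG_RE = re.compile(
    r"305005:\s+No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):\s*(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):\s*(?P<dst>[\d.]+)"
)

def parse_305005(line):
    """Return proto, interfaces and addresses from a 305005 message, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def _take(tokens):
    """Consume one address spec: 'any', 'host ADDR' or 'NETWORK MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit ip SRC DST' into two networks."""
    tokens = line.split()
    i = tokens.index("permit")
    if tokens[i + 1] != "ip":
        raise ValueError("only 'permit ip' entries are handled here")
    rest = tokens[i + 2:]
    return _take(rest), _take(rest)

def exempts(ace, src, dst):
    """True if the entry matches this flow, i.e. the flow would bypass NAT."""
    src_net, dst_net = parse_ace(ace)
    return (ipaddress.ip_address(src) in src_net
            and ipaddress.ip_address(dst) in dst_net)

LOG = ("305005:  No translation group found for ICMP src Outside: 172.20.0.1 "
       "dst inside:172.16.3.200 (Type8,code 0)")           # from the question
ACE_BROAD = "access-list nonat permit ip any any"           # from the answer
ACE_SCOPED = ("access-list nonat permit ip 172.20.0.0 255.255.255.0 "
              "172.16.0.0 255.255.252.0")                   # assumed, /24 pool
OTHER_SRC = "198.51.100.7"                                  # constructed non-VPN source

def report():
    """Per entry: (VPN client flow exempted, unrelated outside flow exempted)."""
    flow = parse_305005(LOG)
    return {name: (exempts(ace, flow["src"], flow["dst"]),
                   exempts(ace, OTHER_SRC, flow["dst"]))
            for name, ace in (("broad", ACE_BROAD), ("scoped", ACE_SCOPED))}

if __name__ == "__main__":
    print(report())
```

Both entries match the VPN client's flow; only the `any any` entry also matches the unrelated outside source.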

Ciscotek (Author) Commented:
Now I am doing a U-Turn on this outside interface, meaning I am terminating VPN traffic on that interface, then turning around and building a Site-to-Site tunnel that originates on the same outside interface.

Will this statement stop that from working?
Ciscotek (Author) Commented:
Well I added it, still no connectivity to the IP I'm pinging when VPN'd in.

I am on 172.20.0.1 connected to my PIX (from outside)

Here is my setup -

Connected to my PIX via outside interface.

Obtain an IP address from the scope I specified
172.20.0.1

Outside interface of the PIX = 192.168.1.1

Inside interface of the PIX = 172.16.0.1

My network that I need to reach = 172.16.0.0 /22   (172.16.0-4.x)

I can't give the config for obvious reasons... I have other client VPN gateways configured and working... Don't think they'd appreciate that.
