tstuardo asked:
Pix firewall 515E 7.2.2 syslog ID 305005
I have a couple of PIX firewalls with dual ISPs that work great with outbound traffic. The only issue is that when connecting remotely via the Cisco VPN client with backup servers enabled (if I disable ISP1), the client will connect but I cannot ping anything inside the network. Within the PIX I get syslog ID, severity 3, 305005 No translation group found for <packet>
Explanation: An outbound packet does not match any of the outbound NAT rules.
I use a Cisco PIX 515E with 3 interfaces, version 7.2.2 (25).
I assume this is your VPN pool:
ip local pool xxxxxxpool 172.18.16.150-172.18.16.17 0 mask 255.255.255.0
and the inside network you want to reach is 172.18.3.0 255.255.255.248
then:
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.248 172.18.16.0 255.255.255.0
no access-list VicisUK_splitTunnelAcl standard permit 172.18.20.0 255.255.255.0
no access-list VicisUK_splitTunnelAcl standard permit 172.18.4.0 255.255.255.0
access-list VicisUK_splitTunnelAcl permit ip 172.18.3.0 255.255.255.248 172.18.16.0 255.255.255.0
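The 305005 diagnosis discussed above can be replayed offline before touching the box. The following is an added example, not code from this thread, from the asker or from Cisco: a small Python model of the PIX 7.x outbound translation lookup (the nat 0 exemption ACL is consulted first, then the nat/global pairs for the ingress and egress interfaces; static and policy NAT are deliberately not modelled) run over a constructed config excerpt that borrows the subnet values seen in this thread. The pool name vpnpool, the pool end address 172.18.16.170, the trimmed rule set and all function names are assumptions made for the example.

```python
"""Added example: replay the PIX/ASA 7.x outbound NAT lookup on a config
excerpt to see which inside -> VPN-pool flows would be dropped and logged as
%PIX-3-305005 "No translation group found" when nat-control is set.
The config below is a constructed sample, not the asker's full config."""
import ipaddress

# Constructed sample: subset of the kind of lines seen in the thread.
# Note that 172.18.20.0/24 has no nat 0 entry towards the pool and no nat/global
# entry at all, so traffic from it to a VPN client must fail with 305005.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.248 172.18.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.20.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool vpnpool 172.18.16.150-172.18.16.170 mask 255.255.255.0
nat-control
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 172.18.3.0 255.255.255.248
nat (inside) 10 172.18.4.0 255.255.255.0
global (outside) 10 interface
global (backup) 10 interface
"""


def _take_net(tokens):
    """Consume one ACL address spec from the token list: 'any' | 'host A' | 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Extract only the 7.x config pieces that decide outbound translation."""
    cfg = {"acls": {}, "nat0": {}, "dyn_nat": {}, "globals": {}, "pools": {}}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            rest = tok[5:]
            src, dst = _take_net(rest), _take_net(rest)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:1] == ["nat"]:
            iface, nat_id = tok[1].strip("()"), int(tok[2])
            if nat_id == 0 and tok[3] == "access-list":
                cfg["nat0"][iface] = tok[4]            # NAT exemption ACL
            else:                                       # dynamic (or identity) NAT
                net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
                cfg["dyn_nat"].setdefault(iface, []).append((nat_id, net))
        elif tok[:1] == ["global"]:
            cfg["globals"].setdefault(int(tok[2]), set()).add(tok[1].strip("()"))
        elif tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return cfg


def classify(cfg, ingress, egress, src, dst):
    """Evaluate a flow the way 7.x does: nat 0 ACL (exemption) first, then the
    nat/global pairs for ingress/egress. Anything left over is 305005."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["nat0"].get(ingress)
    for s_net, d_net in cfg["acls"].get(acl, []):
        if src in s_net and dst in d_net:
            return "exempt", f"nat ({ingress}) 0 access-list {acl}"
    for nat_id, net in cfg["dyn_nat"].get(ingress, []):
        if src not in net:
            continue
        if nat_id == 0:
            return "identity", f"nat ({ingress}) 0 {net}"
        if egress in cfg["globals"].get(nat_id, set()):
            return "translated", f"nat ({ingress}) {nat_id} -> global ({egress}) {nat_id}"
    return "no-translation", "%PIX-3-305005 No translation group found"


def uncovered_pool_addresses(cfg, ingress, egress, inside_net, pool_name):
    """Pool addresses that a host on inside_net could not reach: these are the
    flows that would fill the syslog with 305005. Probes with one host of the
    subnet, which is enough when the exemption ACL is written per subnet."""
    inside_net = ipaddress.ip_network(inside_net, strict=False)
    first, last = cfg["pools"][pool_name]
    probe = str(inside_net[1])
    bad, addr = [], first
    while addr <= last:
        if classify(cfg, ingress, egress, probe, str(addr))[0] == "no-translation":
            bad.append(str(addr))
        addr += 1
    return bad


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for src in ("172.18.3.2", "172.18.4.5", "172.18.20.5"):
        print(src, "->", "172.18.16.151", classify(cfg, "inside", "outside", src, "172.18.16.151"))
    print("uncovered from 172.18.20.0/24:",
          uncovered_pool_addresses(cfg, "inside", "outside", "172.18.20.0/24", "vpnpool"))
```

Run it against your own `show run` output by replacing SAMPLE_CONFIG; an `uncovered_pool_addresses` result that is non-empty for a subnet the VPN users must reach is the exact condition the answer above fixes with an `inside_nat0_outbound` entry from that subnet to the pool network. The egress argument matters for the dynamic rules only: a nat 0 exemption matches regardless of whether the tunnel comes in on outside or backup, but a nat/global pair exists only for interfaces that have a matching `global` line.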
ASKER
Result of the command: "sh run"
: Saved
:
PIX Version 7.2(2)22
!
hostname test
domain-name testdomain
enable password BZaJt0.UrQ9B6InA encrypted
names
dns-guard
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.18.3.1 255.255.255.248
!
interface Ethernet2
speed 100
duplex full
nameif backup
security-level 0
ip address xxx.xxx.xxx.xxx
!
passwd GVK6z3lwmphYdb9T encrypted
banner login **************************
banner login W A R N I N G
banner login This is a xxxxxxxx's system and is intended for
banner login official use only. Unauthorized access is prohibited.
banner login All user activities are subject to monitoring.
banner login YOU HAVE NO EXPECTATIONS OF PRIVACY USING THIS SYSTEM.
banner login Unauthorized or improper use of this system may result in
banner login civil and criminal penalties.
banner login **************************
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name vxxxxxxxxxxxxxxxxxxxx
object-group service pcanywhere tcp-udp
port-object range 5631 5632
object-group service rdesktop tcp-udp
port-object range 3389 3389
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list inside_nat0_outbound extended permit ip any 172.18.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.128 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.20.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.248 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.20.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.128 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.248 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.20.0 255.255.255.0 172.18.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.20.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.0 172.18.14.0 255.255.255.0
access-list VicisUK_splitTunnelAcl standard permit 172.18.20.0 255.255.255.0
access-list VicisUK_splitTunnelAcl standard permit 172.18.4.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.18.3.0 255.255.255.248 192.168.200.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.18.4.0 255.255.255.128 192.168.200.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.18.20.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 172.18.20.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 172.18.4.0 255.255.255.128 192.168.201.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 172.18.3.0 255.255.255.248 192.168.201.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 172.18.20.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.18.14.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 172.18.20.0 255.255.255.0 172.18.14.0 255.255.255.0
access-list backup_access_in extended permit icmp any any
access-list backup_access_in extended permit icmp any any echo-reply
access-list backup_access_in extended permit icmp any any unreachable
access-list backup_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip any any
access-list inside_outbound extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging host inside 192.168.200.201
logging message 101002 level errors
logging message 101003 level warnings
logging message 101001 level critical
logging message 101004 level notifications
mtu outside 1500
mtu inside 1500
mtu backup 1500
ip local pool xxxxxxpool 172.18.16.150-172.18.16.17
no failover
monitor-interface outside
monitor-interface inside
monitor-interface backup
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any inside
icmp permit any backup
icmp permit any echo backup
icmp permit any echo-reply backup
asdm image flash:/pdm
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (backup) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 172.18.3.0 255.255.255.248
nat (inside) 10 172.18.4.0 255.255.255.0
nat (inside) 10 172.18.20.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 xxx.xxxxx.xxxxx 1 track 1
route inside 172.18.4.0 255.255.255.0 172.18.3.6 1
route inside 172.18.20.0 255.255.255.0 172.18.3.6 1
route backup 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server TACAS+ protocol tacacs+
group-policy DfltGrpPolicy attributes
banner value You have connected to a secured network for xxxxxxx
banner value Traffic is monitored and will be teminated in the event of the connected client
banner value is considered a security risk.
banner value
banner value For technical assistance contact xx
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
group-policy VicisUK internal
group-policy VicisUK attributes
banner value You have connected to a secured network for xxxxx
banner value Traffic is monitored and will be teminated in the event of the connected client
banner value is considered a security risk.
banner value
banner value For technical assistance contact xxxxx0
dns-server value 172.18.20.1 198.6.1.122
vpn-simultaneous-logins 2
vpn-idle-timeout 30
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VicisUK_splitTunnelAcl
backup-servers keep-client-config
username sreamer password v5q489xLwvjEXAgh encrypted
username sreamer attributes
vpn-group-policy VicisUK
username pablo password GbkH0WYF2Hmlk6kI encrypted privilege 15
username pablo attributes
vpn-group-policy VicisUK
username damiano password Q7PAIpRSLEB/w4Zk encrypted privilege 15
username damiano attributes
vpn-group-policy VicisUK
username nhoang password dFAHEPj0jqsfNSYm encrypted
username nhoang attributes
vpn-group-policy VicisUK
username tstuardo password wpoXgOVhh/xxP86y encrypted privilege 15
username tstuardo attributes
vpn-group-policy VicisUK
username lwelsh password a8YiTG5OBhOrg6F6 encrypted
username lwelsh attributes
vpn-group-policy VicisUK
username ibenitez password AOn8CSnIXQg237Ji encrypted
username ibenitez attributes
vpn-group-policy VicisUK
username jvizzini password uRZaEuTfmRJMouBE encrypted
username jvizzini attributes
vpn-group-policy VicisUK
username diarmuid password gqk1c0Gtyc0ewfsT encrypted privilege 10
username diarmuid attributes
vpn-group-policy VicisUK
username anewcomer password nBPQOiUiOAcY13Tl encrypted
username anewcomer attributes
vpn-group-policy VicisUK
username dkeetley password 1AFyLyWuIjYuCuL5 encrypted
username dkeetley attributes
vpn-group-policy VicisUK
aaa authentication ssh console LOCAL
http server enable
http 208.48.2.114 255.255.255.255 outside
http 172.18.16.0 255.255.255.0 inside
http 172.18.10.0 255.255.255.0 inside
http 172.18.4.0 255.255.255.128 inside
http 172.18.20.0 255.255.255.128 inside
http 172.18.7.0 255.255.255.248 inside
http 192.168.200.0 255.255.255.0 inside
http 192.168.201.0 255.255.255.0 inside
http 64.76.142.98 255.255.255.255 backup
http 208.48.2.114 255.255.255.255 backup
http 66.165.173.228 255.255.255.255 backup
http 208.51.99.114 255.255.255.255 backup
http 64.76.142.98 255.255.255.255 outside
http 208.51.99.114 255.255.255.255 outside
http 66.165.173.228 255.255.255.255 outside
http 201.239.253.168 255.255.255.255 outside
http 201.239.253.168 255.255.255.255 backup
snmp-server host inside 192.168.201.20 community stuardo
snmp-server location Vicis.UK
snmp-server contact monitor@globaloutsourcing.
snmp-server community stuardo
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 83.244.166.81 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-3des esp-none
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set connection-type answer-only
crypto map outside_map 20 set peer 64.76.142.98
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set connection-type answer-only
crypto map outside_map 40 set peer 66.165.173.228
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set connection-type answer-only
crypto map outside_map 60 set peer 208.51.99.114
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map template interface backup
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
crypto isakmp nat-traversal 20
!
track 1 rtr 123 reachability
tunnel-group VicisUK type ipsec-ra
tunnel-group VicisUK general-attributes
address-pool VicisUKpool
default-group-policy VicisUK
tunnel-group VicisUK ipsec-attributes
pre-shared-key *
tunnel-group 208.51.99.114 type ipsec-l2l
tunnel-group 208.51.99.114 ipsec-attributes
pre-shared-key *
tunnel-group 66.165.173.228 type ipsec-l2l
tunnel-group 66.165.173.228 ipsec-attributes
pre-shared-key *
tunnel-group 64.76.142.98 type ipsec-l2l
tunnel-group 64.76.142.98 ipsec-attributes
pre-shared-key *
tunnel-group 67.151.224.226 type ipsec-l2l
tunnel-group 67.151.224.226 ipsec-attributes
pre-shared-key *
telnet 172.18.20.0 255.255.255.128 inside
telnet 192.168.201.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.0 inside
telnet 172.18.7.0 255.255.255.248 inside
telnet 172.18.10.0 255.255.255.0 inside
telnet 172.18.4.0 255.255.255.128 inside
telnet 172.18.16.0 255.255.255.0 inside
telnet timeout 5
ssh 64.76.142.98 255.255.255.255 outside
ssh 66.165.173.228 255.255.255.255 outside
ssh 208.48.2.114 255.255.255.255 outside
ssh 208.51.99.114 255.255.255.255 outside
ssh timeout 30
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
ntp server 130.88.203.64 prefer
tftp-server inside 192.168.201.20 vcfw1uk
prompt hostname context
Cryptochecksum:3171c0e64c9
: end