tstuardo asked:
Pix firewall 515E 7.2.2 syslog ID 305005

I have a couple of PIX firewalls with dual ISPs that work great with outbound traffic. The only issue is that when connecting remotely via Cisco VPN client with backup servers enabled (if I disable ISP1), the client will connect, but I cannot ping anything inside the network. Within the PIX I get syslog ID 305005, severity 3: No translation group found for <packet>
Explanation: An outbound packet does not match any of the outbound NAT rules.

I use a Cisco PIX 515E with 3 interfaces, version 7.2.2 (25).
ASKER CERTIFIED SOLUTION by Alan Huseyin Kayahan
tstuardo (ASKER):
Here is my current config.

Result of the command: "sh run"

: Saved
:
PIX Version 7.2(2)22
!
hostname test
domain-name testdomain
enable password BZaJt0.UrQ9B6InA encrypted
names
dns-guard
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.18.3.1 255.255.255.248
!
interface Ethernet2
 speed 100
 duplex full
 nameif backup
 security-level 0
 ip address xxx.xxx.xxx.xxx
!
passwd GVK6z3lwmphYdb9T encrypted
banner login **************************************************************
banner login   W A R N I N G
banner login      This is a xxxxxxxx's system and is intended for
banner login      official use only. Unauthorized access is prohibited.
banner login      All user activities are subject to monitoring.
banner login      YOU HAVE NO EXPECTATIONS OF PRIVACY USING THIS SYSTEM.
banner login      Unauthorized or improper use of this system may result in
banner login      civil and criminal penalties.
banner login **************************************************************
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name vxxxxxxxxxxxxxxxxxxxx
object-group service pcanywhere tcp-udp
 port-object range 5631 5632
object-group service rdesktop tcp-udp
 port-object range 3389 3389
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list inside_nat0_outbound extended permit ip any 172.18.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.128 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.20.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.248 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.20.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.128 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.248 192.168.201.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.20.0 255.255.255.0 172.18.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.20.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.0 172.18.14.0 255.255.255.0
access-list VicisUK_splitTunnelAcl standard permit 172.18.20.0 255.255.255.0
access-list VicisUK_splitTunnelAcl standard permit 172.18.4.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.18.3.0 255.255.255.248 192.168.200.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.18.4.0 255.255.255.128 192.168.200.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.18.20.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 172.18.20.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 172.18.4.0 255.255.255.128 192.168.201.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 172.18.3.0 255.255.255.248 192.168.201.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 172.18.20.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.18.14.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 172.18.20.0 255.255.255.0 172.18.14.0 255.255.255.0
access-list backup_access_in extended permit icmp any any
access-list backup_access_in extended permit icmp any any echo-reply
access-list backup_access_in extended permit icmp any any unreachable
access-list backup_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip any any
access-list inside_outbound extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging host inside 192.168.200.201
logging message 101002 level errors
logging message 101003 level warnings
logging message 101001 level critical
logging message 101004 level notifications
mtu outside 1500
mtu inside 1500
mtu backup 1500
ip local pool xxxxxxpool 172.18.16.150-172.18.16.170 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface backup
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any inside
icmp permit any backup
icmp permit any echo backup
icmp permit any echo-reply backup
asdm image flash:/pdm
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (backup) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 172.18.3.0 255.255.255.248
nat (inside) 10 172.18.4.0 255.255.255.0
nat (inside) 10 172.18.20.0 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group outside_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 xxx.xxxxx.xxxxx 1 track 1
route inside 172.18.4.0 255.255.255.0 172.18.3.6 1
route inside 172.18.20.0 255.255.255.0 172.18.3.6 1
route backup 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server TACAS+ protocol tacacs+
group-policy DfltGrpPolicy attributes
 banner value You have connected to a secured network for xxxxxxx
 banner value Traffic is monitored and will be teminated in the event of the connected client
 banner value is considered a security risk.
 banner value
 banner value For technical assistance contact xx
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
group-policy VicisUK internal
group-policy VicisUK attributes
 banner value You have connected to a secured network for xxxxx
 banner value Traffic is monitored and will be teminated in the event of the connected client
 banner value is considered a security risk.
 banner value
 banner value For technical assistance contact xxxxx0
 dns-server value 172.18.20.1 198.6.1.122
 vpn-simultaneous-logins 2
 vpn-idle-timeout 30
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VicisUK_splitTunnelAcl
 backup-servers keep-client-config
username sreamer password v5q489xLwvjEXAgh encrypted
username sreamer attributes
 vpn-group-policy VicisUK
username pablo password GbkH0WYF2Hmlk6kI encrypted privilege 15
username pablo attributes
 vpn-group-policy VicisUK
username damiano password Q7PAIpRSLEB/w4Zk encrypted privilege 15
username damiano attributes
 vpn-group-policy VicisUK
username nhoang password dFAHEPj0jqsfNSYm encrypted
username nhoang attributes
 vpn-group-policy VicisUK
username tstuardo password wpoXgOVhh/xxP86y encrypted privilege 15
username tstuardo attributes
 vpn-group-policy VicisUK
username lwelsh password a8YiTG5OBhOrg6F6 encrypted
username lwelsh attributes
 vpn-group-policy VicisUK
username ibenitez password AOn8CSnIXQg237Ji encrypted
username ibenitez attributes
 vpn-group-policy VicisUK
username jvizzini password uRZaEuTfmRJMouBE encrypted
username jvizzini attributes
 vpn-group-policy VicisUK
username diarmuid password gqk1c0Gtyc0ewfsT encrypted privilege 10
username diarmuid attributes
 vpn-group-policy VicisUK
username anewcomer password nBPQOiUiOAcY13Tl encrypted
username anewcomer attributes
 vpn-group-policy VicisUK
username dkeetley password 1AFyLyWuIjYuCuL5 encrypted
username dkeetley attributes
 vpn-group-policy VicisUK
aaa authentication ssh console LOCAL
http server enable
http 208.48.2.114 255.255.255.255 outside
http 172.18.16.0 255.255.255.0 inside
http 172.18.10.0 255.255.255.0 inside
http 172.18.4.0 255.255.255.128 inside
http 172.18.20.0 255.255.255.128 inside
http 172.18.7.0 255.255.255.248 inside
http 192.168.200.0 255.255.255.0 inside
http 192.168.201.0 255.255.255.0 inside
http 64.76.142.98 255.255.255.255 backup
http 208.48.2.114 255.255.255.255 backup
http 66.165.173.228 255.255.255.255 backup
http 208.51.99.114 255.255.255.255 backup
http 64.76.142.98 255.255.255.255 outside
http 208.51.99.114 255.255.255.255 outside
http 66.165.173.228 255.255.255.255 outside
http 201.239.253.168 255.255.255.255 outside
http 201.239.253.168 255.255.255.255 backup
snmp-server host inside 192.168.201.20 community stuardo
snmp-server location Vicis.UK
snmp-server contact monitor@globaloutsourcing.cl
snmp-server community stuardo
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 83.244.166.81 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-3des esp-none
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set connection-type answer-only
crypto map outside_map 20 set peer 64.76.142.98
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set connection-type answer-only
crypto map outside_map 40 set peer 66.165.173.228
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set connection-type answer-only
crypto map outside_map 60 set peer 208.51.99.114
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map template interface backup
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp nat-traversal  20
!
track 1 rtr 123 reachability
tunnel-group VicisUK type ipsec-ra
tunnel-group VicisUK general-attributes
 address-pool VicisUKpool
 default-group-policy VicisUK
tunnel-group VicisUK ipsec-attributes
 pre-shared-key *
tunnel-group 208.51.99.114 type ipsec-l2l
tunnel-group 208.51.99.114 ipsec-attributes
 pre-shared-key *
tunnel-group 66.165.173.228 type ipsec-l2l
tunnel-group 66.165.173.228 ipsec-attributes
 pre-shared-key *
tunnel-group 64.76.142.98 type ipsec-l2l
tunnel-group 64.76.142.98 ipsec-attributes
 pre-shared-key *
tunnel-group 67.151.224.226 type ipsec-l2l
tunnel-group 67.151.224.226 ipsec-attributes
 pre-shared-key *
telnet 172.18.20.0 255.255.255.128 inside
telnet 192.168.201.0 255.255.255.0 inside
telnet 192.168.200.0 255.255.255.0 inside
telnet 172.18.7.0 255.255.255.248 inside
telnet 172.18.10.0 255.255.255.0 inside
telnet 172.18.4.0 255.255.255.128 inside
telnet 172.18.16.0 255.255.255.0 inside
telnet timeout 5
ssh 64.76.142.98 255.255.255.255 outside
ssh 66.165.173.228 255.255.255.255 outside
ssh 208.48.2.114 255.255.255.255 outside
ssh 208.51.99.114 255.255.255.255 outside
ssh timeout 30
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
ntp server 130.88.203.64 prefer
tftp-server inside 192.168.201.20 vcfw1uk
prompt hostname context
Cryptochecksum:3171c0e64c9c7c8f23364b988f738e45
: end
I assume this is your VPN pool:
ip local pool xxxxxxpool 172.18.16.150-172.18.16.170 mask 255.255.255.0
and the inside network you want to reach is 172.18.3.0 255.255.255.248;
then:

access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.248 172.18.16.0 255.255.255.0

no access-list VicisUK_splitTunnelAcl standard permit 172.18.20.0 255.255.255.0
no access-list VicisUK_splitTunnelAcl standard permit 172.18.4.0 255.255.255.0
access-list VicisUK_splitTunnelAcl permit ip 172.18.3.0 255.255.255.248 172.18.16.0 255.255.255.0
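A small checker, added here as an example and not part of the original thread, for the two things the suggestion above changes: it parses the `ip local pool`, `nat (inside) 0 access-list` and split-tunnel lines of a PIX 7.x running-config and reports which VPN pool addresses a given inside subnet could not reach without address translation (the condition that logs 305005 under nat-control), plus whether that subnet is in the split-tunnel list. The sample config is constructed; the ACL names mirror the posted config, and the pool name is an assumption.

```python
import ipaddress

# Constructed excerpt in the style of the config posted above; not a live device.
SAMPLE_CONFIG = """
ip local pool vpnpool 172.18.16.150-172.18.16.170 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.4.0 255.255.255.128 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.3.0 255.255.255.248 172.18.16.0 255.255.255.0
access-list VicisUK_splitTunnelAcl standard permit 172.18.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

def parse_sides(tokens):
    """Source and destination of an extended ACE: each side is 'any' or 'addr mask'."""
    nets = []
    while len(nets) < 2:
        if tokens[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            tokens = tokens[1:]
        else:
            nets.append(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False))
            tokens = tokens[2:]
    return nets

def parse_config(text):
    pools, aces, std, nat0 = [], {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            aces.setdefault(t[1], []).append(tuple(parse_sides(t[5:])))
        elif t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"]:
            std.setdefault(t[1], []).append(ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]  # interface name -> NAT exemption ACL
    return pools, aces, std, nat0

def check_vpn_path(text, inside_net, split_acl="VicisUK_splitTunnelAcl"):
    """Return (pool addresses that inside_net cannot reach without translation,
    whether inside_net is covered by the split-tunnel list). With nat-control,
    inside -> client traffic that matches no nat rule is what logs 305005."""
    pools, aces, std, nat0 = parse_config(text)
    inside = ipaddress.ip_network(inside_net)
    exempt = aces.get(nat0.get("inside", ""), [])  # ACEs of the nat 0 ACL on inside
    # An ACE counts only if its source covers all of inside_net and its destination the client.
    missing = [str(ipaddress.ip_address(n)) for lo, hi in pools for n in range(int(lo), int(hi) + 1)
               if not any(inside.subnet_of(src) and ipaddress.ip_address(n) in dst for src, dst in exempt)]
    in_split = any(inside.subnet_of(n) for n in std.get(split_acl, []))
    return missing, in_split
```

Run `check_vpn_path(open("running-config").read(), "172.18.3.0/29")` against a saved `sh run`; an empty first element means every pool address is exempt from translation for that subnet, while a non-empty list names the client addresses that would still hit 305005.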