Solved

VPN nat rules - error: No translation group found

Posted on 2008-11-05
Last Modified: 2012-05-08
Background:
We have a network dedicated to mobile devices connecting via wireless access points (10.235.6.0/24).  This is a VLAN that is trunked to the ASA with the ASA at 10.235.6.9.  There are no other layer 3 devices on this network except for the access points.  All our mobile devices then connect with the Cisco VPN client and get an address from a DHCP pool (10.235.8.0/24).  The primary interface for all other LAN traffic is 10.235.0.0/23 with the ASA at 10.235.0.9.

Traffic from the mobile device to the network is fine; we have problems when we try to access the mobile device from the LAN by using the VPN IP, with the following type of error:

%ASA-3-305005: No translation group found for udp src PA-SERVER:10.210.1.124/137 dst PA-SERVER:10.235.8.114/137  
%ASA-3-305005: No translation group found for tcp src PA-SERVER:10.235.1.170/80 dst PA-SERVER:10.235.8.116/2633

I've tried to include as much as I can from the config, it's huge and I can't post it all due to privacy concerns.

sh ver
 
Cisco Adaptive Security Appliance Software Version 8.0(3)19
Device Manager Version 6.1(1)
 
sh running-config nat
nat (PA-SERVER) 0 access-list PA-SERVER_nat0_outbound
nat (PA-SERVER) 0 access-list PA-SERVER_nat0_outbound_1 outside
nat (PA-SERVER) 3 county-supernet 255.0.0.0
nat (PA-SERVER) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 2 access-list DMZ_nat_outbound
nat (PA-Wireless) 0 access-list PA-Wireless_nat0_outbound
nat (PA-Wireless) 1 10.235.6.0 255.255.255.0
 
other random pieces:
name 10.235.8.0 pa-vpn-network
name 10.235.6.99 WLAN_AP
name 10.0.0.0 county-supernet
 
interface Redundant1
 member-interface Ethernet0/2
 member-interface Ethernet0/1
 nameif PA-SERVER
 security-level 100
 ip address 10.235.0.9 255.255.254.0 standby 10.235.0.8
!
interface Redundant1.6
 vlan 6
 nameif PA-Wireless
 security-level 25
 ip address 10.235.6.9 255.255.255.0 standby 10.235.6.8
!
 
access-list PA-SERVER_nat0_outbound extended permit ip any DMZ-Network 255.255.255.0
access-list PA-SERVER_nat0_outbound extended permit ip any pa-vpn-network 255.255.255.0
access-list PA-SERVER_nat0_outbound extended permit ip county-supernet 255.0.0.0 10.235.6.0 255.255.255.0
access-list PA-SERVER_nat0_outbound extended permit ip host LAN_proxy-sg pa-vpn-network 255.255.255.0
 
access-list PA-Wireless_access_in extended permit udp 10.235.6.0 255.255.255.0 object-group LAN_DNS-Group eq domain
access-list PA-Wireless_access_in extended permit icmp 10.235.6.0 255.255.255.0 any echo-reply
access-list PA-Wireless_nat0_outbound extended permit ip 10.235.6.0 255.255.255.0 county-supernet 255.0.0.0
 
access-list PA-SERVER_nat0_outbound_1 extended permit ip any pa-vpn-network 255.255.255.0
 
ip local pool Remote-Access 10.235.8.100-10.235.8.199 mask 255.255.255.0
 
dhcpd address 10.235.6.100-10.235.6.199 PA-Wireless

Question by:PascoSteve
6 Comments
 
LVL 23

Assisted Solution

by:debuggerau
debuggerau earned 240 total points
ID: 22890892
I understand you haven't included all the config, but the addresses in question have no access rules associated with them; this normally leads to this message.

10.210.1.x
10.235.8.x
10.235.1.x
10.235.8.x

So do you have any access-lists that use these ranges?
 
LVL 6

Accepted Solution

by:
kdtresh earned 180 total points
ID: 22890917
Have you tried it with access-list no_nat entries, or do you need to NAT between subnets?
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 180 total points
ID: 22891675
> PA-SERVER:10.210.1.124/137 dst PA-SERVER:10.235.8.114/137
Where does 10.210.1.24 come from? ASA does not seem to know where it belongs. It also sees 10.235.8.0 as local to the PA-SERVER interface which is odd.
I'd have to see more of the config to analyze this further.
 
LVL 1

Author Comment

by:PascoSteve
ID: 22894753
Appreciate the responses so far folks, here's more info.

lrmoore:

The LAN connection is part of a larger internal network.
10.235.0.0/20 is assigned to my department
10.235.0.0/16 is assigned to my building
10.0.0.0/8 is used for all LAN activities, so 10.210.0.0/16 is another building.  EIGRP is handling routing there, that isn't an issue.  The VPN client can access these remote subnets.  We just can't access things on the VPN client, such as file sharing.   We can use icmp against VPN clients however, just not tcp/udp.  

kdtresh:

I do not need NAT for PA-SERVER <--> PA-VPN, I do need nat from both of these interfaces to the WAN, and of course I have all my static DMZ <--> WAN rules.  I use ASDM for all my configuring, and I've never seen anything relating to the VPN connection under NAT rules.  The only headings I have are for my DMZ, Wireless, and Server (LAN) interfaces.

debuggerau:

I'm assuming that you want to see the access-list assigned to the VPN user? See code snippet.

access-list VPNEmployee-ACL remark Allow normal user VPN access to the server group
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 10.235.0.0 255.255.254.0 
access-list VPNEmployee-ACL extended permit icmp 10.235.8.0 255.255.255.0 10.235.0.0 255.255.254.0 
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 host 10.210.1.40 
access-list VPNEmployee-ACL extended permit object-group MS_WINS-Group 10.235.8.0 255.255.255.0 object-group county_WINS-group 
access-list VPNEmployee-ACL extended permit udp 10.235.8.0 255.255.255.0 object-group Internal-DNS-Group eq domain 
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 object-group LAN_DomainControllers-Group 
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 host 10.235.10.10 
access-list VPNEmployee-ACL extended permit icmp 10.235.8.0 255.255.255.0 any 
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 object-group LAN_Printers 
access-list VPNEmployee-ACL extended permit ip object-group DM_INLINE_NETWORK_1 10.235.8.0 255.255.255.0 
access-list VPNEmployee-ACL extended permit icmp 10.0.0.0 255.0.0.0 10.235.8.0 255.255.255.0 
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 host 10.235.12.5 
access-list VPNEmployee-ACL extended deny ip any 10.0.0.0 255.0.0.0 
access-list VPNEmployee-ACL extended permit ip any any 

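An added walk-through, not code from the thread or from Cisco: it replays the two %ASA-3-305005 lines from the question against the nat 0 exemption ACLs quoted above, so a reader can see on paper which exemption should have covered each flow. Two simplifications are assumptions of this example: the `name` aliases are resolved inline, and the `outside` keyword on the second nat 0 line is not modelled.

```python
import ipaddress
import re

# Fragments copied from the question; "name" aliases resolved here. The "outside"
# keyword on the second nat 0 line is deliberately not modelled (assumption).
NAMES = {"pa-vpn-network": "10.235.8.0", "county-supernet": "10.0.0.0"}
NAT0 = [("PA-SERVER", "PA-SERVER_nat0_outbound"),
        ("PA-SERVER", "PA-SERVER_nat0_outbound_1"),
        ("PA-Wireless", "PA-Wireless_nat0_outbound")]
ACL_TEXT = """\
access-list PA-SERVER_nat0_outbound extended permit ip any pa-vpn-network 255.255.255.0
access-list PA-SERVER_nat0_outbound extended permit ip county-supernet 255.0.0.0 10.235.6.0 255.255.255.0
access-list PA-SERVER_nat0_outbound_1 extended permit ip any pa-vpn-network 255.255.255.0
access-list PA-Wireless_nat0_outbound extended permit ip 10.235.6.0 255.255.255.0 county-supernet 255.0.0.0
"""
LOG_TEXT = """\
%ASA-3-305005: No translation group found for udp src PA-SERVER:10.210.1.124/137 dst PA-SERVER:10.235.8.114/137
%ASA-3-305005: No translation group found for tcp src PA-SERVER:10.235.1.170/80 dst PA-SERVER:10.235.8.116/2633
"""
LOG_RE = re.compile(r"%ASA-3-305005: .* src (\S+):(\S+)/\d+ dst (\S+):(\S+)/\d+")

def _net(tokens, i):
    """Parse one ACE address at tokens[i]: 'any' or 'addr mask' (names resolved)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr = NAMES.get(tokens[i], tokens[i])
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' ACEs only."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 5 and tok[3:5] == ["permit", "ip"]:
            src, i = _net(tok, 5)
            dst, _ = _net(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
    return acls

def exempt_rule(src_if, src_ip, dst_ip, acls=None):
    """Name the nat 0 ACL on the ingress interface that exempts the flow, else None."""
    acls = acls if acls is not None else parse_acl(ACL_TEXT)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for iface, acl in NAT0:
        if iface == src_if and any(src in s and dst in d for s, d in acls.get(acl, [])):
            return acl
    return None

def triage(log_text):
    """Per 305005 line: (src, dst, same ingress and egress interface?, exemption ACL)."""
    rows = []
    for m in LOG_RE.finditer(log_text):
        src_if, src_ip, dst_if, dst_ip = m.groups()
        rows.append((src_ip, dst_ip, src_if == dst_if, exempt_rule(src_if, src_ip, dst_ip)))
    return rows
```

Both logged flows come back as covered by PA-SERVER_nat0_outbound and as PA-SERVER-to-PA-SERVER, so the ACL text is not what is missing; the interface the ASA picks for 10.235.8.0, the oddity lrmoore pointed out, is where to look next.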
 
LVL 23

Assisted Solution

by:debuggerau
debuggerau earned 240 total points
ID: 22919361
Let's start with this one: looks like no static redirection for 10.210.1.124, or has it been left out?
 
LVL 1

Author Closing Comment

by:PascoSteve
ID: 31656950
Closing this one out -- There's probably more wrong in this config than just the VPN setup. I'm going to lab one of the devices and try it on a smaller scale. Thanks to those that responded.