VPN nat rules - error: No translation group found

Background:
We have a network dedicated to mobile devices connecting via wireless access points (10.235.6.0/24).  This is a VLAN that is trunked to the ASA with the ASA at 10.235.6.9.  There are no other layer 3 devices on this network except for the access points.  All our mobile devices then connect with the Cisco VPN client and get an address from a DHCP pool (10.235.8.0/24).  The primary interface for all other LAN traffic is 10.235.0.0/23 with the ASA at 10.235.0.9.

Traffic from the mobile device to the network is fine; we have problems when we try to access the mobile device from the LAN by using the VPN IP, with the following type of error:

%ASA-3-305005: No translation group found for udp src PA-SERVER:10.210.1.124/137 dst PA-SERVER:10.235.8.114/137  
%ASA-3-305005: No translation group found for tcp src PA-SERVER:10.235.1.170/80 dst PA-SERVER:10.235.8.116/2633

I've tried to include as much as I can from the config, it's huge and I can't post it all due to privacy concerns.

sh ver
 
Cisco Adaptive Security Appliance Software Version 8.0(3)19
Device Manager Version 6.1(1)
 
sh running-config nat
nat (PA-SERVER) 0 access-list PA-SERVER_nat0_outbound
nat (PA-SERVER) 0 access-list PA-SERVER_nat0_outbound_1 outside
nat (PA-SERVER) 3 county-supernet 255.0.0.0
nat (PA-SERVER) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 2 access-list DMZ_nat_outbound
nat (PA-Wireless) 0 access-list PA-Wireless_nat0_outbound
nat (PA-Wireless) 1 10.235.6.0 255.255.255.0
 
other random pieces:
name 10.235.8.0 pa-vpn-network
name 10.235.6.99 WLAN_AP
name 10.0.0.0 county-supernet
 
interface Redundant1
 member-interface Ethernet0/2
 member-interface Ethernet0/1
 nameif PA-SERVER
 security-level 100
 ip address 10.235.0.9 255.255.254.0 standby 10.235.0.8
!
interface Redundant1.6
 vlan 6
 nameif PA-Wireless
 security-level 25
 ip address 10.235.6.9 255.255.255.0 standby 10.235.6.8
!
 
access-list PA-SERVER_nat0_outbound extended permit ip any DMZ-Network 255.255.255.0
access-list PA-SERVER_nat0_outbound extended permit ip any pa-vpn-network 255.255.255.0
access-list PA-SERVER_nat0_outbound extended permit ip county-supernet 255.0.0.0 10.235.6.0 255.255.255.0
access-list PA-SERVER_nat0_outbound extended permit ip host LAN_proxy-sg pa-vpn-network 255.255.255.0
 
access-list PA-Wireless_access_in extended permit udp 10.235.6.0 255.255.255.0 object-group LAN_DNS-Group eq domain
access-list PA-Wireless_access_in extended permit icmp 10.235.6.0 255.255.255.0 any echo-reply
access-list PA-Wireless_nat0_outbound extended permit ip 10.235.6.0 255.255.255.0 county-supernet 255.0.0.0
 
access-list PA-SERVER_nat0_outbound_1 extended permit ip any pa-vpn-network 255.255.255.0
 
ip local pool Remote-Access 10.235.8.100-10.235.8.199 mask 255.255.255.0
 
dhcpd address 10.235.6.100-10.235.6.199 PA-Wireless


PascoSteve asked:
 
kdtresh commented:
Have you tried it with access-list no_nat entries, or do you need to NAT between subnets?
 
debuggerau commented:
I understand you haven't included all the config, but the addresses in question have no access rules associated with them; this normally leads to this message.

10.210.1.x
10.235.8.x
10.235.1.x
10.235.8.x

So do you have any access-lists that use these ranges?
 
lrmoore commented:
> PA-SERVER:10.210.1.124/137 dst PA-SERVER:10.235.8.114/137
Where does 10.210.1.124 come from? ASA does not seem to know where it belongs. It also sees 10.235.8.0 as local to the PA-SERVER interface, which is odd.
I'd have to see more of the config to analyze this further.
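Added example, not part of the thread and not the poster's or Cisco's code: a small Python triage helper that reads the two %ASA-3-305005 lines and the nat 0 exemption ACL quoted in the question, resolves the posted `name` objects, and reports for each flow which interface the ASA resolved as egress, whether that is the same interface the packet arrived on, and whether the flow is covered by the nat 0 ACL bound to the ingress interface. It assumes only what the question shows: the `nat (PA-SERVER) 0 access-list PA-SERVER_nat0_outbound` binding and the `name` lines; ACL entries that use names not posted in the thread (`DMZ-Network`, `LAN_proxy-sg`) are reported as unresolved rather than guessed.

```python
"""Triage helper for Cisco ASA %ASA-3-305005 ("No translation group found").

Added example, not code from the original poster or from Cisco. Only
'permit|deny ip' entries with 'any', 'host X' or 'X mask' operands are
understood, which is all the posted nat 0 ACL uses; entries that use
names absent from the posted config are returned as unresolved.
"""
import ipaddress
import re

SYSLOG_RE = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) extended (?P<action>permit|deny) ip (?P<rest>.+)"
)

# Constructed sample input: the syslog lines and config fragments quoted in the question.
SAMPLE_LOGS = [
    "%ASA-3-305005: No translation group found for udp src PA-SERVER:10.210.1.124/137 dst PA-SERVER:10.235.8.114/137",
    "%ASA-3-305005: No translation group found for tcp src PA-SERVER:10.235.1.170/80 dst PA-SERVER:10.235.8.116/2633",
]
NAMES = {"pa-vpn-network": "10.235.8.0", "county-supernet": "10.0.0.0"}
NAT0_ACL = {"PA-SERVER": "PA-SERVER_nat0_outbound"}  # from 'nat (PA-SERVER) 0 access-list ...'
SAMPLE_ACL = [
    "access-list PA-SERVER_nat0_outbound extended permit ip any DMZ-Network 255.255.255.0",
    "access-list PA-SERVER_nat0_outbound extended permit ip any pa-vpn-network 255.255.255.0",
    "access-list PA-SERVER_nat0_outbound extended permit ip county-supernet 255.0.0.0 10.235.6.0 255.255.255.0",
    "access-list PA-SERVER_nat0_outbound extended permit ip host LAN_proxy-sg pa-vpn-network 255.255.255.0",
]


def parse_305005(line):
    """Return the flow fields of a 305005 line as a dict, or None for any other line."""
    m = SYSLOG_RE.search(line)
    return m.groupdict() if m else None


def _resolve(tok, names):
    """Map an ASA 'name' object to its address; ValueError if it is neither a name nor an IP."""
    if tok in names:
        return names[tok]
    ipaddress.ip_address(tok)  # raises ValueError for an undefined name
    return tok


def _operand(tokens, names):
    """Consume one ACL address operand (any | host X | X mask) and return it as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(_resolve(tokens.pop(0), names) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{_resolve(tok, names)}/{mask}", strict=False)


def parse_acl(lines, names):
    """Return (entries, unresolved); each entry is (acl_name, action, src_net, dst_net)."""
    entries, unresolved = [], []
    for line in lines:
        m = ACL_RE.match(line)
        if not m:
            continue
        tokens = m.group("rest").split()
        try:
            src, dst = _operand(tokens, names), _operand(tokens, names)
        except (ValueError, IndexError):
            unresolved.append(line)
            continue
        entries.append((m.group("acl"), m.group("action"), src, dst))
    return entries, unresolved


def exempted(flow, entries, nat0_acl):
    """First match in the nat 0 ACL bound to the ingress interface: True/False, or None if nothing matches."""
    acl = nat0_acl.get(flow["sif"])
    sip, dip = ipaddress.ip_address(flow["sip"]), ipaddress.ip_address(flow["dip"])
    for name, action, src, dst in entries:
        if name == acl and sip in src and dip in dst:
            return action == "permit"
    return None


def triage(log_lines, acl_lines, names, nat0_acl):
    """Summarise each 305005 event: egress interface, hairpin (same in/out interface), nat 0 coverage."""
    entries, _ = parse_acl(acl_lines, names)
    findings = []
    for line in log_lines:
        flow = parse_305005(line)
        if flow is None:
            continue
        findings.append({
            "flow": f'{flow["proto"]} {flow["sip"]}:{flow["sport"]} -> {flow["dip"]}:{flow["dport"]}',
            "egress": flow["dif"],  # the interface the ASA's route lookup chose for the destination
            "hairpin": flow["sif"] == flow["dif"],
            "nat0_match": exempted(flow, entries, nat0_acl),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS, SAMPLE_ACL, NAMES, NAT0_ACL):
        print(finding)
```

Run against the posted lines, both flows come back with `egress` PA-SERVER, `hairpin` True and `nat0_match` True: the exemption ACL as quoted does cover LAN-to-10.235.8.x traffic on paper, and in both events the ASA resolved the VPN pool address out of the same PA-SERVER interface the packet arrived on, which is the oddity lrmoore's comment points at. The two ACL entries that reference names not shown in the thread are listed as unresolved so nothing is assumed about them.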
PascoSteve (author) commented:
Appreciate the responses so far folks, here's more info.

lrmoore:

The LAN connection is part of a larger internal network.
10.235.0.0/20 is assigned to my department
10.235.0.0/16 is assigned to my building
10.0.0.0/8 is used for all LAN activities, so 10.210.0.0/16 is another building. EIGRP is handling routing there; that isn't an issue. The VPN client can access these remote subnets. We just can't access things on the VPN client, such as file sharing. We can use ICMP against VPN clients, however, just not TCP/UDP.

kdtresh:

I do not need NAT for PA-SERVER <--> PA-VPN, but I do need NAT from both of these interfaces to the WAN, and of course I have all my static DMZ <--> WAN rules. I use ASDM for all my configuring, and I've never seen anything relating to the VPN connection under NAT rules. The only headings I have are for my DMZ, Wireless, and Server (LAN) interfaces.

debuggerau:

I'm assuming that you want to see the access-list assigned to the VPN user? See code snippet.

access-list VPNEmployee-ACL remark Allow normal user VPN access to the server group
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 10.235.0.0 255.255.254.0 
access-list VPNEmployee-ACL extended permit icmp 10.235.8.0 255.255.255.0 10.235.0.0 255.255.254.0 
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 host 10.210.1.40 
access-list VPNEmployee-ACL extended permit object-group MS_WINS-Group 10.235.8.0 255.255.255.0 object-group county_WINS-group 
access-list VPNEmployee-ACL extended permit udp 10.235.8.0 255.255.255.0 object-group Internal-DNS-Group eq domain 
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 object-group LAN_DomainControllers-Group 
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 host 10.235.10.10 
access-list VPNEmployee-ACL extended permit icmp 10.235.8.0 255.255.255.0 any 
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 object-group LAN_Printers 
access-list VPNEmployee-ACL extended permit ip object-group DM_INLINE_NETWORK_1 10.235.8.0 255.255.255.0 
access-list VPNEmployee-ACL extended permit icmp 10.0.0.0 255.0.0.0 10.235.8.0 255.255.255.0 
access-list VPNEmployee-ACL extended permit ip 10.235.8.0 255.255.255.0 host 10.235.12.5 
access-list VPNEmployee-ACL extended deny ip any 10.0.0.0 255.0.0.0 
access-list VPNEmployee-ACL extended permit ip any any 

 
debuggerau commented:
Let's start with this one: it looks like there is no static redirection for 10.210.1.124, or has it been left out?
 
PascoSteve (author) commented:
Closing this one out. There's probably more wrong in this config than just the VPN setup. I'm going to lab one of the devices and try it on a smaller scale. Thanks to those that responded.