David Haycox asked:
Cisco ASA site to site VPN: "no translation group found" error.

Just set up a site to site VPN tunnel using the ASDM wizard between an ASA 5510 and an upgraded Pix 515.  Tunnel is up fine, but no traffic passes through.  Here's the error for a ping and an SMTP connection (similar error for any traffic attempted):

No translation group found for icmp src outside:192.168.111.3 dst inside:192.168.50.5 (type 8, code 0)

No translation group found for tcp src outside:192.168.111.3/7523 dst inside:MailServer_in/25

I'm guessing I have either the ACL or the NAT config wrong - which is odd as I just ran the wizard - but I don't know enough to troubleshoot further.  I've attached sanitised configs for both devices below.

Thanks in advance!
: Saved
:
PIX Version 8.0(4) 
!
hostname londonpix515
domain-name domain.com
enable password * encrypted
passwd * encrypted
names
name 192.168.111.0 London_NET
name 192.168.50.0 Telford_NET
name 192.168.111.6 SP-APP-01-6
name 192.168.111.7 SP-APP-01-7
name * Janet_Remote
name * Neil_Remote
name * Belgium
name * France
name * Server_WAN
name 192.168.111.3 Server_LAN
name 192.168.111.9 LondonPix_LAN
name * LondonPix_WAN
name * LondonPix_GWY
name * Midland_WAN
name 192.168.112.0 VPN_NET
name * Telford_WAN
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address LondonPix_WAN 255.255.255.248 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address LondonPix_LAN 255.255.255.0 
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name *
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit tcp any host Server_WAN eq imap4 
access-list outside_access_in extended permit tcp any host Server_WAN eq www 
access-list outside_access_in extended permit tcp any host Server_WAN eq ftp 
access-list outside_access_in extended permit tcp any host Server_WAN eq pop3 
access-list outside_access_in extended permit tcp any host Server_WAN eq https 
access-list outside_access_in extended permit tcp any host Server_WAN eq smtp 
access-list outside_access_in extended permit tcp any host Server_WAN eq ftp-data 
access-list outside_access_in extended permit tcp host Midland_WAN host Server_WAN eq 3389 
access-list outside_access_in extended permit tcp host Janet_Remote host SP-APP-01-6 eq 3389 
access-list outside_access_in extended permit tcp host Belgium host SP-APP-01-6 eq 3389 
access-list outside_access_in extended permit tcp host France host SP-APP-01-6 eq 3389 
access-list outside_access_in extended permit tcp host Janet_Remote host SP-APP-01-7 eq 33389 
access-list outside_access_in extended permit tcp host Neil_Remote host SP-APP-01-7 eq 33389 
access-list outside_access_in extended permit tcp host Midland_WAN any eq ssh 
access-list outside_access_in extended permit tcp host Midland_WAN any eq telnet 
access-list outside_access_in extended permit tcp host Telford_WAN host Server_WAN eq 3389 
access-list VPNSPLON_splitTunnelAcl standard permit London_NET 255.255.255.0 
access-list inside_nat0_outbound extended permit ip London_NET 255.255.255.0 VPN_NET 255.255.255.0 
access-list inside_nat0_outbound extended permit ip London_NET 255.255.255.0 Telford_NET 255.255.255.0 
access-list outside_1_cryptomap extended permit ip London_NET 255.255.255.0 Telford_NET 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNPOOL 192.168.112.1-192.168.112.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any redirect outside
icmp permit any inside
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 SP-APP-01-6 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33389 SP-APP-01-7 33389 netmask 255.255.255.255 
static (inside,outside) Server_WAN Server_LAN netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 LondonPix_GWY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Telford_NET 255.255.255.0 inside
http Midland_WAN 255.255.255.255 outside
http London_NET 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer Telford_WAN 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet Midland_WAN 255.255.255.255 outside
telnet London_NET 255.255.255.0 inside
telnet timeout 5
ssh Midland_WAN 255.255.255.255 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPNSPLON internal
group-policy VPNSPLON attributes
 wins-server value 192.168.111.3
 dns-server value 192.168.111.3
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNSPLON_splitTunnelAcl
 default-domain value soundperformance.local
username * password * encrypted privilege 15
username * password * encrypted
username * password * encrypted
username * password * encrypted
tunnel-group VPNSPLON type remote-access
tunnel-group VPNSPLON general-attributes
 address-pool VPNPOOL
 default-group-policy VPNSPLON
tunnel-group VPNSPLON ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:53549cab16bb9c54b53da8eb97f35ea2
: end
asdm image flash:/asdm-613.bin
no asdm history enable

: Saved
:
ASA Version 8.0(3) 
!
hostname telfordasa5510
domain-name domain.com
enable password * encrypted
names
name * MailServer_out
name 192.168.50.4 MailServer_in
name 192.168.50.9 WebServer_in
name * WebServer_out
name 192.168.250.10 FTP_sever_dmz
name * FW-DDA-UK
name * FTP_server_outside
name * Mailgateway_outside
name 192.168.50.1 Mailgateway_inside
name * Phone-server_outside
name 192.168.50.73 Phone-server_inside
name * LondonPix_WAN
name 192.168.111.0 London_NET
name 192.168.253.0 VPN_NET
name 192.168.50.0 Telford_NET
name 192.168.250.0 DMZ_NET
name * TelfordPix_GWY
name * Midland_WAN
name 192.168.1.0 Mgmt_NET
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address FW-DDA-UK 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.253 255.255.255.0 
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 192.168.250.254 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 speed 10
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd * encrypted
banner motd 
boot system disk0:/asa803-k8.bin
boot system disk0:/asa723-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name soundperformance.co.uk
object-group service Phone-server_management tcp
 port-object eq 5000
 port-object eq 5080
object-group network Phone-provider_Connaught
 network-object host *
access-list NAT0 extended permit ip Telford_NET 255.255.255.0 VPN_NET 255.255.255.0 
access-list NAT0 extended permit ip Telford_NET 255.255.255.0 DMZ_NET 255.255.255.0 
access-list outside_access_in extended permit tcp any host WebServer_out eq www 
access-list outside_access_in extended permit tcp any host WebServer_out eq ftp 
access-list outside_access_in extended permit tcp any host MailServer_out eq smtp 
access-list outside_access_in extended permit tcp any host MailServer_out eq www 
access-list outside_access_in extended permit tcp any host FTP_server_outside eq ftp 
access-list outside_access_in extended permit tcp any host Mailgateway_outside eq smtp 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list outside_access_in extended permit tcp any any eq telnet 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in remark Access from Connaught to phone-server
access-list outside_access_in extended permit tcp object-group Phone-provider_Connaught host Phone-server_outside object-group Phone-server_management 
access-list outside_cryptomap_dyn_30 extended permit ip any VPN_NET 255.255.255.0 
access-list dmz_to_pix extended permit tcp host FTP_sever_dmz eq ftp any 
access-list dmz_to_pix extended permit icmp host FTP_sever_dmz any 
access-list outside_cryptomap extended permit ip Telford_NET 255.255.255.0 London_NET 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging buffered critical
logging trap critical
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPNPOOL 192.168.253.1-192.168.253.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any redirect outside
icmp permit any inside
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
global (outside) 1 Mailgateway_outside
nat (inside) 0 access-list NAT0
nat (inside) 1 Telford_NET 255.255.255.0
nat (dmz) 1 DMZ_NET 255.255.255.0
static (inside,outside) tcp Mailgateway_outside smtp Mailgateway_inside smtp netmask 255.255.255.255 
static (inside,outside) WebServer_out WebServer_in netmask 255.255.255.255 
static (inside,outside) MailServer_out MailServer_in netmask 255.255.255.255 
static (dmz,outside) FTP_server_outside FTP_sever_dmz netmask 255.255.255.255 dns 
static (inside,outside) Phone-server_outside Phone-server_inside netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group dmz_to_pix in interface dmz
route outside 0.0.0.0 0.0.0.0 TelfordPix_GWY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http Midland_WAN 255.255.255.255 outside
http Telford_NET 255.255.255.0 inside
http Mgmt_NET 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec transform-set dd-tset esp-des esp-md5-hmac 
crypto ipsec transform-set dd-3tset esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map vpnclient 15 set transform-set dd-tset
crypto dynamic-map vpnclient 30 match address outside_cryptomap_dyn_30
crypto dynamic-map vpnclient 30 set transform-set dd-3tset
crypto map ddmap 1 match address outside_cryptomap
crypto map ddmap 1 set pfs 
crypto map ddmap 1 set peer LondonPix_WAN 
crypto map ddmap 1 set transform-set ESP-3DES-SHA
crypto map ddmap 1000 ipsec-isakmp dynamic vpnclient
crypto map ddmap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet Telford_NET 255.255.255.0 inside
telnet timeout 30
ssh Midland_WAN 255.255.255.255 outside
ssh Telford_NET 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
username * password * encrypted
username * password * encrypted privilege 5
username * password * encrypted
username * password * encrypted privilege 15
username * password * encrypted privilege 5
username * password * encrypted
username * password * encrypted
username * password * encrypted
username * password * encrypted
tunnel-group VPNDDAUK type remote-access
tunnel-group VPNDDAUK general-attributes
 address-pool VPNPOOL
tunnel-group VPNDDAUK ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect dns preset_dns_map 
  inspect http 
  inspect ils 
  inspect icmp 
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:11f981755f8290b2665146cefbe43823
: end
asdm image disk0:/asdm-603.bin
asdm location Mailgateway_inside 255.255.255.255 inside
asdm location WebServer_in 255.255.255.255 inside
asdm location Telford_NET 255.255.255.0 outside
asdm location MailServer_in 255.255.255.255 inside
asdm location MailServer_out 255.255.255.255 outside
asdm location WebServer_out 255.255.255.255 outside
asdm location VPN_NET 255.255.255.0 inside
asdm location FTP_sever_dmz 255.255.255.255 dmz
asdm location London_NET 255.255.255.0 inside
asdm history enable
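Added diagnostic, not part of the question or of any reply in the thread: "No translation group found" means the packet matched no NAT rule on the device that logged it, and for VPN traffic the usual cause is interesting traffic that the nat 0 access-list exemption does not cover. The script below reads constructed excerpts of the two posted configs (names resolved from each device's own name table) and reports every crypto-map entry that has no matching exemption on that device.

```python
import ipaddress
# Constructed excerpts of the posted configs: name table, nat 0 ACL, crypto-map ACL and their bindings.
LONDON_PIX = """
name 192.168.111.0 London_NET
name 192.168.50.0 Telford_NET
access-list inside_nat0_outbound extended permit ip London_NET 255.255.255.0 Telford_NET 255.255.255.0
access-list outside_1_cryptomap extended permit ip London_NET 255.255.255.0 Telford_NET 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""
TELFORD_ASA = """
name 192.168.111.0 London_NET
name 192.168.253.0 VPN_NET
name 192.168.50.0 Telford_NET
name 192.168.250.0 DMZ_NET
access-list NAT0 extended permit ip Telford_NET 255.255.255.0 VPN_NET 255.255.255.0
access-list NAT0 extended permit ip Telford_NET 255.255.255.0 DMZ_NET 255.255.255.0
access-list outside_cryptomap extended permit ip Telford_NET 255.255.255.0 London_NET 255.255.255.0
nat (inside) 0 access-list NAT0
crypto map ddmap 1 match address outside_cryptomap
"""

def parse(cfg):
    """Collect name->IP mappings, 'permit ip' ACL entries, the nat 0 ACL name and crypto-map ACL names."""
    names, acls, nat0, crypto_acls = {}, {}, None, []
    for line in cfg.splitlines():
        p = line.split()
        if p[:1] == ["name"]:
            names[p[2]] = p[1]
        elif p[:1] == ["access-list"] and p[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{names.get(p[5], p[5])}/{p[6]}")
            dst = ipaddress.ip_network(f"{names.get(p[7], p[7])}/{p[8]}")
            acls.setdefault(p[1], []).append((src, dst))
        elif p[:1] == ["nat"] and p[2:4] == ["0", "access-list"]:
            nat0 = p[4]                      # e.g. nat (inside) 0 access-list NAT0
        elif p[:2] == ["crypto", "map"] and "address" in p:
            crypto_acls.append(p[p.index("address") + 1])
    return acls, nat0, crypto_acls

def missing_exemptions(cfg):
    """Crypto-map (src, dst) pairs no nat 0 entry covers; nat 0 access-list exempts both directions."""
    acls, nat0, crypto_acls = parse(cfg)
    exempt = acls.get(nat0, [])
    return [(str(s), str(d)) for acl in crypto_acls for s, d in acls.get(acl, [])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

if __name__ == "__main__":
    for site, cfg in (("londonpix515", LONDON_PIX), ("telfordasa5510", TELFORD_ASA)):
        print(site, "missing NAT exemption for:", missing_exemptions(cfg) or "nothing")
```

Run against the excerpts, the London side reports nothing while the Telford side reports Telford_NET to London_NET, which is the pair that appears in its crypto map but not in its NAT0 list.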