eplfrlu asked:
regular translation creation failed for icmp
I have an ASA 5505 with the internal address 192.168.55.0/24; connected to that network is another router which handles the network 172.17.2.0/24. The other router's interface towards the ASA is 192.168.55.20.
However, if I try to ping a machine from the 172.17.2.0 network, the reply gets stuck in the ASA with the following error.
regular translation creation failed for icmp src neava:192.168.55.101 dst neava:172.17.2.172 (type 0, code 0)
Here is a copy of my configuration; can someone help me with this error?
: Saved
:
ASA Version 8.0(4)
!
hostname firewall
domain-name xxxxxx.xx
enable password encrypted
passwd encrypted
names
name 192.168.55.101 NEPC060 description Fredrik L LapTop
name 192.168.55.10 fs1 description Neava File Server 1
name 192.168.55.11 mail1 description Neava Mail Server
name 192.168.55.21 proxy description Neava proxy server
!
interface Vlan1
description Neava main Network
nameif neava
security-level 100
ip address 192.168.55.1 255.255.255.0
!
interface Vlan2
description Internet connection
nameif outside
security-level 0
ip address xxx.xxx.xxx.89 255.255.255.128
!
interface Vlan3
description Neava DMZ
nameif dmz
security-level 50
ip address 192.168.56.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
boot system disk0:/asa802-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name neava.se
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
port-object eq 2131
port-object range 21310 21320
object-group network NeavaClients
description Neava Clients
network-object 192.168.55.0 255.255.255.128
network-object 192.168.55.128 255.255.255.192
access-list neava_nat0_outbound extended permit ip any 192.168.55.192 255.255.255.224
access-list neava_nat0_outbound extended permit ip any 192.168.55.240 255.255.255.248
access-list outside_access_in remark Allow FTP to proxy
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in remark Allow SSH to proxy
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in remark Allow DNS to mail1
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq domain
access-list outside_access_in remark Allow SMTP to mail1
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Allow DNS to websrv
access-list outside_access_in extended permit tcp any host xxx.xxx.249.88 eq domain
access-list outside_access_in remark Allow HTTP to websrv
access-list outside_access_in extended permit tcp any host xxx.xxx.249.88 eq www
access-list outside_access_in remark Allow HTTP to websrv
access-list outside_access_in extended permit tcp any host xxx.xxx.249.88 eq https
access-list outside_access_in remark Allow HTTPS to mail1
access-list outside_access_in extended permit tcp any host xxx.xxx.249.89 eq www
access-list outside_access_in remark Allow HTTPS to mail1
access-list outside_access_in extended permit tcp any host xxx.xxx.249.89 eq https
access-list outside_access_in remark Allow traffic to proxy for TEMS_FTP
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host xxx.xxx.249.79 eq ftp
access-list outside_access_in remark Implicit rule
access-list outside_access_in extended deny ip any any log notifications
access-list dmz_access_in extended permit ip host 192.168.56.99 host mail1
access-list dmz_access_in extended deny ip host 192.168.56.99 192.168.55.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list SplitTunnelList standard permit 192.168.55.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm notifications
logging mail critical
logging from-address
logging recipient-address level critical
logging host neava fs1
mtu neava 1500
mtu outside 1500
mtu dmz 1500
ip local pool NeavaVPN_IP_Pool 192.168.55.201-192.168.55.220 mask 255.255.255.0
ip local pool TEMP 192.168.55.240-192.168.55.245 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61557.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (neava) 0 access-list neava_nat0_outbound
nat (neava) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (neava,outside) tcp interface https mail1 https netmask 255.255.255.255
static (neava,outside) tcp interface 3390 NEPC060 3389 netmask 255.255.255.255
static (neava,outside) tcp interface ftp proxy ftp netmask 255.255.255.255
static (neava,outside) tcp interface ssh proxy ssh netmask 255.255.255.255
static (neava,outside) tcp interface domain mail1 domain netmask 255.255.255.255
static (neava,outside) tcp interface smtp mail1 smtp netmask 255.255.255.255
static (neava,outside) tcp interface 8081 192.168.55.103 8081 netmask 255.255.255.255
static (neava,outside) tcp interface 3389 fs1 3389 netmask 255.255.255.255
static (neava,outside) tcp interface 5384 proxy 5384 netmask 255.255.255.255
static (neava,outside) tcp interface imap4 mail1 imap4 netmask 255.255.255.255
static (neava,outside) tcp interface 8181 proxy 8181 netmask 255.255.255.255
static (neava,outside) tcp interface 2131 proxy 2131 netmask 255.255.255.255
static (neava,outside) tcp interface 21320 proxy 21320 netmask 255.255.255.255
static (neava,outside) tcp interface 21319 proxy 21319 netmask 255.255.255.255
static (neava,outside) tcp interface 21318 proxy 21318 netmask 255.255.255.255
static (neava,outside) tcp interface 21317 proxy 21317 netmask 255.255.255.255
static (neava,outside) tcp interface 21316 proxy 21316 netmask 255.255.255.255
static (neava,outside) tcp interface 21315 proxy 21315 netmask 255.255.255.255
static (neava,outside) tcp interface 21314 proxy 21314 netmask 255.255.255.255
static (neava,outside) tcp interface 21313 proxy 21313 netmask 255.255.255.255
static (neava,outside) tcp interface 21312 proxy 21312 netmask 255.255.255.255
static (neava,outside) tcp interface 21311 proxy 21311 netmask 255.255.255.255
static (neava,outside) tcp interface 21310 proxy 21310 netmask 255.255.255.255
static (neava,outside) tcp interface 8105 192.168.55.111 8105 netmask 255.255.255.255
static (neava,outside) tcp interface 8104 192.168.55.111 8104 netmask 255.255.255.255
static (neava,outside) tcp interface 8103 192.168.55.111 8103 netmask 255.255.255.255
static (neava,outside) tcp interface 8102 192.168.55.111 8102 netmask 255.255.255.255
static (neava,outside) tcp interface 8101 192.168.55.111 8101 netmask 255.255.255.255
static (dmz,outside) tcp xxx.xxx.249.88 www 192.168.56.99 www netmask 255.255.255.255
static (neava,outside) tcp xxx.xxx.249.79 ftp NEPC060 ftp netmask 255.255.255.255
static (neava,dmz) xxx.xxx.249.89 mail1 netmask 255.255.255.255
static (neava,dmz) 192.168.55.128 192.168.55.128 netmask 255.255.255.192
static (neava,dmz) 192.168.55.0 192.168.55.0 netmask 255.255.255.128
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.249.1 1
route neava 172.17.2.0 255.255.255.0 192.168.55.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server NeavaLAAN protocol nt
aaa-server NeavaLAAN (neava) host fs1
nt-auth-domain-controller 192.168.55.10
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
http server enable
http 192.168.55.0 255.255.255.0 neava
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.55.0 255.255.255.0 neava
telnet timeout 5
ssh 192.168.55.0 255.255.255.0 neava
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns fs1
!
dhcpd address 192.168.56.20-192.168.56.60 dmz
dhcpd dns 213.50.29.170 interface dmz
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 212.247.117.169 source outside
webvpn
port 700
enable outside
csd image disk0:/securedesktop-asa-3.3.0.151-k9.pkg
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc image disk0:/anyconnect-linux-2.2.0140-k9.pkg 2
svc enable
port-forward AdminPortForwardings 3400 192.168.55.11 3389 Mail1 Remote Desktop
port-forward AdminPortForwardings 3401 192.168.55.10 3389 FS1 Remote Desktop
port-forward AdminPortForwardings 3410 192.168.55.101 3389 nfreluns laptop
port-forward UserPortForwarding 1433 192.168.55.10 1433 PortForwarding for Visma Tid
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.55.10
dns-server value 192.168.55.10
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value NEAVA.LAN
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 192.168.55.10
vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
banner value Welcome to the NeavaVPN Portal
wins-server value 192.168.55.10
dns-server value 192.168.55.10
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value neava.lan
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value NeavaVPN_IP_Pool
webvpn
port-forward enable UserPortForwarding
svc dpd-interval client none
svc dpd-interval gateway none
svc ask enable default webvpn
activex-relay disable
url-entry disable
group-policy AdministratorVPNGroup internal
group-policy AdministratorVPNGroup attributes
wins-server value 192.168.55.10
dns-server value 192.168.55.10
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelList
webvpn
port-forward enable AdminPortForwardings
group-policy NeavaANYConnectGroup internal
group-policy NeavaANYConnectGroup attributes
wins-server value 192.168.55.10
dns-server value 192.168.55.10
vpn-tunnel-protocol svc webvpn
group-policy NeavaVPNTunnel internal
group-policy NeavaVPNTunnel attributes
dns-server value 192.168.55.10
vpn-tunnel-protocol IPSec
default-domain value neava.lan
username nmichen password yfUJx9ftH7yq4PL9 encrypted
username nmichen attributes
vpn-group-policy AdministratorVPNGroup
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username nfrelun nopassword
username nfrelun attributes
vpn-group-policy AdministratorVPNGroup
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username nwesrii password 6ou6tA7a9qZ0W.mu encrypted
username nwesrii attributes
vpn-group-policy AdministratorVPNGroup
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username xerox password kmMdsXDe.Ue4bKGi encrypted
username xerox attributes
vpn-group-policy AdministratorVPNGroup
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultRAGroup general-attributes
address-pool NeavaVPN_IP_Pool
address-pool TEMP
authentication-server-group NeavaLAAN
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp ikev1-user-authentication none
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool NeavaVPN_IP_Pool
authentication-server-group NeavaLAAN LOCAL
authorization-server-group LOCAL
tunnel-group NeavaANYConnectVPN type remote-access
tunnel-group NeavaANYConnectVPN general-attributes
address-pool NeavaVPN_IP_Pool
authentication-server-group NeavaLAAN LOCAL
authorization-server-group LOCAL
default-group-policy NeavaANYConnectGroup
authorization-required
tunnel-group NeavaANYConnectVPN webvpn-attributes
nbns-server fs1 master timeout 4 retry 4
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 192.168.55.11
prompt hostname context
Cryptochecksum:afbe160f0d6e3cdf90d9f4d53fee7c25
: end
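An added check, written for this page and not part of the original post or of any Cisco tool: it parses the nameif, ip address, access-list, nat, global and route lines of the posted config (a constructed excerpt, with 192.0.2.1 standing in for the redacted default gateway) and applies the pre-8.3 NAT evaluation order to the flow named in the syslog message, that is nat 0 exemption first, then a matching dynamic nat rule that can only build an xlate if a global with the same NAT id exists on the egress interface.

```python
import ipaddress
ASA_CONFIG = """
! Constructed excerpt of the posted ASA 8.0(4) config; 192.0.2.1 stands in for the redacted gateway
nameif neava
ip address 192.168.55.1 255.255.255.0
access-list neava_nat0_outbound extended permit ip any 192.168.55.192 255.255.255.224
access-list neava_nat0_outbound extended permit ip any 192.168.55.240 255.255.255.248
global (outside) 1 interface
nat (neava) 0 access-list neava_nat0_outbound
nat (neava) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route neava 172.17.2.0 255.255.255.0 192.168.55.20 1
"""

def _addr(tok):  # consume one ASA address spec from the token list: any | host A | A MASK
    t = tok.pop(0)
    net = "0.0.0.0/0" if t == "any" else tok.pop(0) + "/32" if t == "host" else f"{t}/{tok.pop(0)}"
    return ipaddress.ip_network(net, strict=False)

def parse_config(text):  # -> (permit-ip ACLs, nat rules, global pools, route table)
    acls, nats, globs, routes, cur_if = {}, [], set(), [], None
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["nameif"]:
            cur_if = tok[1]
        elif tok[:2] == ["ip", "address"]:  # the connected network is a route too
            routes.append((cur_if, _addr(tok[2:])))
        elif tok[:1] == ["route"]:
            routes.append((tok[1], _addr(tok[2:])))
        elif tok[:1] == ["global"]:
            globs.add((tok[1].strip("()"), int(tok[2])))
        elif tok[:1] == ["nat"]:  # spec is an ACL name (nat 0 exemption) or a source network
            nats.append((tok[1].strip("()"), int(tok[2]), tok[4] if tok[3] == "access-list" else _addr(tok[3:])))
        elif tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            rest = tok[5:]
            acls.setdefault(tok[1], []).append((_addr(rest), _addr(rest)))
    return acls, nats, globs, routes

def check_flow(text, src_if, src, dst):
    """Pre-8.3 order: nat 0 exemption first; a matching dynamic nat then needs a global on the egress interface."""
    acls, nats, globs, routes = parse_config(text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = max((r for r in routes if dst in r[1]), key=lambda r: r[1].prefixlen)[0]  # longest prefix
    for _, nat_id, spec in sorted((n for n in nats if n[0] == src_if), key=lambda n: n[1]):
        if nat_id == 0 and any(src in s and dst in d for s, d in acls.get(spec, [])):
            return {"egress": egress, "nat_id": 0, "verdict": "exempt"}
        if nat_id and not isinstance(spec, str) and src in spec:
            ok = (egress, nat_id) in globs  # an xlate can only be built if the egress interface has a pool
            return {"egress": egress, "nat_id": nat_id, "verdict": "translated" if ok else "no-global"}
    return {"egress": egress, "nat_id": None, "verdict": "untranslated"}
```

For src neava:192.168.55.101 to dst 172.17.2.172 the route table sends the echo reply back out neava, where nat (neava) 1 matches but no global (neava) 1 exists, which is the condition the message reports; a destination on the Internet reaches global (outside) 1 and translates normally.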