Solved

regular translation creation failed for icmp

Posted on 2009-04-14
Last Modified: 2012-05-06
I have an ASA 5505 with the internal address 192.168.55.0/24. Connected to that network is another router which handles the network 172.17.2.0/24. The other router's interface towards the ASA is 192.168.55.20.

However, if I try to ping a machine from the 172.17.2.0 network, the reply gets stuck in the ASA with the following error:

regular translation creation failed for icmp src neava:192.168.55.101 dst neava:172.17.2.172 (type 0, code 0)

Here is a copy of my configuration; can someone help me with this error?
: Saved
:
ASA Version 8.0(4) 
!
hostname firewall
domain-name xxxxxx.xx
enable password  encrypted
passwd  encrypted
names
name 192.168.55.101 NEPC060 description Fredrik L LapTop
name 192.168.55.10 fs1 description Neava File Server 1
name 192.168.55.11 mail1 description Neava Mail Server
name 192.168.55.21 proxy description Neava proxy server
!
interface Vlan1
 description Neava main Network
 nameif neava
 security-level 100
 ip address 192.168.55.1 255.255.255.0 
!
interface Vlan2
 description Internet connection
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.89 255.255.255.128 
!
interface Vlan3
 description Neava DMZ
 nameif dmz
 security-level 50
 ip address 192.168.56.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
boot system disk0:/asa802-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name neava.se
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 2131
 port-object range 21310 21320
object-group network NeavaClients
 description Neava Clients
 network-object 192.168.55.0 255.255.255.128
 network-object 192.168.55.128 255.255.255.192
access-list neava_nat0_outbound extended permit ip any 192.168.55.192 255.255.255.224 
access-list neava_nat0_outbound extended permit ip any 192.168.55.240 255.255.255.248 
access-list outside_access_in remark Allow FTP to proxy
access-list outside_access_in extended permit tcp any interface outside eq ftp 
access-list outside_access_in remark Allow SSH to proxy
access-list outside_access_in extended permit tcp any interface outside eq ssh 
access-list outside_access_in remark Allow DNS to mail1
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq domain 
access-list outside_access_in remark Allow SMTP to mail1
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in remark Allow DNS to websrv
access-list outside_access_in extended permit tcp any host xxx.xxx.249.88 eq domain 
access-list outside_access_in remark Allow HTTP to websrv
access-list outside_access_in extended permit tcp any host xxx.xxx.249.88 eq www 
access-list outside_access_in remark Allow HTTP to websrv
access-list outside_access_in extended permit tcp any host xxx.xxx.249.88 eq https 
access-list outside_access_in remark Allow HTTPS to mail1
access-list outside_access_in extended permit tcp any host xxx.xxx.249.89 eq www 
access-list outside_access_in remark Allow HTTPS to mail1
access-list outside_access_in extended permit tcp any host xxx.xxx.249.89 eq https 
access-list outside_access_in remark Allow traffic to proxy for TEMS_FTP
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit tcp any host xxx.xxx.249.79 eq ftp 
access-list outside_access_in remark Implicit rule
access-list outside_access_in extended deny ip any any log notifications 
access-list dmz_access_in extended permit ip host 192.168.56.99 host mail1 
access-list dmz_access_in extended deny ip host 192.168.56.99 192.168.55.0 255.255.255.0 
access-list dmz_access_in extended permit ip any any 
access-list SplitTunnelList standard permit 192.168.55.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm notifications
logging mail critical
logging from-address 
logging recipient-address level critical
logging host neava fs1
mtu neava 1500
mtu outside 1500
mtu dmz 1500
ip local pool NeavaVPN_IP_Pool 192.168.55.201-192.168.55.220 mask 255.255.255.0
ip local pool TEMP 192.168.55.240-192.168.55.245 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61557.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (neava) 0 access-list neava_nat0_outbound
nat (neava) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (neava,outside) tcp interface https mail1 https netmask 255.255.255.255 
static (neava,outside) tcp interface 3390 NEPC060 3389 netmask 255.255.255.255 
static (neava,outside) tcp interface ftp proxy ftp netmask 255.255.255.255 
static (neava,outside) tcp interface ssh proxy ssh netmask 255.255.255.255 
static (neava,outside) tcp interface domain mail1 domain netmask 255.255.255.255 
static (neava,outside) tcp interface smtp mail1 smtp netmask 255.255.255.255 
static (neava,outside) tcp interface 8081 192.168.55.103 8081 netmask 255.255.255.255 
static (neava,outside) tcp interface 3389 fs1 3389 netmask 255.255.255.255 
static (neava,outside) tcp interface 5384 proxy 5384 netmask 255.255.255.255 
static (neava,outside) tcp interface imap4 mail1 imap4 netmask 255.255.255.255 
static (neava,outside) tcp interface 8181 proxy 8181 netmask 255.255.255.255 
static (neava,outside) tcp interface 2131 proxy 2131 netmask 255.255.255.255 
static (neava,outside) tcp interface 21320 proxy 21320 netmask 255.255.255.255 
static (neava,outside) tcp interface 21319 proxy 21319 netmask 255.255.255.255 
static (neava,outside) tcp interface 21318 proxy 21318 netmask 255.255.255.255 
static (neava,outside) tcp interface 21317 proxy 21317 netmask 255.255.255.255 
static (neava,outside) tcp interface 21316 proxy 21316 netmask 255.255.255.255 
static (neava,outside) tcp interface 21315 proxy 21315 netmask 255.255.255.255 
static (neava,outside) tcp interface 21314 proxy 21314 netmask 255.255.255.255 
static (neava,outside) tcp interface 21313 proxy 21313 netmask 255.255.255.255 
static (neava,outside) tcp interface 21312 proxy 21312 netmask 255.255.255.255 
static (neava,outside) tcp interface 21311 proxy 21311 netmask 255.255.255.255 
static (neava,outside) tcp interface 21310 proxy 21310 netmask 255.255.255.255 
static (neava,outside) tcp interface 8105 192.168.55.111 8105 netmask 255.255.255.255 
static (neava,outside) tcp interface 8104 192.168.55.111 8104 netmask 255.255.255.255 
static (neava,outside) tcp interface 8103 192.168.55.111 8103 netmask 255.255.255.255 
static (neava,outside) tcp interface 8102 192.168.55.111 8102 netmask 255.255.255.255 
static (neava,outside) tcp interface 8101 192.168.55.111 8101 netmask 255.255.255.255 
static (dmz,outside) tcp xxx.xxx.249.88 www 192.168.56.99 www netmask 255.255.255.255 
static (neava,outside) tcp xxx.xxx.249.79 ftp NEPC060 ftp netmask 255.255.255.255 
static (neava,dmz) xxx.xxx.249.89 mail1 netmask 255.255.255.255 
static (neava,dmz) 192.168.55.128 192.168.55.128 netmask 255.255.255.192 
static (neava,dmz) 192.168.55.0 192.168.55.0 netmask 255.255.255.128 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.249.1 1
route neava 172.17.2.0 255.255.255.0 192.168.55.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server NeavaLAAN protocol nt
aaa-server NeavaLAAN (neava) host fs1
 nt-auth-domain-controller 192.168.55.10
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http 192.168.55.0 255.255.255.0 neava
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.55.0 255.255.255.0 neava
telnet timeout 5
ssh 192.168.55.0 255.255.255.0 neava
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns fs1
!
dhcpd address 192.168.56.20-192.168.56.60 dmz
dhcpd dns 213.50.29.170 interface dmz
!
 
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 212.247.117.169 source outside
webvpn
 port 700
 enable outside
 csd image disk0:/securedesktop-asa-3.3.0.151-k9.pkg
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.2.0140-k9.pkg 2
 svc enable
 port-forward AdminPortForwardings 3400 192.168.55.11 3389 Mail1 Remote Desktop
 port-forward AdminPortForwardings 3401 192.168.55.10 3389 FS1 Remote Desktop
 port-forward AdminPortForwardings 3410 192.168.55.101 3389 nfreluns laptop
 port-forward UserPortForwarding 1433 192.168.55.10 1433 PortForwarding for Visma Tid
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.168.55.10
 dns-server value 192.168.55.10
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 default-domain value NEAVA.LAN
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 192.168.55.10
 vpn-tunnel-protocol l2tp-ipsec 
group-policy DfltGrpPolicy attributes
 banner value Welcome to the NeavaVPN Portal
 wins-server value 192.168.55.10
 dns-server value 192.168.55.10
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value neava.lan
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value NeavaVPN_IP_Pool
 webvpn
  port-forward enable UserPortForwarding
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask enable default webvpn
  activex-relay disable
  url-entry disable
group-policy AdministratorVPNGroup internal
group-policy AdministratorVPNGroup attributes
 wins-server value 192.168.55.10
 dns-server value 192.168.55.10
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelList
 webvpn
  port-forward enable AdminPortForwardings
group-policy NeavaANYConnectGroup internal
group-policy NeavaANYConnectGroup attributes
 wins-server value 192.168.55.10
 dns-server value 192.168.55.10
 vpn-tunnel-protocol svc webvpn
group-policy NeavaVPNTunnel internal
group-policy NeavaVPNTunnel attributes
 dns-server value 192.168.55.10
 vpn-tunnel-protocol IPSec 
 default-domain value neava.lan
username nmichen password yfUJx9ftH7yq4PL9 encrypted
username nmichen attributes
 vpn-group-policy AdministratorVPNGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username nfrelun nopassword
username nfrelun attributes
 vpn-group-policy AdministratorVPNGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username nwesrii password 6ou6tA7a9qZ0W.mu encrypted
username nwesrii attributes
 vpn-group-policy AdministratorVPNGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username xerox password kmMdsXDe.Ue4bKGi encrypted
username xerox attributes
 vpn-group-policy AdministratorVPNGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultRAGroup general-attributes
 address-pool NeavaVPN_IP_Pool
 address-pool TEMP
 authentication-server-group NeavaLAAN
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp ikev1-user-authentication none
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool NeavaVPN_IP_Pool
 authentication-server-group NeavaLAAN LOCAL
 authorization-server-group LOCAL
tunnel-group NeavaANYConnectVPN type remote-access
tunnel-group NeavaANYConnectVPN general-attributes
 address-pool NeavaVPN_IP_Pool
 authentication-server-group NeavaLAAN LOCAL
 authorization-server-group LOCAL
 default-group-policy NeavaANYConnectGroup
 authorization-required
tunnel-group NeavaANYConnectVPN webvpn-attributes
 nbns-server fs1 master timeout 4 retry 4
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 192.168.55.11
prompt hostname context 
Cryptochecksum:afbe160f0d6e3cdf90d9f4d53fee7c25
: end
asdm image disk0:/asdm-61557.bin
asdm history enable

Question by:eplfrlu
Accepted Solution

by: JFrederick29
ID: 24137562
This isn't going to work due to the nature of stateful connections traversing the firewall.

What you have to do to enable communication between the two networks is set the 192.168.55.0/24 clients' default gateway to 192.168.55.20 (the router instead of the ASA) and make sure the 192.168.55.20 router has a default route via the ASA (192.168.55.1). This is the only way TCP connections are going to work between these networks without adding routes to each 192.168.55.0 PC (another option if willing).
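A worked configuration for the fix described in the accepted answer, added here as an example; it is not taken from the question or the answer. The router side assumes Cisco IOS syntax, and the interface name FastEthernet0/0 is a placeholder (the router's own configuration is not on the page). The ASA lines reuse the interface name, addresses and ACL name from the posted config. The NAT-exemption part is my reading of why the logged message fires: the echo reply from 192.168.55.101 to 172.17.2.172 enters and leaves the same "neava" interface (permitted by "same-security-traffic permit intra-interface"), matches "nat (neava) 1 0.0.0.0 0.0.0.0", and there is no "global (neava) 1" to translate it with, so the xlate cannot be built. Exempting that flow from NAT clears the message for traffic that still hairpins on the ASA; it does not change the asymmetric return path the answer describes, which is why the gateway change remains the actual fix.

```cisco
! === Router on the 172.17.2.0/24 side (IOS syntax assumed; not on the page) ===
! Keep 192.168.55.20 on the shared LAN and send everything else to the ASA.
! With the 192.168.55.0/24 clients pointed at 192.168.55.20 as default gateway,
! 192.168.55.x <-> 172.17.2.x stays on the router in both directions, so the
! ASA never sees only one half of a conversation.
interface FastEthernet0/0
 description Link to Neava LAN / ASA (interface name is a placeholder)
 ip address 192.168.55.20 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.55.1

! === ASA: route to the remote LAN (already in the posted config, for context) ===
! Traffic the ASA still receives for 172.17.2.0/24 (from the DMZ, VPN pools,
! or Internet returns) is forwarded to the router.
route neava 172.17.2.0 255.255.255.0 192.168.55.20 1

! === ASA: stop "regular translation creation failed" for hairpinned flows ===
! Assumption: a neava->neava packet such as 192.168.55.101 -> 172.17.2.172
! matches "nat (neava) 1 0.0.0.0 0.0.0.0" but has no "global (neava) 1", so no
! xlate can be created. Adding the flow to the existing nat 0 ACL exempts it.
! Only the access-list line is new; the nat 0 statement is already present.
access-list neava_nat0_outbound extended permit ip 192.168.55.0 255.255.255.0 172.17.2.0 255.255.255.0
nat (neava) 0 access-list neava_nat0_outbound

! === Verification from the ASA CLI ===
! Replay the exact flow from the log message (ICMP type 0 = echo reply) and
! confirm the NAT phase now reports ALLOW rather than DROP.
packet-tracer input neava icmp 192.168.55.101 0 0 172.17.2.172
! After the gateway change the ASA should hold no xlate or conn for this pair:
show xlate | include 172.17.2
show conn address 172.17.2.172
```

The access-list entry is scoped to 192.168.55.0/24 rather than "any" so that it does not widen the VPN-pool exemptions already in neava_nat0_outbound; order in that ACL does not matter here because the entries do not overlap.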