regular translation creation failed for icmp

Posted on 2009-04-14
Last Modified: 2012-05-06
I have an ASA 5505 with the internal address 192.168.55.0/24; connected to that network is another router which handles the network 172.17.2.0/24. The other router's interface towards the ASA is 192.168.55.20.

However, if I try to ping a machine from the 172.17.2.0 network, the reply gets stuck in the ASA with the following error.

regular translation creation failed for icmp src neava:192.168.55.101 dst neava:172.17.2.172 (type 0, code 0)

Here is a copy of my configuration; can someone help me with this error?
: Saved

:

ASA Version 8.0(4) 

!

hostname firewall

domain-name xxxxxx.xx

enable password  encrypted

passwd  encrypted

names

name 192.168.55.101 NEPC060 description Fredrik L LapTop

name 192.168.55.10 fs1 description Neava File Server 1

name 192.168.55.11 mail1 description Neava Mail Server

name 192.168.55.21 proxy description Neava proxy server

!

interface Vlan1

 description Neava main Network

 nameif neava

 security-level 100

 ip address 192.168.55.1 255.255.255.0 

!

interface Vlan2

 description Internet connection

 nameif outside

 security-level 0

 ip address xxx.xxx.xxx.89 255.255.255.128 

!

interface Vlan3

 description Neava DMZ

 nameif dmz

 security-level 50

 ip address 192.168.56.1 255.255.255.0 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

 switchport access vlan 3

!

interface Ethernet0/4

 switchport access vlan 4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa804-k8.bin

boot system disk0:/asa802-k8.bin

boot system disk0:/asa724-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

 domain-name neava.se

same-security-traffic permit intra-interface

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group service DM_INLINE_TCP_2 tcp

 port-object eq 2131

 port-object range 21310 21320

object-group network NeavaClients

 description Neava Clients

 network-object 192.168.55.0 255.255.255.128

 network-object 192.168.55.128 255.255.255.192

access-list neava_nat0_outbound extended permit ip any 192.168.55.192 255.255.255.224 

access-list neava_nat0_outbound extended permit ip any 192.168.55.240 255.255.255.248 

access-list outside_access_in remark Allow FTP to proxy

access-list outside_access_in extended permit tcp any interface outside eq ftp 

access-list outside_access_in remark Allow SSH to proxy

access-list outside_access_in extended permit tcp any interface outside eq ssh 

access-list outside_access_in remark Allow DNS to mail1

access-list outside_access_in extended permit object-group TCPUDP any interface outside eq domain 

access-list outside_access_in remark Allow SMTP to mail1

access-list outside_access_in extended permit tcp any interface outside eq smtp 

access-list outside_access_in remark Allow DNS to websrv

access-list outside_access_in extended permit tcp any host xxx.xxx.249.88 eq domain 

access-list outside_access_in remark Allow HTTP to websrv

access-list outside_access_in extended permit tcp any host xxx.xxx.249.88 eq www 

access-list outside_access_in remark Allow HTTP to websrv

access-list outside_access_in extended permit tcp any host xxx.xxx.249.88 eq https 

access-list outside_access_in remark Allow HTTPS to mail1

access-list outside_access_in extended permit tcp any host xxx.xxx.249.89 eq www 

access-list outside_access_in remark Allow HTTPS to mail1

access-list outside_access_in extended permit tcp any host xxx.xxx.249.89 eq https 

access-list outside_access_in remark Allow traffic to proxy for TEMS_FTP

access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_2 

access-list outside_access_in extended permit tcp any host xxx.xxx.249.79 eq ftp 

access-list outside_access_in remark Implicit rule

access-list outside_access_in extended deny ip any any log notifications 

access-list dmz_access_in extended permit ip host 192.168.56.99 host mail1 

access-list dmz_access_in extended deny ip host 192.168.56.99 192.168.55.0 255.255.255.0 

access-list dmz_access_in extended permit ip any any 

access-list SplitTunnelList standard permit 192.168.55.0 255.255.255.0 

pager lines 24

logging enable

logging timestamp

logging trap errors

logging asdm notifications

logging mail critical

logging from-address 

logging recipient-address level critical

logging host neava fs1

mtu neava 1500

mtu outside 1500

mtu dmz 1500

ip local pool NeavaVPN_IP_Pool 192.168.55.201-192.168.55.220 mask 255.255.255.0

ip local pool TEMP 192.168.55.240-192.168.55.245 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-61557.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (neava) 0 access-list neava_nat0_outbound

nat (neava) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

static (neava,outside) tcp interface https mail1 https netmask 255.255.255.255 

static (neava,outside) tcp interface 3390 NEPC060 3389 netmask 255.255.255.255 

static (neava,outside) tcp interface ftp proxy ftp netmask 255.255.255.255 

static (neava,outside) tcp interface ssh proxy ssh netmask 255.255.255.255 

static (neava,outside) tcp interface domain mail1 domain netmask 255.255.255.255 

static (neava,outside) tcp interface smtp mail1 smtp netmask 255.255.255.255 

static (neava,outside) tcp interface 8081 192.168.55.103 8081 netmask 255.255.255.255 

static (neava,outside) tcp interface 3389 fs1 3389 netmask 255.255.255.255 

static (neava,outside) tcp interface 5384 proxy 5384 netmask 255.255.255.255 

static (neava,outside) tcp interface imap4 mail1 imap4 netmask 255.255.255.255 

static (neava,outside) tcp interface 8181 proxy 8181 netmask 255.255.255.255 

static (neava,outside) tcp interface 2131 proxy 2131 netmask 255.255.255.255 

static (neava,outside) tcp interface 21320 proxy 21320 netmask 255.255.255.255 

static (neava,outside) tcp interface 21319 proxy 21319 netmask 255.255.255.255 

static (neava,outside) tcp interface 21318 proxy 21318 netmask 255.255.255.255 

static (neava,outside) tcp interface 21317 proxy 21317 netmask 255.255.255.255 

static (neava,outside) tcp interface 21316 proxy 21316 netmask 255.255.255.255 

static (neava,outside) tcp interface 21315 proxy 21315 netmask 255.255.255.255 

static (neava,outside) tcp interface 21314 proxy 21314 netmask 255.255.255.255 

static (neava,outside) tcp interface 21313 proxy 21313 netmask 255.255.255.255 

static (neava,outside) tcp interface 21312 proxy 21312 netmask 255.255.255.255 

static (neava,outside) tcp interface 21311 proxy 21311 netmask 255.255.255.255 

static (neava,outside) tcp interface 21310 proxy 21310 netmask 255.255.255.255 

static (neava,outside) tcp interface 8105 192.168.55.111 8105 netmask 255.255.255.255 

static (neava,outside) tcp interface 8104 192.168.55.111 8104 netmask 255.255.255.255 

static (neava,outside) tcp interface 8103 192.168.55.111 8103 netmask 255.255.255.255 

static (neava,outside) tcp interface 8102 192.168.55.111 8102 netmask 255.255.255.255 

static (neava,outside) tcp interface 8101 192.168.55.111 8101 netmask 255.255.255.255 

static (dmz,outside) tcp xxx.xxx.249.88 www 192.168.56.99 www netmask 255.255.255.255 

static (neava,outside) tcp xxx.xxx.249.79 ftp NEPC060 ftp netmask 255.255.255.255 

static (neava,dmz) xxx.xxx.249.89 mail1 netmask 255.255.255.255 

static (neava,dmz) 192.168.55.128 192.168.55.128 netmask 255.255.255.192 

static (neava,dmz) 192.168.55.0 192.168.55.0 netmask 255.255.255.128 

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 xxx.xxx.249.1 1

route neava 172.17.2.0 255.255.255.0 192.168.55.20 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server NeavaLAAN protocol nt

aaa-server NeavaLAAN (neava) host fs1

 nt-auth-domain-controller 192.168.55.10

nac-policy DfltGrpPolicy-nac-framework-create nac-framework

 reval-period 36000

 sq-period 300

http server enable

http 192.168.55.0 255.255.255.0 neava

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set pfs 

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 40 set pfs group1

crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 60 set pfs group1

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 80 set pfs group1

crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 192.168.55.0 255.255.255.0 neava

telnet timeout 5

ssh 192.168.55.0 255.255.255.0 neava

ssh timeout 5

ssh version 2

console timeout 0

dhcpd dns fs1

!

dhcpd address 192.168.56.20-192.168.56.60 dmz

dhcpd dns 213.50.29.170 interface dmz

!
 

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 212.247.117.169 source outside

webvpn

 port 700

 enable outside

 csd image disk0:/securedesktop-asa-3.3.0.151-k9.pkg

 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1

 svc image disk0:/anyconnect-linux-2.2.0140-k9.pkg 2

 svc enable

 port-forward AdminPortForwardings 3400 192.168.55.11 3389 Mail1 Remote Desktop

 port-forward AdminPortForwardings 3401 192.168.55.10 3389 FS1 Remote Desktop

 port-forward AdminPortForwardings 3410 192.168.55.101 3389 nfreluns laptop

 port-forward UserPortForwarding 1433 192.168.55.10 1433 PortForwarding for Visma Tid

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

 wins-server value 192.168.55.10

 dns-server value 192.168.55.10

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 default-domain value NEAVA.LAN

group-policy DefaultRAGroup_1 internal

group-policy DefaultRAGroup_1 attributes

 dns-server value 192.168.55.10

 vpn-tunnel-protocol l2tp-ipsec 

group-policy DfltGrpPolicy attributes

 banner value Welcome to the NeavaVPN Portal

 wins-server value 192.168.55.10

 dns-server value 192.168.55.10

 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

 default-domain value neava.lan

 nac-settings value DfltGrpPolicy-nac-framework-create

 address-pools value NeavaVPN_IP_Pool

 webvpn

  port-forward enable UserPortForwarding

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc ask enable default webvpn

  activex-relay disable

  url-entry disable

group-policy AdministratorVPNGroup internal

group-policy AdministratorVPNGroup attributes

 wins-server value 192.168.55.10

 dns-server value 192.168.55.10

 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value SplitTunnelList

 webvpn

  port-forward enable AdminPortForwardings

group-policy NeavaANYConnectGroup internal

group-policy NeavaANYConnectGroup attributes

 wins-server value 192.168.55.10

 dns-server value 192.168.55.10

 vpn-tunnel-protocol svc webvpn

group-policy NeavaVPNTunnel internal

group-policy NeavaVPNTunnel attributes

 dns-server value 192.168.55.10

 vpn-tunnel-protocol IPSec 

 default-domain value neava.lan

username nmichen password yfUJx9ftH7yq4PL9 encrypted

username nmichen attributes

 vpn-group-policy AdministratorVPNGroup

 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username nfrelun nopassword

username nfrelun attributes

 vpn-group-policy AdministratorVPNGroup

 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username nwesrii password 6ou6tA7a9qZ0W.mu encrypted

username nwesrii attributes

 vpn-group-policy AdministratorVPNGroup

 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username xerox password kmMdsXDe.Ue4bKGi encrypted

username xerox attributes

 vpn-group-policy AdministratorVPNGroup

 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

tunnel-group DefaultRAGroup general-attributes

 address-pool NeavaVPN_IP_Pool

 address-pool TEMP

 authentication-server-group NeavaLAAN

 default-group-policy DefaultRAGroup_1

tunnel-group DefaultRAGroup ipsec-attributes

 pre-shared-key *

 peer-id-validate nocheck

 isakmp ikev1-user-authentication none

tunnel-group DefaultWEBVPNGroup general-attributes

 address-pool NeavaVPN_IP_Pool

 authentication-server-group NeavaLAAN LOCAL

 authorization-server-group LOCAL

tunnel-group NeavaANYConnectVPN type remote-access

tunnel-group NeavaANYConnectVPN general-attributes

 address-pool NeavaVPN_IP_Pool

 authentication-server-group NeavaLAAN LOCAL

 authorization-server-group LOCAL

 default-group-policy NeavaANYConnectGroup

 authorization-required

tunnel-group NeavaANYConnectVPN webvpn-attributes

 nbns-server fs1 master timeout 4 retry 4

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

smtp-server 192.168.55.11

prompt hostname context 

Cryptochecksum:afbe160f0d6e3cdf90d9f4d53fee7c25

: end

Question by:eplfrlu
Accepted Solution

by: JFrederick29
ID: 24137562
This isn't going to work due to the nature of stateful connections traversing the firewall.

What you have to do to enable communication between the two networks is set the 192.168.55.0/24 clients' default gateway to 192.168.55.20 (the router instead of the ASA) and make sure the 192.168.55.20 router has a default route via the ASA (192.168.55.1). This is the only way TCP connections are going to work between these networks without adding routes to each 192.168.55.0 PC (another option if willing).
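An added model (not code from the post, nor Cisco's) of the NAT decision that produces the asker's log line, built only from the route, nat and global entries in the posted configuration. It assumes pre-8.3 ASA behaviour, where a flow matching a nat id needs a global with that id on its egress interface; it leaves out the static entries, so it only describes flows entering on neava, and the function names and the addresses 198.51.100.7 and 172.17.2.5 are constructed for the example. Beyond the asker's ping, it shows that a TCP connection from the LAN to the other network fails the same check, and that the router's default route via the ASA still works for internet-bound traffic, which is the arrangement the accepted answer describes.

```python
"""Pre-8.3 ASA NAT check modelled from the posted configuration (added example, not Cisco code)."""
from ipaddress import ip_address, ip_network

# Directly connected subnets per nameif (the outside address is masked in the post)
CONNECTED = {"neava": ip_network("192.168.55.0/24"), "dmz": ip_network("192.168.56.0/24")}
# 'route neava 172.17.2.0 255.255.255.0 192.168.55.20' and the default route, most specific first
STATIC_ROUTES = [(ip_network("172.17.2.0/24"), "neava"), (ip_network("0.0.0.0/0"), "outside")]
# 'nat (neava) 1 0.0.0.0 0.0.0.0' (statics and the dmz side are left out of this model)
NAT_IDS = {"neava": 1}
# 'global (outside) 1 interface' is the only global: there is none for neava
GLOBALS = {("outside", 1)}
# 'nat (neava) 0 access-list neava_nat0_outbound': destinations exempt from translation
NAT0_EXEMPT_DST = [ip_network("192.168.55.192/27"), ip_network("192.168.55.240/29")]


def egress_for(dst):
    """Route lookup: connected subnets win, then the ordered static routes."""
    for iface, net in CONNECTED.items():
        if dst in net:
            return iface
    for net, iface in STATIC_ROUTES:
        if dst in net:
            return iface
    raise ValueError(f"no route to {dst}")


def first_packet_verdict(ingress, src, dst, proto, detail=""):
    """Verdict for the first packet of a new flow, worded like the ASA's own log line.

    Assumed rule (pre-8.3 NAT): a packet matching a 'nat' id needs a 'global' with
    that id on its egress interface; otherwise no xlate can be built and it drops.
    """
    src, dst = ip_address(src), ip_address(dst)
    egress = egress_for(dst)
    if ingress == "neava" and any(dst in net for net in NAT0_EXEMPT_DST):
        return f"permit: nat 0 exemption, {ingress}->{egress} untranslated"
    nat_id = NAT_IDS.get(ingress)
    if nat_id is None:
        return f"permit: no nat rule on {ingress}, {ingress}->{egress} untranslated"
    if (egress, nat_id) not in GLOBALS:
        # The U-turn case: the flow matches nat id 1 on neava, but egress is also neava, which has no global
        return (f"drop: regular translation creation failed for {proto} "
                f"src {ingress}:{src} dst {egress}:{dst}{detail}")
    return f"permit: {ingress}->{egress} translated by global id {nat_id} on {egress}"


if __name__ == "__main__":
    # The asker's flow: echo reply (type 0) from the laptop to 172.17.2.172, with the ASA as gateway
    print(first_packet_verdict("neava", "192.168.55.101", "172.17.2.172", "icmp", " (type 0, code 0)"))
    # A TCP connection from the LAN (fs1) to a constructed host on the other network fails the same way
    print(first_packet_verdict("neava", "192.168.55.10", "172.17.2.5", "tcp"))
    # Internet-bound traffic arriving from the router still works: egress is outside, which has global 1
    print(first_packet_verdict("neava", "172.17.2.172", "198.51.100.7", "tcp"))
```

Running it prints the asker's exact log line for the first case, a matching drop for the TCP case, and a permit for the internet-bound flow; the nat 0 destinations (the VPN pools) are the only neava-to-neava flows this configuration passes.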