Remote access VPN error no. 305005

Hello,
I have an ASA5510 preloaded with asa708 IOS, and I upgraded to version 802 and configured it for remote access VPN.
I tested the remote access VPN (to use remote desktop or telnet service for the remote user over the LAN equipment). When I connect to the ASA using the VPN client, I can connect normally but cannot access any of the LAN resources (cannot ping or telnet to any network device or remote desktop to any PC) and always get syslog ID error no. 305005, which says "no translation group found icmp src outside:XXXX dst inside:XXXX(type8, code0". Can anyone help me?
Asked by: mohamedzidan

mohamedzidan (Author) Commented:
I have two local subnets, 10.90.0.0/24 for data and 192.168.1.0/24 for voice. I have configured remote access VPN, which should use NAT 0, and also configured site-to-site VPN (for remote subnets 10.90.1.0/24 for data and 192.168.2.0/24 for voice).
The remote access user IP is 10.90.0.96/29.
I have included the configuration below, so could you check it?
Remote users (10.90.0.96/29) should be able to reach all local LAN 10.90.0.0/24 resources without NAT (NAT 0).


ASA Version 8.0(2)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description OUTSIDE INTERFACE CONNECTED DIRECT TO INTERNET
 nameif OUTSIDE
 security-level 0
 ip address 82.205.218.151 255.255.255.240
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description INSIDE INTERFACE CONNECTED TO DATA NETWORK
 nameif INSIDE
 security-level 100
 ip address 10.90.0.3 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EET 2
object-group network DM_INLINE_NETWORK_1
 network-object 10.90.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.90.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 10.90.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
access-list OUTSIDE_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list OUTSIDE_access_in extended permit ip any host 82.205.218.152
access-list OUTSIDE_access_in extended permit icmp any any
access-list INSIDE_access_in extended permit ip any host 10.90.0.9
access-list INSIDE_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
ip local pool VPN-Remote 10.90.0.100 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 10.90.0.0 255.255.255.0
static (INSIDE,OUTSIDE) 82.205.218.152 10.90.0.9 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 82.205.218.151 1
route INSIDE 192.168.1.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.90.0.0 255.255.255.0 INSIDE
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
crypto map OUTSIDE_map 1 set peer A.B.C.12
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.90.0.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.90.0.150-10.90.0.254 INSIDE
dhcpd dns A1.B1.C1.25 A1.B1.C1.9 interface INSIDE
dhcpd enable INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy HQRemoteAccess internal
group-policy HQRemoteAccess attributes
 vpn-tunnel-protocol IPSec
username test1 password k83iXWPan0Gg1s04 encrypted
username test1 attributes
 vpn-group-policy HQRemoteAccess
 vpn-tunnel-protocol IPSec
 group-lock value HQRemoteAccess
 service-type remote-access
username test password k83iXWPan0Gg1s04 encrypted privilege 0
username test attributes
 vpn-group-policy HQRemoteAccess
username mohamed password jKn1JfNi/RZnOey9 encrypted privilege 15
username mohamed attributes
 vpn-group-policy HQRemoteAccess
 vpn-tunnel-protocol IPSec
 group-lock value HQRemoteAccess
tunnel-group A.B.C.12 type ipsec-l2l
tunnel-group A.B.C.12 ipsec-attributes
 pre-shared-key *******
tunnel-group HQRemoteAccess type remote-access
tunnel-group HQRemoteAccess general-attributes
 address-pool VPN-Remote
 default-group-policy HQRemoteAccess
tunnel-group HQRemoteAccess ipsec-attributes
 pre-shared-key *******
prompt hostname context
Cryptochecksum:3e6e0f9e200065d437fd577049197ccf
: end

 
mohamedzidan (Author) Commented:
Thanks for helping me.
 
amar85 Commented:
It means:

A packet does not match any of the outbound nat command rules

This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.
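
Following the last point of the answer above (check the ACL bound to NAT 0), this added example, which is not part of the original thread, parses the NAT-exemption lines of the posted configuration and tests whether a given flow is covered by the NAT 0 ACL. The function names are illustrative, and the parser handles only the object-group ACL form used in that configuration.

```python
import ipaddress
import re

# Excerpt of the ASA configuration posted above (only the NAT-exemption parts).
CONFIG = """\
object-group network DM_INLINE_NETWORK_1
 network-object 10.90.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.90.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
"""

def parse(config):
    """Return (object-groups, ACL entries, interface -> NAT 0 ACL name)."""
    groups, acls, nat0, current = {}, {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"\s+network-object (\S+) (\S+)", line):
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"access-list (\S+) extended permit ip "
                           r"object-group (\S+) object-group (\S+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m.group(1)] = m.group(2)
    return groups, acls, nat0

def nat0_covers(config, interface, src, dst):
    """True if the NAT 0 ACL on `interface` permits the whole src -> dst flow."""
    groups, acls, nat0 = parse(config)
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for src_grp, dst_grp in acls.get(nat0.get(interface), []):
        if (any(src.subnet_of(n) for n in groups[src_grp])
                and any(dst.subnet_of(n) for n in groups[dst_grp])):
            return True
    return False

if __name__ == "__main__":
    # Destinations: the site-to-site data subnet, then the remote-access range.
    for dst in ("10.90.1.0/24", "10.90.0.96/29"):
        print(dst, nat0_covers(CONFIG, "INSIDE", "10.90.0.0/24", dst))
```

For the posted configuration, traffic from 10.90.0.0/24 to the site-to-site subnet 10.90.1.0/24 is matched by INSIDE_nat0_outbound, while traffic to the remote-access range 10.90.0.96/29 is not.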