Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Deny inbound (No xlate) icmp src

Status
Not open for further replies.

ProXXio

Technical User
Jan 13, 2011
4
NL
We are bussy to configuring a PIX 520 for making VPN connections so we can reach servers with an internal IP from a external location. On this moment we can connect the PIX with the Cisco VPN Cliënt without any problem but we can't reach the servers with the internal IP's. On the console we get the following errors:

Code:
106011: Deny inbound (No xlate) icmp src outside:10.15.10.10 dst outside:10.15.10.225 (type 0, code 0)
106011: Deny inbound (No xlate) udp src outside:10.15.10.225/138 dst outside:10.255.255.255/138

Do anybody know how to solve this error? This is my config:

Code:
PIX Version 6.3(5)145
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password ****** encrypted
passwd ****** encrypted
hostname pix
domain-name ******.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 2222
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol smtp 2525
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network public
  network-object 0.0.0.0 0.0.0.0
object-group service winserv tcp
  description Default open ports Windows Servers
  port-object range https https
  port-object eq www
  port-object eq ftp-data
  port-object range 3389 3389
  port-object eq ftp
  port-object range 5000 5004
object-group service daserv tcp
  description Open ports for servers with DirectAdmin
  port-object range 5000 5004
  port-object eq 2222
  port-object eq smtp
  port-object eq domain
  port-object eq pop3
  port-object eq ftp-data
  port-object eq 2525
  port-object eq www
  port-object eq ftp
  port-object eq 2235
access-list myacl_in permit icmp any any
access-list VPNGate_splitTunnelAcl permit ip interface inside any
access-list VPNGate_splitTunnelAcl permit ip 10.15.10.0 255.255.255.0 any
access-list VPNGate_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip interface inside 10.15.10.224 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 10.15.10.224 255.255.255.224
access-list nat0 permit ip 10.15.10.0 255.255.255.0 10.15.10.0 255.255.255.0
pager lines 24
logging console warnings
logging monitor warnings
logging buffered warnings
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xx.xx.xx.155 255.255.255.224
ip address inside 10.15.10.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 10.15.10.225-10.15.10.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nat0
nat (inside) 1 10.15.10.0 255.255.255.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group myacl_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.129 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.15.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNGate address-pool VPNPool
vpngroup VPNGate dns-server xx.xx.xx.xx
vpngroup VPNGate default-domain proxxio.net
vpngroup VPNGate split-tunnel VPNGate_splitTunnelAcl
vpngroup VPNGate idle-time 1800
vpngroup VPNGate password ********
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
console timeout 0
username Admin password ****** encrypted privilege 2
username VPNuser01 password ****** encrypted privilege 3
terminal width 80

Any help on this subject is much appreciated. Thanks in advance!!
 
change your vpn pool to be outside of the scope of your internal network. once you've changed the vpn pool be sure to change your nat0 ACL to reflect it.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
@unclerico Thanks for your reply. I had give it a try but without the wishing result. Now I got the follow error:

Code:
305005: No translation group found for icmp src outside:10.15.11.1 dst inside:10.15.10.10 (type 8, code 0)
106011: Deny inbound (No xlate) udp src outside:10.15.11.1/137 dst outside:10.255.255.255/137

This is changed:
Code:
access-list myacl_in permit icmp any any
access-list VPNGate_splitTunnelAcl permit ip interface inside any
access-list VPNGate_splitTunnelAcl permit ip 10.15.10.0 255.255.255.0 any
access-list VPNGate_splitTunnelAcl permit ip any any
access-list VPNGate_splitTunnelAcl permit ip 10.15.11.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip interface inside 10.15.11.0 255.
access-list outside_cryptomap_dyn_20 permit ip any 10.15.11.0 255.255.255.0
access-list nat0 permit ip 10.15.11.0 255.255.255.0 10.15.10.0 255.255.255.0

ip local pool VPNPool 10.15.11.1-10.15.11.254
nat (inside) 0 access-list inside_outbound_nat0_acl

Hope somebody know the solution. Thanks!
 
this
Code:
access-list inside_outbound_nat0_acl permit ip interface inside 10.15.11.0 255
should be this
Code:
access-list inside_outbound_nat0_acl permit ip 10.15.10.0 255.255.255.0 10.15.11.0 255.255.255.0
also, looking at your config i noticed that you don't have a global statement:
Code:
global (outside) 1 interface

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top