I have a question.
I am in the process of installing a new Cisco VPN 3020 concentrator into my PIX DMZ (perimeter) interface. What I am having problems with is getting the NAT translations to work correctly. Originally my current VPN 3005 resides on its own interface on the pix and I want to free up this port for another use.
What I have is this.
The DMZ subnet is 192.168.0.X/24.
The private interface of the concentrator has been given the IP 192.168.0.10.
The IP addresses configured for the concentrator to hand out to clients are 192.168.201.X, 192.168.202.X, 203.X, 204.X and 205.X, etc.
What is happening is the following:
I can connect to the concentrator in the DMZ via the Cisco VPN client. When I try to access resources on the internal network I get the following error:
305005: No translation group found for udp src dmz:192.168.202.1/3571 dst inside:10.x.x.x/53
Here are the NATs etc:
The vpndmz is the current port the old concentrator is connected to
global (outside) 1 interface
global (dmz) 1 192.168.0.3
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.195.0 255.255.255.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 192.168.0.0 255.255.255.0 0 0
nat (dmz) 1 192.168.202.0 255.255.255.0 0 0
nat (vpndmz) 1 192.168.201.0 255.255.255.0 0 0
nat (vpndmz) 1 192.168.203.0 255.255.255.0 0 0
nat (vpndmz) 1 192.168.204.0 255.255.255.0 0 0
nat (vpndmz) 1 192.168.205.0 255.255.255.0 0 0
.
static (inside,vpndmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
static (inside,vpndmz) 192.168.201.0 192.168.201.0 netmask 255.255.255.0 0 0
static (inside,vpndmz) 192.168.203.0 192.168.203.0 netmask 255.255.255.0 0 0
static (inside,vpndmz) 192.168.204.0 192.168.204.0 netmask 255.255.255.0 0 0
static (inside,vpndmz) 192.168.205.0 192.168.205.0 netmask 255.255.255.0 0 0
This is the IP address range that the concentrator will give out to the clients when they log in (192.168.202.0)
static (inside,dmz) 192.168.202.0 10.0.0.0 netmask 255.255.255.0 0 0
I am testing with the 192.168.202.0 subnet... once I get this working then I can move the rest over.
I have tried a couple of different variations of NATing to no avail.
Any help would be appreciated.
Mark
Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com
With more than 10 years experience to share.
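Added example, not from the post above: a small Python model of the static lookup that the 305005 message reports as missing. It assumes the PIX 6.x rule that a flow from a lower-security interface (dmz) to a higher one (inside) must be covered by a static (or nat 0) on the higher-security interface, uses the posted static lines, replaces the masked 10.x.x.x with a constructed 10.1.2.3, and adds a hypothetical identity static modelled on the poster's existing vpndmz one.

```python
import ipaddress
import re

# Pattern for the PIX 305005 message quoted in the post.
MSG_305005 = re.compile(
    r"305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/\d+"
)
# Constructed log line: the poster's masked 10.x.x.x replaced by 10.1.2.3.
SAMPLE_LOG = ("305005: No translation group found for udp "
              "src dmz:192.168.202.1/3571 dst inside:10.1.2.3/53")

# static (real_if,mapped_if) mapped real netmask ...  ->  (real_if, mapped_if, mapped_net, real_net)
# These are the poster's own static lines (the remaining vpndmz ones are analogous).
POSTED_STATICS = [
    ("inside", "vpndmz", "10.0.0.0/8", "10.0.0.0/8"),
    ("inside", "vpndmz", "192.168.201.0/24", "192.168.201.0/24"),
    ("inside", "dmz", "192.168.202.0/24", "10.0.0.0/24"),
]
# Hypothetical identity static for the new interface, modelled on the vpndmz one above.
IDENTITY_STATIC = ("inside", "dmz", "10.0.0.0/8", "10.0.0.0/8")


def parse_305005(line):
    """Extract interfaces and addresses from a 305005 message, or None if it does not match."""
    m = MSG_305005.match(line)
    return m.groupdict() if m else None


def find_static(src_if, dst_if, dst_ip, statics):
    """Return the real address a static yields for a packet entering on src_if towards
    dst_ip on dst_if. None means no static covers it, which is when PIX logs 305005."""
    dst = ipaddress.ip_address(dst_ip)
    for real_if, mapped_if, mapped_net, real_net in statics:
        mapped = ipaddress.ip_network(mapped_net)
        if real_if == dst_if and mapped_if == src_if and dst in mapped:
            offset = int(dst) - int(mapped.network_address)  # keep the host part
            return str(ipaddress.ip_network(real_net).network_address + offset)
    return None


def check_log_line(line, statics):
    """Parse a 305005 line and report which real address (if any) the statics would give it."""
    f = parse_305005(line)
    return find_static(f["src_if"], f["dst_if"], f["dst"], statics) if f else None
```

With the posted statics the flow finds nothing (the dmz static only covers destinations inside 192.168.202.0/24, i.e. it presents inside 10.0.0.0/24 on the dmz, not the reverse); with the identity static added it resolves to the inside host.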