09-30-2024 05:49 AM
Hi
If I NAT a range on our FTD to a pool of addresses before it goes across a VPN, do I need any extra ACLs? I am seeing the traffic on the peer FTD and it's now sourced from the new NAT pool.
Thanks
09-30-2024 05:55 AM
You have a S2S VPN and your local LAN is NATing to a pool of IPs?
If yes, then any IP in the pool needs to be included in the ACL of the VPN.
MHM
09-30-2024 05:58 AM
You only NAT in the situation of overlapping IP ranges; if not, I would suggest you do not NAT VPN traffic.
09-30-2024 06:12 AM
Hi @balaji.bandi
That's why I'm NATing the traffic.
Thanks
09-30-2024 10:34 AM - edited 09-30-2024 10:35 AM
In that case it should be OK; otherwise you should see only the NATed IP address pool.
Here is the concept; the same should work on FTD:
09-30-2024 06:23 AM
@benolyndav traffic is translated before encryption, so the VPN uses the NAT IP addresses to define interesting traffic when establishing the VPN tunnel.
09-30-2024 06:25 AM
@Rob Ingram
So as I am seeing the traffic on the peer firewall, and it is now seen sourced from the NAT pool range, then it should be OK?
Thanks
09-30-2024 06:29 AM
@benolyndav possibly, run "show crypto ipsec sa" and check the encap|decap counters are increasing for that peer; that is a good indication the tunnel is fully operational. You can also run "system support firewall-engine-debug", filter on the traffic being sent over the tunnel, and confirm traffic is sent and received.
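The check described above, as an added example that is not part of the original thread: it diffs two snapshots of "show crypto ipsec sa" taken a few seconds apart and reports, per peer, whether both encaps and decaps moved, or only one direction (the "sent but nothing comes back" symptom). The snapshot text is constructed to approximate the ASA/FTD LINA output format and is not real device output.

```python
import re

# Constructed snapshots resembling "show crypto ipsec sa" output (not real device output).
SNAP_T0 = """\
      current_peer: 198.51.100.20
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1490, #pkts decrypt: 1490, #pkts verify: 1490
      current_peer: 198.51.100.30
      #pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SNAP_T1 = """\
      current_peer: 198.51.100.20
      #pkts encaps: 1620, #pkts encrypt: 1620, #pkts digest: 1620
      #pkts decaps: 1605, #pkts decrypt: 1605, #pkts verify: 1605
      current_peer: 198.51.100.30
      #pkts encaps: 260, #pkts encrypt: 260, #pkts digest: 260
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_sa_counters(text):
    """Return {peer: {"encaps": n, "decaps": n}} for each SA block in the output."""
    result, peer = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            result.setdefault(peer, {})
            continue
        m = COUNTER_RE.search(line)
        if m and peer is not None:
            result[peer][m.group(1)] = int(m.group(2))
    return result


def compare_snapshots(before, after):
    """Classify each peer from the counter deltas between two snapshots."""
    prev, cur = parse_sa_counters(before), parse_sa_counters(after)
    verdict = {}
    for peer, counts in cur.items():
        old = prev.get(peer, {})
        enc_up = counts.get("encaps", 0) > old.get("encaps", 0)
        dec_up = counts.get("decaps", 0) > old.get("decaps", 0)
        if enc_up and dec_up:
            verdict[peer] = "bidirectional"       # tunnel passing traffic both ways
        elif enc_up:
            verdict[peer] = "one-way-outbound"    # we send, nothing returns: check peer routing/NAT
        elif dec_up:
            verdict[peer] = "one-way-inbound"     # peer sends, we do not reply: check our side
        else:
            verdict[peer] = "idle"                # no interesting traffic hit the SA
    return verdict
```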
10-06-2024 12:41 AM
@Rob Ingram
I could see counters for encaps/decaps increasing but still wasn't able to access anything. The new NAT range could be seen on the peer firewall as the new source address, any ideas? The source range is in a VRF which is allowed on the ACL, and the new NAT range has been added to the tunnel and seems to be working fine.
Thanks
10-06-2024 01:19 AM
@benolyndav If traffic is received on the peer end from the NAT address, that indicates you are sending the traffic over the tunnel and the peer is receiving it; perhaps they are not returning the traffic over the tunnel (routing issue at their end for the return traffic)? Can the peer send traffic to your NAT address and you see this on your end? Can the peer take a packet capture on their end to confirm bi-directional traffic?
10-06-2024 02:09 AM
Can't access anything... that's not good.
Try using:
Packet tracer remote LAN to local LAN
Packet tracer local LAN to remote LAN
Use the real IP in your packet tracer; share the result here.
MHM
09-30-2024 06:30 AM
The remote peer sees traffic from the NAT pool IP, not the real IP.
Don't worry, it's OK.
MHM