If I NAT a range on our FTD to a Pool of addresses before it goes across a VPN do I need any extra ACLs, I am seeing the traffic on the peer FTD and its now sourced from the new NAT pool, ??
@benolyndav traffic is translated before encryption, so the VPN uses the NAT ip addresses to define interesting traffic when establishing the VPN tunnel.
@benolyndav possibly, run "show crypto ipsec sa" and check the encap|decap counters are increasing for that peer, that is a good indication the tunnel is full operational. You can also run "system support firewall-engine-debug" filter on the traffic being sent over the tunnel and confirm traffic sent and receive.
@Rob Ingram I could see comunters for encpa/ecaps increasing but still wasnt able to access anything, the new Nat range could be seen on the peer Firewall as the new sourc address, any ideas. the source range is in a vrf which is allowed on acl and the new nat range has been added to the tunnel and seems to be working fine.??
@benolyndav If traffic is received on the peer end from the NAT address, that indicates you are sending the traffic over the tunnel and the peer is receiving it, perhaps they are not returning the traffic over the tunnel (routing issue their end for the return traffic)? Can the peer send traffic to your NAT address and you see this on your end? Can the peer take a packet capture on their end to confirm bi-directional traffic?
