Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
290
Views
0
Helpful
1
Replies

Redirecting and NATting traffic from one VPN-Tunnel to another

amir.glibic
Level 1
Level 1

‎09-22-2014 08:24 AM - edited ‎03-11-2019 09:48 PM

Hello,

I'm currently facing a problem in our environment, of which I'm not sure how to solve.

There are 3 Firewalls: 

 

"Customer" -----vpn------ "IT"------vpn------ "DC"

 

There is a VPN tunnel between "Customer" and "IT" that is working. No NAT is used. Access to a DMZ on "IT" is working properly.

Now the customer came with another request: They need a tunnel between "IT" and "DC", so that clients from "Customer"-DMZ can connect to a server "DC"-DMZ, with our "IT"-FW in the middle.

Unfortunately, "DC" has the Subnet already in use, so they gave us a free IP to "PAT" the traffic towards them.

We have already a similar construct in use, which is working, but there is no NAT/PAT in between.

 

On "IT"-FW the tunnels are both established on the outside interface. 

"same-security-traffic permit intra-interface" command is set.

 

 

In this case I get the packets from Customer, but they are not forwarded properly to the DC. According to a packet trace, it is a NAT-Problem.

The NAT command that we use on "IT"-FW is:


nat (outside,outside) source dynamic obj-192.168.1.0 obj-10.100.1.1 destination static obj-10.1.0.0 obj-10.1.0.0

 

obj-192.168.1.0 -> Client network

obj-10.100.1.1 -> IP for PAT towards "DC"

obj-10.1.0.0 -> IP range at "DC", where servers are located

 

Packet-Trace:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

 

 

Any ideas?

 

BR
Amir

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎09-22-2014 10:52 AM

Hi,

 

Any reason why you are not configuring the L2L VPN connection directly between the 2 firewall/vpn devices? I understood that you currently have the connections going through 2 L2L VPN connections?

 

I don't think you are able to use "packet-tracer" to test/simulate a packet incoming from a VPN connection going to another VPN connection.

 

I would also suggest doing possible NAT configuration closes to the user. So you could do the Dynamic Policy PAT on Customer firewall.

 

The actual NAT configuration seems fine.

 

Have you checked your Crypto ACLs that they hold the correct subnets/addresses? I guess if you tried with your current setup the Crypto ACLs should hold the following subnets/addresses on the IT firewall

 

Customer to IT: Real Customer subnet as source and Real DC subnet as the destination

IT to DC: Dynamic Policy PAT IP address as the source and Real DC subnet as the destination (As NAT is applied before any VPN related is matched)

 

When you test traffic from Customer subnet can you see the Dynamic Policy PAT being applied on the IT firewall? Can you see any packets being encapsulated to the IT -> DC L2L VPN connection?


You can use the following command to show the information

 

show crypto ipsec sa peer <peer ip>

 

- Jouni

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card