VPN with NAT ip address

ChaneySys · ‎06-13-2019

Hello,

I am trying to setup site to site VPN with NAT ip address inside. I can ping through to the absolute destination but cannot ping through to the NAT ip address.

VPN Tun inside NAT

10.0.0.0 <->2.2.2.2 ________ 3.3.3.3 <-> 4.4.4.4__________172.17.0.4

I can ping from 10.0.0.0 network to 172.17.0.4. I cannot ping the 4.4.4.4 address across tunnel even though it is included in my no nat.

Any advice on how to allow connections on inside NAT through site to site VPN tunnel?

GRANT3779 · ‎06-13-2019

Not so clear on what you are asking but do you have have a route to the 4.4.4.4 from the 10.0.0.0 network?

ChaneySys · ‎06-13-2019

Sorry for confusion,

There is no route. The 4.4.4.4 is nat'd on the inside interface.

object network obj_172.17.0.4
nat (inside,any) static 4.4.4.4

inside interface of ASA is 4.4.4.1/24

Here is my other post about that, that someone helped me on. https://community.cisco.com/t5/firewalls/cisco-asa-public-and-private-network-on-inside-interface/td-p/3867384

So the NAT is working and the host comes out and I can publicly get to the 4.4.4.4 correctly. But when the VPN is connected I can no longer get to 4.4.4.4 just 172.17.0.4.

GRANT3779 · ‎06-13-2019

Hi Chanesys, I'm still unclear on the setup tbh :-) Is the NAT address included in the encryption domain? You would still need a route pointing out the interface with the attached crypto map if there is no default route.

Might be worth sharing the config of each end of the VPN.

ChaneySys · ‎06-13-2019

There is no route. They are in the outside crypto map.

So i have 4.4.4.4 and 172.17.0.0/24 in the crypto map. It would take me some time to get both ends of the VPN and sanitize them. I could try later today.

The issue is I am double NATing I believe on the inside. I tried to add a hairpin NAT with no change in behavior.

Attached is a drawing if it would help.