ipsec vpn issue

mistryj
Level 1

Hi All,

I am having issues with inbound access from network 200.200.10.0.

Outbound traffic from 10.10.10.0 is working fine to 200.200.10.0 via NAT IP 193.50.50.103

I have attached config.

Any ideas ?

15 Replies

Borgenstrand
Level 1

Hi,
Can you give us the config from the other end of the VPN site-to-site link?


crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 3600

I cannot find the crypto isakmp key command, if that is the one used; if not, how is the authentication shared between the VPN routers?

Hi,

I have a crypto tunnel between Cisco and VMware vShield which is UP and working. No issues with encryption.

I can ping fine from 10.10.10.x to 200.200.10.x no problem.

10.10.10.0--->Cisco-----IP NAT 193.50.50.103 ----->VMware Vshield ----> 200.200.10.0

But return traffic, i.e. ping from network 200.200.10.x/24 to 10.10.10.0/24, does not work ???

Any ideas ?

Hi,

Can you please share the output of the commands below from the router?

show crypto session

show crypto ipsec sa

show crypto isakmp sa

trace 200.200.10.x source GigabitEthernet0/1

Sheshu.

All,

I am also attaching VMware screenshots with the router outputs above.

No NAT, no static routes defined in the GUI.

Hi mistryj,

Successful ping from the 10 network to the 20 network and not vice versa is correct behavior as per the configuration at both ends.

Because, when you initiate traffic from 10 to 20, this is what happens.

10 gets NATed to the public IP and goes over the tunnel to the other end; the other end knows how to reach 20, and 20 replies back to the NATed public IP over the tunnel. The reply reaches our router, which knows this is return traffic to the public IP that was NATed on the way out, and reverses the NAT. Hence the ping is successful.

This is what happens when you initiate traffic to the 10 network from 20.

It reaches vShield, and since vShield doesn't know how to reach the 10 network, it drops the traffic.

Hope this explains it and is useful. :)

Regards,

Sheshu.

Hi Sheshu,

Yes, but I cannot ping from the 200.200.10.10 server to servers on the 10 network?

What change do I need to make ?

As far as I know, the following might help.

1. At the router end, you need to update the crypto ACL crypto_map_TEST-BOX; add the line below.

permit ip 10.10.10.0 0.0.0.255 200.200.10.0 0.0.0.255

2. At the router end, you need to update ACL TEST-BOX-NAT; add the line below, and it should be at the top of the ACL.

deny ip 10.10.10.0 0.0.0.255 200.200.10.0 0.0.0.255

3. At the vShield end, you need to do the same as line 1 in reverse: permit traffic from 200.200.10.0/24 to 10.10.10.0/24.

4. Also write a route for 10.10.10.0/24 in vShield to route over the crypto VPN tunnel.

I believe this should do.

Regards,

Sheshu.
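
A small model of the two ACL changes in Sheshu's reply, added here as an example and not code from the thread. It assumes Python, the Cisco IOS inside-to-outside order of operations in which NAT is applied before the crypto map is checked, and constructs the ACL contents (only the permit and deny lines quoted above come from the thread):

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def first_match(acl, src, dst):
    """IOS ACLs are first-match; an implicit deny ends every list."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

NAT_IP = "193.50.50.103"   # external NAT address from the thread
ANY = ("0.0.0.0", "255.255.255.255")

# Constructed: NAT ACL as the thread implies it stands (all of 10.10.10.0/24 is translated).
TEST_BOX_NAT_BEFORE = [
    ("permit", "10.10.10.0", "0.0.0.255", *ANY),
]
# Step 2 of the reply: the deny for VPN-bound traffic goes on top.
TEST_BOX_NAT_AFTER = [
    ("deny",   "10.10.10.0", "0.0.0.255", "200.200.10.0", "0.0.0.255"),
    ("permit", "10.10.10.0", "0.0.0.255", *ANY),
]
# Same lines in the wrong order: the deny is never reached.
TEST_BOX_NAT_WRONG_ORDER = list(reversed(TEST_BOX_NAT_AFTER))
# Step 1 of the reply: crypto ACL matching the real inside network, not the NAT address.
CRYPTO_MAP_TEST_BOX = [
    ("permit", "10.10.10.0", "0.0.0.255", "200.200.10.0", "0.0.0.255"),
]

def forward(src, dst, nat_acl, crypto_acl):
    """Inside-to-outside path: NAT runs first if the NAT ACL permits the flow,
    then the crypto ACL is evaluated against the post-NAT source address."""
    if first_match(nat_acl, src, dst) == "permit":
        src = NAT_IP
    if first_match(crypto_acl, src, dst) == "permit":
        return ("tunnel", src)
    return ("clear", src)

if __name__ == "__main__":
    for name, acl in [("before", TEST_BOX_NAT_BEFORE), ("after", TEST_BOX_NAT_AFTER),
                      ("wrong order", TEST_BOX_NAT_WRONG_ORDER)]:
        print(name, forward("10.10.10.5", "200.200.10.10", acl, CRYPTO_MAP_TEST_BOX))
```

Only the version with the deny at the top sends the packet into the tunnel with its real 10.10.10.x source, which is what the vShield side needs to see for the return path; Internet-bound traffic is still translated.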

Hi Sheshu,

OK I will try this and come back with update.

Hi,

Yes, unfortunately this did not help; VMware does not like NAT. I had to remove NAT completely and change my peer network.

Thank you !

Hi,

good it works now!

Quite often, when the tunnel is up and running but the traffic is not being sent over it, it is due to a NAT issue. I do not know anything about VMware vShield. But from that side, is the traffic sent to 10.10.10.0/24 denied NAT so it goes through the tunnel? Can you run show crypto ipsec sa and show crypto engine connections active on the router?

All,

Please see router outputs as requested.

From the config:
set peer 82.82.82.201
From VMware-2.png:
Local End Point 82.82.82.20
It does not seem like they are the same; I wonder if that is a typo?

The peer network should be 10.10.10.0/24, I think; that seems to be the inside network on the router.
"Peer Networks The Peer Networks is the remote network for the VPN. In CIDR format, enter the remote subnet address (for example, 192.168.2.0/24)."

Can you change the peer network and try again?

Hi,

Yes, a typo. I am not showing real IPs here; it's 82.82.82.201 on the VMware GUI, I replaced it.

The peer address is the NATed address, as I am hiding the 10 network behind the external NAT 193.50.50.103.

If I remove it, the tunnel will complain and come up as MM_NOSTATE.
