Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
920
Views
0
Helpful
2
Replies

IPsec over two NAT routers

Go to solution
Azlord_Cisco
Level 1
Level 1

‎04-16-2018 01:44 PM - edited ‎03-08-2019 02:40 PM

Hello,

 

I am creating a lab network that has NAT and an IPsec tunnel.

 

Since implementing NAT both on a packet tracer activity and physical equipment, I have encountered issues with communication over the tunnel. Prior to applying NAT, I was able to ping the opposite end of the tunnel and communicate between client machines. Although the tunnel is up, I am unable to get communication though it. I have tried several iterations and troubleshooting steps, yet the reason why it doesn't work as expected currently remains a mystery to me.

 

I have attached a topology of the network with router configurations for inspection (the public IP addresses are randomly selected). Any assistance would be greatly appreciated.

 

Cheers,

Az

 

Labels:
Preview file
2 KB
Preview file
58 KB
Preview file
13 KB
Preview file
11 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎04-24-2018 08:27 AM

Az

 

If I understand correctly the VPN worked befoere the nat was added and broke when the nat was configured. So I have not looked closely at the general config and concentrated on the nat configuration. I believe that the configuration of nat on CBR-GW is done correctly which each ACL to control nat specifies a single source subnet (for example 192.168.0.0/22) and specifies multiple destination subnets. However the configuration of nat on SYD-GW is different and I believe that this is the issue. In the ACL to control nat on SYD the ACL specifies multiple source subnets and a single destination subnet. I believe that if you correct the ACLs for nat on SYD that your vpn should work.

 

HTH

 

Rick 

HTH

Rick

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎04-24-2018 08:27 AM

Az

 

If I understand correctly the VPN worked befoere the nat was added and broke when the nat was configured. So I have not looked closely at the general config and concentrated on the nat configuration. I believe that the configuration of nat on CBR-GW is done correctly which each ACL to control nat specifies a single source subnet (for example 192.168.0.0/22) and specifies multiple destination subnets. However the configuration of nat on SYD-GW is different and I believe that this is the issue. In the ACL to control nat on SYD the ACL specifies multiple source subnets and a single destination subnet. I believe that if you correct the ACLs for nat on SYD that your vpn should work.

 

HTH

 

Rick 

HTH

Rick
0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Richard Burts

‎04-30-2018 07:08 AM

I am glad that my response pointed you toward the solution to this question. Thank you for marking this question as solved. This will help other readers in the forum to identify discussions that have helpful information. These forums are excellent places to ask questions and to learn about networking. I hope to see you continue to be active in the forums.

 

HTH

 

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card