08-18-2011 03:17 AM
Hi,
Please advise me how to NAT VPN traffic.
The goal is that the internal IP address 192.168.0.101 will be 10.104.4.101 at the other end.
What NAT command do I have to use?
Thanks
08-18-2011 11:51 PM
Assuming that you would like to NAT the internal IP of 192.168.0.101 to 10.104.4.101 when trying to access the remote subnet of 172.16.0.0/16.
Here is the command:
object network obj-192.168.0.101
 host 192.168.0.101
object network obj-10.104.4.101
 host 10.104.4.101
object network obj-172.16.0.0-16
 subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static obj-192.168.0.101 obj-10.104.4.101 destination static obj-172.16.0.0-16 obj-172.16.0.0-16
Hope this helps.
08-22-2011 04:07 AM
Hello!
Sorry for my late reply!
I tried what you advised, and it seems better.
But something is still wrong.
Attached are the config and a debug txt.
Please give me some instructions on what is wrong!
Thanks!
(In the NAT debug I find this:
nat: translation - inside:192.168.0.101/1729 to outside:10.104.4.101/1729
but no untranslation line.)
08-22-2011 04:35 AM
Hi,
Can you please check the crypto access-list on both sides? It should be exactly mirrored, because we can see the following error in the debugs:
Aug 21 23:48:37 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Thanks.
08-24-2011 01:04 AM
Hi,
This is the remote end crypto access-list:
access-list outside_cryptomap_8; 2 elements; name hash: 0x1a88a6c3
access-list outside_cryptomap_8 line 1 extended permit ip object-group DM_INLINE_NETWORK_19 10.104.4.0 255.255.255.0 0x6105a778
access-list outside_cryptomap_8 line 1 extended permit ip SAP_Netz 255.255.255.0 10.104.4.0 255.255.255.0 (hitcnt=25) 0x2567e08a
access-list outside_cryptomap_8 line 1 extended permit ip 10.1.64.0 255.255.255.0 10.104.4.0 255.255.255.0 (hitcnt=4) 0x1d2940ed
and the remote device vpn log:
08-24-2011 02:03 AM
08-24-2011 02:38 AM
From the debugs you attached:
Aug 24 01:52:05 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, PHASE 2 COMPLETED (msgid=28405279)
This means that phase 2 is up.
Can you share the following after initiating the traffic:
show cry ikev1 sa
show crypto ipsec sa
Regards.
08-24-2011 02:52 AM
This is it:
sh crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Poli-ASA# sh cry ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: x.x.x.x
access-list jwo_tunnel extended permit ip 10.104.4.0 255.255.255.0 10.1.48.0 255.255.255.0
local ident (addr/mask/prot/port): (10.104.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.48.0/255.255.255.0/0/0)
current_peer: x.x.x.x
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
path mtu 1492, ipsec overhead 74, media mtu 1500
current outbound spi: E05EB4F9
current inbound spi : FB220429
inbound esp sas:
spi: 0xFB220429 (4213310505)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 880640, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28776)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xE05EB4F9 (3764303097)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 880640, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28776)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Does it mean that the tunnel is up?
But if I try to ping 10.1.48.95, which is the target host (or telnet to some specific ports), no replies come back.
?
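The thread turns on three checks a defender makes when a NAT-ed host cannot reach the far side of an L2L tunnel: the post-NAT source must fall inside the local crypto ACL (the NAT answer earlier in the thread), the two crypto ACLs must be exact mirrors of each other (the later advice), and the "show crypto ipsec sa" counters tell whether return traffic is arriving at all. The script below is an added example, not code from Cisco or from any poster, that runs those checks offline over constructed input copied from the output quoted in this thread. Assumptions: only literal "extended permit ip A mask B mask" lines are parsed; the object-group and named-network entries shown on the remote side (DM_INLINE_NETWORK_19, SAP_Netz) are not expanded on the page, so they are skipped and the mirror result is indicative only. The function and constant names are hypothetical.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# One crypto ACE as (source network, destination network).
Entry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Matches ASA "extended permit ip <src> <mask> <dst> <mask>" lines with literal
# subnets only; object-group / named-network ACEs are skipped (not expanded here).
_ACE_RE = re.compile(
    r"extended permit ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)

# Parses "#pkts encaps: N" and "#pkts decaps: N" from "show crypto ipsec sa".
_COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

# Constructed sample input, copied from the output quoted in the thread.
LOCAL_CRYPTO_ACL = """\
access-list jwo_tunnel extended permit ip 10.104.4.0 255.255.255.0 10.1.48.0 255.255.255.0
"""

REMOTE_CRYPTO_ACL = """\
access-list outside_cryptomap_8 line 1 extended permit ip object-group DM_INLINE_NETWORK_19 10.104.4.0 255.255.255.0 0x6105a778
access-list outside_cryptomap_8 line 1 extended permit ip SAP_Netz 255.255.255.0 10.104.4.0 255.255.255.0 (hitcnt=25) 0x2567e08a
access-list outside_cryptomap_8 line 1 extended permit ip 10.1.64.0 255.255.255.0 10.104.4.0 255.255.255.0 (hitcnt=4) 0x1d2940ed
"""

SHOW_IPSEC_SA = """\
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


def parse_crypto_acl(text: str) -> List[Entry]:
    """Extract literal (src, dst) subnet pairs from 'show access-list' output."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _ACE_RE.search(line)
        if not m:
            continue  # object-group / named entries are not expanded here
        src = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.IPv4Network(f"{m.group(3)}/{m.group(4)}", strict=False)
        entries.append((src, dst))
    return entries


def unmirrored(local: List[Entry], remote: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Return (local ACEs with no mirror on the remote side, remote ACEs with no mirror locally).

    An ACE (A -> B) on one peer is mirrored by (B -> A) on the other.
    """
    local_set, remote_set = set(local), set(remote)
    missing_on_remote = [e for e in local if (e[1], e[0]) not in remote_set]
    missing_on_local = [e for e in remote if (e[1], e[0]) not in local_set]
    return missing_on_remote, missing_on_local


def nat_covered_by_crypto_acl(mapped_src: str, dst: str, local: List[Entry]) -> bool:
    """True if the post-NAT source and the destination both fall inside one local crypto ACE.

    Traffic is only steered into the tunnel if the translated (not the real)
    address matches the proxy identity, so this is checked with the mapped IP.
    """
    s, d = ipaddress.IPv4Address(mapped_src), ipaddress.IPv4Address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in local)


def one_way_traffic(show_ipsec_sa: str) -> bool:
    """True when packets are encapsulated but none decapsulated: no return traffic."""
    counters: Dict[str, int] = {k: int(v) for k, v in _COUNTER_RE.findall(show_ipsec_sa)}
    return counters.get("encaps", 0) > 0 and counters.get("decaps", 0) == 0


def run_checks() -> Dict[str, object]:
    """Run all three checks over the sample input and return the findings."""
    local = parse_crypto_acl(LOCAL_CRYPTO_ACL)
    remote = parse_crypto_acl(REMOTE_CRYPTO_ACL)
    missing_on_remote, missing_on_local = unmirrored(local, remote)
    return {
        "nat_source_in_acl": nat_covered_by_crypto_acl("10.104.4.101", "10.1.48.95", local),
        "real_source_in_acl": nat_covered_by_crypto_acl("192.168.0.101", "10.1.48.95", local),
        "local_aces_without_mirror": [f"{s} -> {d}" for s, d in missing_on_remote],
        "remote_aces_without_mirror": [f"{s} -> {d}" for s, d in missing_on_local],
        "one_way_traffic": one_way_traffic(SHOW_IPSEC_SA),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

On the sample input the mapped address 10.104.4.101 is inside the local proxy identity while the real address 192.168.0.101 is not, which is why the NAT rule must translate before the crypto ACL is evaluated; the literal local ACE (10.104.4.0/24 -> 10.1.48.0/24) has no literal mirror among the remote lines that could be parsed, and the counters show encapsulation with zero decapsulation, i.e. nothing is coming back. Whether the unexpanded object-group entries on the remote side supply the missing mirror is something the page does not show, so that result must be confirmed against the expanded remote ACL.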