Beginner

ASR IPSEC client to site NAT issues

Hi All,

I have recently been trying to fix/troubleshoot a client-to-site VPN I configured on an ASR 1001. I had the configuration working, then it stopped... Also, the VPN works when it's not going through NAT. However, once I try connecting through NAT, I'm not even prompted for login; phase one of the session fails. Overall it's a fairly simple configuration, although I've had issues with doing port overload NAT since you cannot map NAT to the outside interface without DHCP failing... (I don't know if the mappings are related to this issue)

I've provided my current configurations and debugging logs. Please see attachments.

Thanks,

Matt

Beginner

Re: ASR IPSEC client to site NAT issues

Hi all,

Does anyone have any idea of what I should check? I'm completely stuck.

Thanks,
Matthew Kahle
RJI (VIP Advocate)

Re: ASR IPSEC client to site NAT issues

Hi,
Are you referring to the NAT you've configured on the ASR or NAT configured on another device in front of the ASR?
Beginner

Re: ASR IPSEC client to site NAT issues

The NAT that's configured on the ASR.
Beginner

Re: ASR IPSEC client to site NAT issues

Would it be helpful if I provide success logs without the NAT in place?
RJI (VIP Advocate)

Re: ASR IPSEC client to site NAT issues

Define a Loopback interface using a private 192.168.x.x IP address and use that as the unnumbered interface under the Virtual-Template rather than Gi0/0/1.

Also remove the NAT entry "access-list 110 permit ip any any" and add a specific NAT entry for each of the VPN pools, but above the last rule - deny.

If that fails, yes, provide the debug logs when NAT is disabled.