Cisco ASA Version 8.6 nat

bodo.kaiser
Level 1

Hey,

I have a simple config:

ASA-to-ASA site-to-site VPN, and a VPN client.

The connection works, but there is no traffic from the VPN client to the site-to-site VPN.

I think it is a NAT problem.

object-group network ITA-2-LOCAL
 network-object 10.104.0.0 255.255.0.0
 network-object 10.105.0.0 255.255.0.0
object-group network VPN_KIT-neu
 network-object 10.12.0.0 255.255.248.0
 network-object 10.12.10.0 255.255.255.0
object-group network vpn-cl-re
 network-object 10.105.0.0 255.255.0.0
object network my-inside-net
 subnet 10.104.0.0 255.255.0.0

Internet works:

nat (inside,outside) source dynamic any interface

LAN to the VPN tunnel works, but NO TRAFFIC from the VPN client!

nat (inside,outside) source static ITA-2-LOCAL ITA-2-LOCAL destination static VPN_KIT-neu VPN_KIT-neu

LAN to VPN client works:

nat (inside,outside) source static my-inside-net my-inside-net destination static vpn-cl-re vpn-cl-re

No traffic from vpn-cl-re to VPN_KIT-neu!

What is wrong?

Do you have an idea?

7 Replies

You are missing the NAT exemption for vpn-cl-re to VPN_KIT-neu:

nat (inside,outside) source static vpn-cl-re vpn-cl-re destination static VPN_KIT-neu VPN_KIT-neu

I usually do a more general exemption:

object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

nat (any,outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 description NAT-Excempt for VPN

If it has a destination in the RFC1918 range, don't NAT it. If it has to be NATted, I add a new rule above that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hey,

I have installed it, but nothing!

4 (inside) to (outside) source static vpn-cl-re vpn-cl-re   destination static VPN_KIT-neu VPN_KIT-neu
    translate_hits = 0, untranslate_hits = 0

No traffic!

Is there any matching NAT rule above that one? NAT is processed top-down. Do a "show nat" to check that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hey,

Manual NAT Policies (Section 1)
1 (any) to (outside) source static RFC1918 RFC1918   destination static RFC1918 RFC1918 description NAT-Excempt for VPN
    translate_hits = 182, untranslate_hits = 259
2 (inside) to (outside) source dynamic any interface
    translate_hits = 335, untranslate_hits = 22
3 (inside) to (outside) source static ITA-2-LOCAL ITA-2-LOCAL   destination static VPN_KIT-neu VPN_KIT-neu
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static my-inside-net my-inside-net   destination static vpn-cl-re vpn-cl-re
    translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static vpn-cl-re vpn-cl-re   destination static VPN_KIT-neu VPN_KIT-neu
    translate_hits = 0, untranslate_hits = 0

Still not working? At least the first NAT rule shows hits, so there could be another problem involved. For your NAT, rules 3 to 5 are probably not needed any more, as they all fall within the range of RFC1918 to RFC1918.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
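To make the top-down point from the replies above concrete (the NAT-exemption explanation in the first reply and the "rules 3 to 5 are not needed" observation here), the following is an added Python example; it is not code from the thread or from Cisco. It parses a `show nat` excerpt constructed to mirror the one posted above, walks the Section 1 rules in order to find the first match for a flow, and flags rules that an earlier rule already captures. The object-group contents are taken from the thread's configuration; the parser, the sampling-based shadow check and the flow tuples are assumptions of this example, and it does not model egress-interface lookup or Section 2/3 object NAT.

```python
"""Top-down manual NAT (Section 1) matching for Cisco ASA 8.3+ `show nat` output.

Added example (not from the forum thread or from Cisco). Resolves which
manual NAT rule a flow hits first and which lower rules are shadowed by a
broad RFC1918-to-RFC1918 identity (exemption) rule placed above them.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Object-group members as posted in the thread (constructed lookup table;
# on a real ASA they come from `show running-config object-group`).
OBJECT_GROUPS = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "ITA-2-LOCAL": ["10.104.0.0/16", "10.105.0.0/16"],
    "VPN_KIT-neu": ["10.12.0.0/21", "10.12.10.0/24"],
    "vpn-cl-re": ["10.105.0.0/16"],
    "my-inside-net": ["10.104.0.0/16"],
    "any": ["0.0.0.0/0"],
}

# Constructed `show nat` excerpt in the format quoted in the thread.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (any) to (outside) source static RFC1918 RFC1918   destination static RFC1918 RFC1918 description NAT-Excempt for VPN
    translate_hits = 182, untranslate_hits = 259
2 (inside) to (outside) source dynamic any interface
    translate_hits = 335, untranslate_hits = 22
3 (inside) to (outside) source static ITA-2-LOCAL ITA-2-LOCAL   destination static VPN_KIT-neu VPN_KIT-neu
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static my-inside-net my-inside-net   destination static vpn-cl-re vpn-cl-re
    translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static vpn-cl-re vpn-cl-re   destination static VPN_KIT-neu VPN_KIT-neu
    translate_hits = 0, untranslate_hits = 0
"""

# Assumed line shape: "<n> (src_ifc) to (dst_ifc) source static|dynamic REAL MAPPED [destination static REAL MAPPED] ..."
RULE_RE = re.compile(
    r"^(?P<num>\d+) \((?P<src_ifc>[^)]+)\) to \((?P<dst_ifc>[^)]+)\) "
    r"source (?P<src_kind>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?:\s+destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
)


def in_group(ip: str, group: str) -> bool:
    """True if the address falls in any network of the named object group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECT_GROUPS[group])


@dataclass
class NatRule:
    num: int
    src_ifc: str
    dst_ifc: str
    src_kind: str
    src_real: str
    src_mapped: str
    dst_real: Optional[str]  # None means the rule has no destination condition

    def matches(self, src_ifc: str, src_ip: str, dst_ip: str) -> bool:
        if self.src_ifc not in ("any", src_ifc):
            return False
        if not in_group(src_ip, self.src_real):
            return False
        return self.dst_real is None or in_group(dst_ip, self.dst_real)

    def is_identity(self) -> bool:
        """'source static X X' with the same object on both sides is a NAT exemption."""
        return self.src_kind == "static" and self.src_real == self.src_mapped


def parse_show_nat(text: str) -> List[NatRule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # hit-counter and header lines do not match and are skipped
            rules.append(NatRule(int(m["num"]), m["src_ifc"], m["dst_ifc"], m["src_kind"],
                                 m["src_real"], m["src_mapped"], m["dst_real"]))
    return rules


def first_match(rules: List[NatRule], src_ifc: str, src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """ASA evaluates Section 1 top-down; the first matching rule wins."""
    for rule in rules:
        if rule.matches(src_ifc, src_ip, dst_ip):
            return rule
    return None


def shadowed_rules(rules: List[NatRule]) -> List[int]:
    """Rule numbers whose sampled flows are all captured by an earlier rule.

    Sample-based: probes the first host of every source/destination network
    pair the rule lists, so it is a sanity check rather than a proof.
    """
    shadowed = []
    for rule in rules:
        dst_nets = OBJECT_GROUPS[rule.dst_real] if rule.dst_real else ["0.0.0.0/0"]
        ifc = "inside" if rule.src_ifc == "any" else rule.src_ifc
        samples = [(str(ipaddress.ip_network(s)[1]), str(ipaddress.ip_network(d)[1]))
                   for s in OBJECT_GROUPS[rule.src_real] for d in dst_nets]
        winners = [first_match(rules, ifc, s, d) for s, d in samples]
        if all(w is not None and w.num < rule.num for w in winners):
            shadowed.append(rule.num)
    return shadowed


if __name__ == "__main__":
    nat = parse_show_nat(SHOW_NAT)
    # VPN client (vpn-cl-re) to the site-to-site network: rule 1 wins, so rule 5 never sees it.
    print("client->tunnel hits rule", first_match(nat, "inside", "10.105.1.10", "10.12.10.5").num)
    # Internet-bound traffic misses the exemption and falls through to the PAT rule.
    print("inside->internet hits rule", first_match(nat, "inside", "10.104.1.1", "8.8.8.8").num)
    print("shadowed rules:", shadowed_rules(nat))
```

Run it as-is to see that a client-to-tunnel flow lands on rule 1 (the identity rule, so it is exempted from NAT exactly as intended), internet traffic lands on the PAT rule 2, and rules 3 to 5 are reported as shadowed, which matches the zero hit counters in the thread. Hit counters that stay at 0 on a rule that "should" match are the practical signal to look for on a real box: either something above is catching the flow first, or the flow is never reaching the NAT stage at all.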

Hey,

I have now removed 3 to 5. The VPN client is not working!

Manual NAT Policies (Section 1)
1 (any) to (outside) source static RFC1918 RFC1918   destination static RFC1918 RFC1918 description NAT-Excempt for VPN
    translate_hits = 904, untranslate_hits = 1396
2 (inside) to (outside) source dynamic any interface
    translate_hits = 1108, untranslate_hits = 208

I have a connection from the VPN client to the LAN, but no connection to the VPN tunnel!

Do you have an idea?

Hey,

thanks for the help. The problem was:

crypto ipsec df-bit clear-df outside

Now removed, and it works!

Thanks!
