09-06-2018 08:02 AM
I'm trying to figure out an issue with a 3rd party VPN connection. They require us to NAT our inside to a specific address for use in their network. I believe I have it all set up correctly, the tunnel is showing up, and NAT appears to be working. My issue is I am not seeing decaps on my end. The vendor is showing decap and encap on his end, so it appears my ICMP request is reaching there and the echo is being returned.
Any help would be greatly appreciated!
RTR17#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 150.175.242.71:1 10.6.113.111:1 150.175.58.10:1 150.175.58.10:1
interface Loopback100
ip address 150.175.242.71 255.255.255.255
crypto map cmap 110 ipsec-isakmp
description 3rd Primary
set peer x.x.x.x
set transform-set esp-aes-sha256
set pfs group14
match address 3rd_Party
reverse-route static
ip nat inside source list 3rd_conditional_NAT interface Loopback100 overload
ip access-list extended 3rd_Party
permit ip host 150.175.242.71 host 150.175.58.10
permit ip host 150.175.242.71 host 150.175.57.50
ip access-list extended 3rd_conditional_NAT
permit ip any host 150.175.57.50
permit ip any host 150.175.58.10
RTR17#sh cry ips sa peer x.x.x.x det
interface: GigabitEthernet0/0
Crypto map tag: cmap, local addr 204.225.178.124
protected vrf: (none)
local ident (addr/mask/prot/port): (150.175.242.71/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.175.58.10/255.255.255.255/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 490, #pkts encrypt: 490, #pkts digest: 490
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xAA006A4D(2852153933)
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0x88D4CEF0(2295647984)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2691, flow_id: Onboard VPN:691, sibling_flags 80000040, crypto map: cmap
sa timing: remaining key lifetime (k/sec): (4271566/1848)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAA006A4D(2852153933)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2692, flow_id: Onboard VPN:692, sibling_flags 80000040, crypto map: cmap
sa timing: remaining key lifetime (k/sec): (4271532/1848)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (150.175.242.71/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.175.57.50/255.255.255.255/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 82, #pkts encrypt: 82, #pkts digest: 82
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
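Added example, not part of the original post: a small Python checker that parses the kind of "show crypto ipsec sa ... detail" and "show ip nat translations" output quoted above, flags each proxy-ID flow whose counters show one-way traffic (encaps but zero decaps) or no established ESP SA pair, and checks that every NAT translation's inside-global address is the local proxy ID of a flow whose remote proxy ID is the translation's destination. The sample inputs are constructed from the values in the post; the output line formats the regexes expect are assumed to follow the IOS layout shown above, and the interpretation attached to each finding is the general one, not a diagnosis of this specific tunnel.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed excerpt modelled on the "sh cry ips sa ... det" output in the post.
SAMPLE_SA_OUTPUT = """\
interface: GigabitEthernet0/0
Crypto map tag: cmap, local addr 204.225.178.124
protected vrf: (none)
local ident (addr/mask/prot/port): (150.175.242.71/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.175.58.10/255.255.255.255/0/0)
#pkts encaps: 490, #pkts encrypt: 490, #pkts digest: 490
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
inbound esp sas:
spi: 0x88D4CEF0(2295647984)
Status: ACTIVE(ACTIVE)
inbound ah sas:
outbound esp sas:
spi: 0xAA006A4D(2852153933)
Status: ACTIVE(ACTIVE)
protected vrf: (none)
local ident (addr/mask/prot/port): (150.175.242.71/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.175.57.50/255.255.255.255/0/0)
#pkts encaps: 82, #pkts encrypt: 82, #pkts digest: 82
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
inbound esp sas:
outbound esp sas:
"""

# Constructed excerpt modelled on the "sh ip nat trans" output in the post.
SAMPLE_NAT_OUTPUT = """\
Pro Inside global Inside local Outside local Outside global
icmp 150.175.242.71:1 10.6.113.111:1 150.175.58.10:1 150.175.58.10:1
"""


@dataclass
class Flow:
    """One proxy-ID pair (local ident -> remote ident) and its counters/SPIs."""
    local: str = ""
    remote: str = ""
    encaps: int = 0
    decaps: int = 0
    invalid_identity: int = 0
    inbound_spis: List[str] = field(default_factory=list)
    outbound_spis: List[str] = field(default_factory=list)


IDENT_RE = re.compile(r"^(local|remote) ident .*?: \((\S+?)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
INVALID_ID_RE = re.compile(r"#pkts invalid identity \(recv\) (\d+)")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")
NAT_LINE_RE = re.compile(r"^(\w+)\s+(\S+?):\d+\s+(\S+?):\d+\s+(\S+?):\d+\s+(\S+?):\d+$")


def parse_ipsec_sa(text: str) -> List[Flow]:
    """Split the output into flows; each 'local ident' line starts a new flow."""
    flows: List[Flow] = []
    section = None  # "inbound" or "outbound" while inside an ESP SA list
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                flows.append(Flow(local=m.group(2)))
                section = None
            else:
                flows[-1].remote = m.group(2)
            continue
        if not flows:
            continue
        flow = flows[-1]
        for kind, count in COUNTER_RE.findall(line):
            setattr(flow, kind, int(count))
        m = INVALID_ID_RE.search(line)
        if m:
            flow.invalid_identity = int(m.group(1))
        if line.startswith("inbound esp sas"):
            section = "inbound"
        elif line.startswith("outbound esp sas"):
            section = "outbound"
        elif line.endswith("ah sas:") or line.endswith("pcp sas:"):
            section = None
        m = SPI_RE.match(line)
        if m and section:
            getattr(flow, f"{section}_spis").append(m.group(1))
    return flows


def diagnose(flows: List[Flow]) -> Dict[str, List[str]]:
    """Per flow, the findings a troubleshooter looks for first."""
    report: Dict[str, List[str]] = {}
    for f in flows:
        findings = []
        if not f.inbound_spis or not f.outbound_spis:
            findings.append("no ESP SA pair established for this proxy ID (compare phase 2 proposal and selectors with the peer)")
        if f.encaps > 0 and f.decaps == 0:
            findings.append(f"one-way traffic: {f.encaps} encaps, 0 decaps (ESP is sent but none is received or decrypted for this SA)")
        if f.invalid_identity > 0:
            findings.append(f"{f.invalid_identity} packets rejected as invalid identity (peer's selectors do not match this SA)")
        report[f"{f.local}->{f.remote}"] = findings
    return report


def nat_consistent_with_crypto_acl(nat_text: str, flows: List[Flow]) -> List[str]:
    """Each translation's inside-global/outside-global pair must be a crypto ACL flow."""
    selectors = {(f.local, f.remote) for f in flows}
    problems = []
    for line in nat_text.splitlines():
        m = NAT_LINE_RE.match(line.strip())
        if not m:
            continue
        proto, inside_global, inside_local, _outside_local, outside_global = m.groups()
        if (inside_global, outside_global) not in selectors:
            problems.append(f"{proto} {inside_local}->{outside_global} translated to {inside_global}, which matches no crypto ACL flow")
    return problems


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    for flow_name, notes in diagnose(parsed).items():
        print(flow_name, notes or ["ok"])
    print("NAT/ACL mismatches:", nat_consistent_with_crypto_acl(SAMPLE_NAT_OUTPUT, parsed) or "none")
```

Run on the sample, the first flow reports one-way traffic with a live SA pair, the second reports both one-way counters and no SA pair, and the NAT translation is consistent with the crypto ACL; that separation (NAT correct, outbound SA fine, nothing arriving inbound) is what narrows the search to the return path and the peer's selectors rather than the local NAT.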