08-28-2012 04:20 AM
Hey,
I have a simple config!
ASA-to-ASA site-to-site VPN!
And a VPN client!
The connection works, but there is no traffic from the VPN client to the site-to-site VPN!
I think it was a NAT problem!
object-group network ITA-2-LOCAL
network-object 10.104.0.0 255.255.0.0
network-object 10.105.0.0 255.255.0.0
object-group network VPN_KIT-neu
network-object 10.12.0.0 255.255.248.0
network-object 10.12.10.0 255.255.255.0
object-group network vpn-cl-re
network-object 10.105.0.0 255.255.0.0
object network my-inside-net
subnet 10.104.0.0 255.255.0.0
Internet works!
nat (inside,outside) source dynamic any interface
LAN to the VPN tunnel works! NO TRAFFIC from the VPN client!!!!
nat (inside,outside) source static ITA-2-LOCAL ITA-2-LOCAL destination static VPN_KIT-neu VPN_KIT-neu
LAN to VPN client works!
nat (inside,outside) source static my-inside-net my-inside-net destination static vpn-cl-re vpn-cl-re
No traffic from vpn-cl-re to VPN_KIT-neu!!!!
What is wrong?
Do you have an idea?
08-28-2012 05:20 AM
You are missing the NAT exemption for vpn-cl-re to VPN_KIT-neu:
nat (inside,outside) source static vpn-cl-re vpn-cl-re destination static VPN_KIT-neu VPN_KIT-neu
I usually do a more general exemption:
object-group network RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
nat (any,outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 description NAT-Excempt for VPN
If it has a destination in the RFC1918 range, don't NAT it. If it has to be NATted, I add a new rule above that.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-28-2012 05:25 AM
Hey,
I have installed it, but nothing!
4 (inside) to (outside) source static vpn-cl-re vpn-cl-re destination static VPN_KIT-neu VPN_KIT-neu
translate_hits = 0, untranslate_hits = 0
No traffic!
08-28-2012 05:28 AM
Is there any matching NAT rule above that one? NAT is processed top-down. Do a "show nat" to check that.
08-28-2012 05:31 AM
Hey,
Manual NAT Policies (Section 1)
1 (any) to (outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 description NAT-Excempt for VPN
translate_hits = 182, untranslate_hits = 259
2 (inside) to (outside) source dynamic any interface
translate_hits = 335, untranslate_hits = 22
3 (inside) to (outside) source static ITA-2-LOCAL ITA-2-LOCAL destination static VPN_KIT-neu VPN_KIT-neu
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static my-inside-net my-inside-net destination static vpn-cl-re vpn-cl-re
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static vpn-cl-re vpn-cl-re destination static VPN_KIT-neu VPN_KIT-neu
translate_hits = 0, untranslate_hits = 0
08-28-2012 05:35 AM
Still not working? At least the first NAT rule shows hits, so there could be another problem involved. For your NAT, rules 3 to 5 are probably not needed any more, as they all fall in the range of RFC1918 to RFC1918.
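The reply above rests on how the ASA walks Section 1 (manual) NAT top-down: the first rule whose source and destination objects contain the packet wins, so rules 3 to 5 can never be hit once rule 1 (RFC1918 to RFC1918) sits above them. The following Python model is an added example, not code from the thread or from Cisco; it parses the "show nat" listing posted earlier, using the object groups as the original poster defined them, and reports which rules are shadowed. It is a simplified model (interface pairs, Sections 2 and 3, and the crypto ACL are ignored), and the sample packet addresses are constructed for illustration.

```python
"""Simplified model of ASA Section-1 (manual) NAT evaluation for the rules posted in this thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Object groups exactly as configured in the thread (prefixes copied from the posts).
OBJECT_GROUPS = {
    "ITA-2-LOCAL": ["10.104.0.0/16", "10.105.0.0/16"],
    "VPN_KIT-neu": ["10.12.0.0/21", "10.12.10.0/24"],
    "vpn-cl-re": ["10.105.0.0/16"],
    "my-inside-net": ["10.104.0.0/16"],
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "any": ["0.0.0.0/0"],
}

# The "show nat" listing from the thread (hit counters omitted; they play no part in matching).
SHOW_NAT = """\
1 (any) to (outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 description NAT-Excempt for VPN
2 (inside) to (outside) source dynamic any interface
3 (inside) to (outside) source static ITA-2-LOCAL ITA-2-LOCAL destination static VPN_KIT-neu VPN_KIT-neu
4 (inside) to (outside) source static my-inside-net my-inside-net destination static vpn-cl-re vpn-cl-re
5 (inside) to (outside) source static vpn-cl-re vpn-cl-re destination static VPN_KIT-neu VPN_KIT-neu
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+) \((?P<in>\S+)\) to \((?P<out>\S+)\) "
    r"source (?P<mode>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
    r"(?: description (?P<desc>.*))?$"
)


@dataclass
class NatRule:
    number: int
    src_real: str
    src_mapped: str
    dst_real: Optional[str]     # None when the rule has no destination clause
    dst_mapped: Optional[str]
    mode: str                   # "static" or "dynamic"

    @property
    def is_exemption(self) -> bool:
        # Identity NAT: real and mapped objects are identical, so the packet is left untranslated.
        return (self.mode == "static" and self.src_real == self.src_mapped
                and self.dst_real == self.dst_mapped)


def parse_show_nat(text: str) -> List[NatRule]:
    """Parse the rule lines of a 'show nat' listing; counter lines and headings are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(NatRule(int(m["num"]), m["src_real"], m["src_mapped"],
                                 m["dst_real"], m["dst_mapped"], m["mode"]))
    return rules


def _in_group(group: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in OBJECT_GROUPS[group])


def first_match(rules: List[NatRule], src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Top-down evaluation: the first rule whose source object (and destination object, if the
    rule has one) contains the packet is used; later rules are never consulted for that flow."""
    for r in rules:
        if _in_group(r.src_real, src_ip) and (r.dst_real is None or _in_group(r.dst_real, dst_ip)):
            return r
    return None


def shadowed_rules(rules: List[NatRule]) -> List[int]:
    """Rule numbers that cannot receive hits: a representative address pair taken from the rule's
    own objects is already claimed by an earlier rule (why rules 3 to 5 sit at 0 hits)."""
    shadowed = []
    for r in rules:
        src = str(ipaddress.ip_network(OBJECT_GROUPS[r.src_real][0])[1])
        # Constructed non-RFC1918 destination for rules without a destination clause.
        dst = (str(ipaddress.ip_network(OBJECT_GROUPS[r.dst_real][0])[1])
               if r.dst_real else "203.0.113.1")
        hit = first_match(rules, src, dst)
        if hit is not None and hit.number != r.number:
            shadowed.append(r.number)
    return shadowed


if __name__ == "__main__":
    nat = parse_show_nat(SHOW_NAT)
    # Constructed sample flows: VPN client (vpn-cl-re) to the remote site, and LAN host to the Internet.
    for src, dst in (("10.105.1.10", "10.12.1.5"), ("10.104.1.10", "8.8.8.8")):
        hit = first_match(nat, src, dst)
        print(f"{src} -> {dst}: rule {hit.number} ({'exempt' if hit.is_exemption else 'translate'})")
    print("shadowed rules:", shadowed_rules(nat))
```

With the posted rule order, a VPN client packet from 10.105.x.x to 10.12.x.x is claimed by rule 1 and left untranslated, which is the intended behaviour; a LAN packet to a public address skips rule 1 on the destination check and is PATed by rule 2. Rules 3 to 5 are reported as shadowed, matching the zero counters in the thread, so removing them changes nothing, and the remaining VPN client problem has to be looked for elsewhere than NAT.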
08-28-2012 05:42 AM
Hey,
I have now removed 3 to 5! The VPN client is not working!
Manual NAT Policies (Section 1)
1 (any) to (outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 description NAT-Excempt for VPN
translate_hits = 904, untranslate_hits = 1396
2 (inside) to (outside) source dynamic any interface
translate_hits = 1108, untranslate_hits = 208
I have a connection from the VPN client to the LAN, but no connection to the VPN tunnel!
Do you have an idea?
08-28-2012 05:58 AM
Hey,
Thanks for the help, the problem was:
crypto ipsec df-bit clear-df outside
Now removed, and it works!
Thanks!