IP SLA ping remote host through VPN tunnel with NAT

Quanza Support
Level 1

Hello all,

I've done some searching here, but not come across any similar questions. I'm pretty sure what I want is not possible, but I would like to make sure.

I would like to monitor a remote host on the other side of a VPN. The local endpoint is my ASA.

Traffic from the local INSIDE_LAN is NATted to 10.19.124.1 before it enters the VPN tunnel.

Interesting traffic VPN ACL used in crypto map:

access-list ACL_TUNNELED_TO_REMOTE line 1 extended permit ip host 10.19.124.1 192.168.1.0 255.255.255.0

NAT rules:

global (OUTSIDE) 2 10.19.124.1 netmask 255.255.255.255

nat (INSIDE_LAN) 2 access-list ACL_NAT_TO_REMOTE

NAT ACL

access-list ACL_NAT_TO_REMOTE line 1 extended permit ip 172.19.126.32 255.255.255.224 192.168.1.0 255.255.255.0

This configuration works fine for traffic coming from hosts in 172.19.126.32 255.255.255.224 going to 192.168.1.0 255.255.255.0.

However, I would like to use 'ip sla' on the ASA itself to monitor a remote host in 192.168.1.0 with ICMP ping. This would entail NATting an IP on the ASA to 10.19.124.1, but I don't see how to do this. None of the interfaces on the ASA is logical to use as a source interface for this.

Thanks for any insights and/or comments.

Regards

1 Accepted Solution


Jennifer Halim
Cisco Employee

You are absolutely correct, unfortunately you won't be able to NAT the ASA interface IP Address. NAT only works for traffic passing through the ASA, not originated from the ASA itself.


5 Replies


Hello Jennifer,

Thank you for your quick response.

Kind regards

If you had to monitor a site-to-site VPN on an ASA, how would you do it? Are there reliable SNMP OIDs I can read indicating the status of the tunnel? The only ones I have found seem to change their index when the tunnel is taken down and put up again.

Thanks

It is quite difficult to monitor a site-to-site VPN tunnel, as there could be a number of reasons why the tunnel is failing.

You can look through the syslog messages for IKE and IPSEC and look for the one that you are interested in.

For IKE and IPSEC, the syslog message numbers would start with

316, 320, 402, 404, 501, 602, 702, 713, 714, 715

http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logmsgs.html
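An added example, not part of the original thread: a small Python filter that applies the message-number prefixes listed above to ASA syslog lines, so that only IKE/IPsec events are kept and counted. The log lines embedded below are constructed samples in the standard %ASA-severity-msgid format, not output captured from a real device.

```python
import re
from collections import Counter

# IKE/IPsec message-number prefixes, as listed in the reply above.
IKE_IPSEC_PREFIXES = ("316", "320", "402", "404", "501",
                      "602", "702", "713", "714", "715")

# ASA syslog header: %ASA-<severity>-<6-digit message id>: <text>
ASA_LINE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")


def parse_asa_line(line):
    """Return (severity, msgid, text), or None if the line is not an ASA syslog message."""
    m = ASA_LINE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")


def is_ike_ipsec(msgid):
    """True when the 6-digit message id falls in one of the IKE/IPsec families."""
    return msgid.startswith(IKE_IPSEC_PREFIXES)


def filter_vpn_events(lines):
    """Keep only IKE/IPsec messages, returned as (msgid, text) tuples in log order."""
    events = []
    for line in lines:
        parsed = parse_asa_line(line)
        if parsed is None:
            continue  # not an ASA syslog line; skip it
        _sev, msgid, text = parsed
        if is_ike_ipsec(msgid):
            events.append((msgid, text))
    return events


def count_by_msgid(lines):
    """Tally IKE/IPsec events per message id, e.g. to spot repeated SA teardowns."""
    return Counter(msgid for msgid, _ in filter_vpn_events(lines))


# Constructed sample log lines (not captured from a real ASA).
SAMPLE_LOG = [
    "Jan 10 10:01:02 asa1 %ASA-6-302013: Built outbound TCP connection 12345 for OUTSIDE:192.168.1.10/443 to INSIDE_LAN:172.19.126.40/51000",
    "Jan 10 10:01:05 asa1 %ASA-6-713120: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=0a1b2c3d)",
    "Jan 10 10:01:05 asa1 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC0FFEE01) between 198.51.100.2 and 203.0.113.5 has been created.",
    "Jan 10 10:09:30 asa1 %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.9/4444 dst INSIDE_LAN:172.19.126.40/22 by access-group OUTSIDE_IN",
    "Jan 10 10:15:00 asa1 %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xC0FFEE01) between 198.51.100.2 and 203.0.113.5 has been deleted.",
    "Jan 10 10:15:01 asa1 %ASA-3-713902: Group = 203.0.113.5, IP = 203.0.113.5, Removing peer from correlator table failed, no match!",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for msgid, text in filter_vpn_events(SAMPLE_LOG):
        print(msgid, text)
    print(count_by_msgid(SAMPLE_LOG))
```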

That is a very good idea, thank you. I think we will go that route.