411 Views, 0 Helpful, 4 Replies

IPSec and NAT

d.saveliev
Level 1

Hello. Can anybody help me solve my problem?

I have two sites connected to each other using an IPSec VPN. Site A: ASA, LAN 172.20.120.0/24, WAN 95.109.45.32/28, IPSec from the Internet. Site B: Cisco 2821, LAN 172.16.0.0/16, WAN 178.249.126.128/28. IPSec tunnel 95.109.45.34 - 178.249.126.133. I need to use static NAT on the 2821 for a host from 172.20.120.0: 172.20.120.220 - 178.249.126.139.

Cisco 2821 configuration:

interface GigabitEthernet0/0
 description TO_INTERNET_CDK
 ip address 178.249.126.133 255.255.255.240
 ip access-group INET_IN in
 no ip proxy-arp
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 crypto map SITE_VPN
end

ip nat inside source static 172.20.120.220 178.249.126.139 no-alias

If I ping 178.249.126.139 from the Internet, I see the packets on host 172.20.120.220, and I see the reply packets too, but the packets do not leave the Cisco 2821. The encrypt and decrypt counters change in sh crypto ipsec sa | beg 172.20.120.220.

I think the problem is that ip nat inside is absent in the chain; I use one interface for both incoming and outgoing traffic for host 172.20.120.220 on the Cisco 2821.

On the Internet host I see "Blocked incoming ICMP packet (ICMP type 0) from 172.20.120.220 to 97.237.139.18" when I ping 172.249.126.139 from this host.

4 Replies

rizwanr74
Level 7

It is difficult to follow the nature of the issue you are facing with your setup.

If I understood right, you want users at Site A to access your host on IP 172.20.120.220, or on IP 172.20.120.0 at Site B?

Not right. I need host 172.20.120.220 from Site A to become available from the Internet using IP 178.249.126.139, which belongs to Site B. If I ping 178.249.126.139 from the Internet I see the ICMP packet on host 172.20.120.220, and I see the response packets too, but the response packets do not go to the Internet from the Cisco 2821. See attachment.

You want Internet traffic for host 178.249.126.139 to traverse from Site B, via the IPSec tunnel, to host 172.20.120.220/32 at Site A?

thanks
Yes. I need the host on Site A to look like a host on Site B from the Internet.