12-12-2013 08:42 AM
Hello,
I have an IPsec VPN tunnel between my Cisco 891 and a SonicWall.
Communication between sites works, except for any host on the Cisco side that has a NAT entry.
example:
ip nat inside source static 192.168.200.26 WANIP
sh cry ipsec sa shows packets encapping/decapping, with no errors.
Has anyone encountered this issue before and know of a good solution?
Thanks
12-12-2013 09:53 AM
Check which IPs are allowed to communicate over the IPsec tunnel.
Please paste the output of the command
sh crypto ipsec sa
12-12-2013 11:37 AM
Sure (local LAN is 192.168.200.0, remote LAN is 172.16.4.0, both /24).
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
current_peer PUBLICIP port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 128267, #pkts encrypt: 128267, #pkts digest: 128267
#pkts decaps: 193479, #pkts decrypt: 193479, #pkts verify: 193479
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: LOCALWANIP, remote crypto endpt.: PUBLICIP
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
current outbound spi: 0x4942D21A(1229115930)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x3978ABB0(964209584)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 52, flow_id: Onboard VPN:52, sibling_flags 80000040, crypto map: IPSEC-MAP
sa timing: remaining key lifetime (k/sec): (4202221/13656)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4942D21A(1229115930)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 53, flow_id: Onboard VPN:53, sibling_flags 80000040, crypto map: IPSEC-MAP
sa timing: remaining key lifetime (k/sec): (4204685/13656)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Relevant ACLs:
Extended IP access list NAT_ACL
40 deny ip 192.168.200.0 0.0.0.255 172.16.4.0 0.0.0.255 (128911 matches)
100 permit ip 192.168.200.0 0.0.0.255 any (144311 matches)
Extended IP access list VPN-ACL
40 permit ip 192.168.200.0 0.0.0.255 172.16.4.0 0.0.0.255 (128784 matches)
12-12-2013 12:00 PM
The result looks good.
You are trying to reach the IP 192.168.200.16, which falls under 192.168.200.0/24.
Now tell us what problem you are facing.
12-12-2013 12:13 PM
The tunnel is up and functional; I can reach 192.168.200.1 from the 172.16.4.0 subnet.
However, if I try to ping/access any 192.168.200.X host that has a 1-to-1 NAT, that fails. I assume it has something to do with the one-to-one NAT.
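The following is an added example, not code from the thread or from Cisco. It models the two IOS behaviours that explain the symptom described above: for inside-to-outside traffic the router applies NAT before it consults the crypto map, and a static `ip nat inside source static` entry translates every packet from that host regardless of the `deny` in NAT_ACL (which only governs the dynamic overload rule). So an echo request from 172.16.4.0/24 is decrypted and reaches the statically NATed host, but the reply leaves with WANIP as its source, no longer matches VPN-ACL, and is not encrypted. The ACLs are the ones pasted in the thread; the WAN address, the remote host, the dynamic overload rule, and the optional per-entry exemption ACL (modelling a route-map attached to the static entry) are assumptions made for the example.

```python
"""Simulate Cisco IOS inside->outside order of operations for the thread's setup.

Added example, not from the thread or from Cisco. It models two IOS facts:
(1) for inside->outside traffic NAT runs before the crypto map is checked, and
(2) a static 'ip nat inside source static' entry translates every packet from
that host, ignoring the deny in the dynamic NAT ACL. WANIP, the remote host and
the dynamic overload rule are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: Net
    dst: Net


def acl_permits(acl: List[AclEntry], src: IPv4, dst: IPv4) -> bool:
    """First matching entry wins; IOS ACLs end with an implicit deny."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


# ACLs as pasted in the thread (sequence numbers dropped).
NAT_ACL = [
    AclEntry("deny", Net("192.168.200.0/24"), Net("172.16.4.0/24")),
    AclEntry("permit", Net("192.168.200.0/24"), Net("0.0.0.0/0")),
]
VPN_ACL = [
    AclEntry("permit", Net("192.168.200.0/24"), Net("172.16.4.0/24")),
]

WANIP = IPv4("203.0.113.5")  # constructed stand-in for the router's WAN address


@dataclass
class StaticNat:
    inside_local: IPv4
    inside_global: IPv4
    # Optional exemption ACL, modelling a route-map on the static entry (an
    # assumed remedy, not something the thread shows): packets this ACL
    # permits are left untranslated.
    no_nat: Optional[List[AclEntry]] = None


def inside_source_nat(src: IPv4, dst: IPv4, statics: List[StaticNat],
                      overload_acl: List[AclEntry], overload_ip: IPv4) -> Tuple[IPv4, str]:
    """Return (translated_src, kind). Static entries win and ignore overload_acl."""
    for s in statics:
        if src == s.inside_local:
            if s.no_nat is not None and acl_permits(s.no_nat, src, dst):
                return src, "static-exempt"
            return s.inside_global, "static"
    # Assumed dynamic rule: 'ip nat inside source list NAT_ACL interface <wan> overload'
    if acl_permits(overload_acl, src, dst):
        return overload_ip, "overload"
    return src, "none"


def inside_to_outside(src: str, dst: str, statics: List[StaticNat]) -> Tuple[str, bool]:
    """NAT first, then crypto-map check against VPN_ACL. Returns (nat_kind, encrypted)."""
    new_src, kind = inside_source_nat(IPv4(src), IPv4(dst), statics, NAT_ACL, WANIP)
    return kind, acl_permits(VPN_ACL, new_src, IPv4(dst))


if __name__ == "__main__":
    host26 = StaticNat(IPv4("192.168.200.26"), WANIP)
    remote = "172.16.4.10"  # constructed remote host
    print("192.168.200.1  ->", remote, inside_to_outside("192.168.200.1", remote, [host26]))
    print("192.168.200.26 ->", remote, inside_to_outside("192.168.200.26", remote, [host26]))
    exempt26 = StaticNat(IPv4("192.168.200.26"), WANIP, no_nat=VPN_ACL)
    print("192.168.200.26 -> (exempt)", inside_to_outside("192.168.200.26", remote, [exempt26]))
```

Running it shows the plain host going out untranslated and encrypted, the statically NATed host going out as WANIP and unencrypted, and the same host encrypted again once the static entry exempts VPN-bound traffic. The real check on the router is `show ip nat translations` alongside the `#pkts encaps` counter for the affected host: a translation entry for 192.168.200.26 to 172.16.4.x that is never encrypted points at this ordering problem.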