ISR Site to Site VPN Trouble communicating with NATed hosts

williamtwomey
Level 1

Hello,

I have an IPsec VPN tunnel between my Cisco 891 and a SonicWall.

Communication between sites works, except for any host on the Cisco side that has a NAT entry.

Example:

ip nat inside source static 192.168.200.26 WANIP

sh cry ipsec sa shows packets encapping/decapping, with no errors.

Has anyone encountered this issue before and know of a good solution?

Thanks

4 Replies

shine pothen
Level 3

Check which IPs are allowed to communicate over IPsec.

Please paste the output of the command

sh crypto ipsec sa

Sure (local LAN is 192.168.200.0, remote LAN is 172.16.4.0, both /24):

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)

   current_peer PUBLICIP port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 128267, #pkts encrypt: 128267, #pkts digest: 128267

    #pkts decaps: 193479, #pkts decrypt: 193479, #pkts verify: 193479

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: LOCALWANIP, remote crypto endpt.: PUBLICIP

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0

     current outbound spi: 0x4942D21A(1229115930)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x3978ABB0(964209584)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 52, flow_id: Onboard VPN:52, sibling_flags 80000040, crypto map: IPSEC-MAP

        sa timing: remaining key lifetime (k/sec): (4202221/13656)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x4942D21A(1229115930)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 53, flow_id: Onboard VPN:53, sibling_flags 80000040, crypto map: IPSEC-MAP

        sa timing: remaining key lifetime (k/sec): (4204685/13656)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Relevant ACLs

Extended IP access list NAT_ACL

    40 deny ip 192.168.200.0 0.0.0.255 172.16.4.0 0.0.0.255 (128911 matches)

    100 permit ip 192.168.200.0 0.0.0.255 any (144311 matches)

Extended IP access list VPN-ACL

    40 permit ip 192.168.200.0 0.0.0.255 172.16.4.0 0.0.0.255 (128784 matches)

The result looks good.

You are trying to reach the IP 192.168.200.16, which falls under 192.168.200.0/24.

Now tell us what problem you are facing?

The tunnel is up and functional; I can hit 192.168.200.1 from the 172.16.4.0 subnet.

However, if I try to ping/access any 192.168.200.X host that has a 1-to-1 NAT, that fails. I assume it has something to do with the one-to-one NAT.
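The symptom described in the thread matches the IOS order of operations for inside-to-outside traffic: NAT is applied before the crypto map is consulted. The NAT_ACL deny entry only governs the dynamic (overload) translation; a plain "ip nat inside source static" entry translates the host unconditionally, so a packet from 192.168.200.26 to 172.16.4.0/24 is rewritten to source WANIP, no longer matches VPN-ACL, and is never encrypted. The configuration below is an added illustration, not the poster's running config: VPN-ACL, NAT_ACL, the static entry and the WANIP placeholder are from the thread; the overload statement, the ACL name VPN-TRAFFIC and the route-map name NO-NAT-VPN are assumptions.

```cisco
! Crypto ACL as posted: traffic that must be encrypted
ip access-list extended VPN-ACL
 permit ip 192.168.200.0 0.0.0.255 172.16.4.0 0.0.0.255
!
! Dynamic NAT ACL as posted: VPN traffic is exempted from PAT
! (the overload line itself is assumed; it is not shown in the thread)
ip access-list extended NAT_ACL
 deny   ip 192.168.200.0 0.0.0.255 172.16.4.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 any
ip nat inside source list NAT_ACL interface GigabitEthernet0 overload
!
! Static entry as posted: translates .26 regardless of NAT_ACL, so
! .26 -> 172.16.4.x leaves as WANIP -> 172.16.4.x and misses VPN-ACL
ip nat inside source static 192.168.200.26 WANIP
!
! Corrected form (assumed names): make the static translation
! conditional, so VPN-bound traffic keeps its private source address
ip access-list extended VPN-TRAFFIC
 permit ip any 172.16.4.0 0.0.0.255
route-map NO-NAT-VPN deny 10
 match ip address VPN-TRAFFIC
route-map NO-NAT-VPN permit 20
!
no ip nat inside source static 192.168.200.26 WANIP
ip nat inside source static 192.168.200.26 WANIP route-map NO-NAT-VPN
```

After the change, a ping from 192.168.200.26 to a 172.16.4.0/24 host should create no entry for that flow in "show ip nat translations", while the encap counters in "show crypto ipsec sa" keep incrementing for it; inbound connections to WANIP from the Internet are still translated to .26 as before. The same route-map clause is needed on every static entry on the Cisco side, since each one bypasses NAT_ACL independently.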