Issue with Site-to-Site Policy Source NAT

shanilkumar2003
Level 1

Dear All,

I am facing an issue with source-based NAT in a site-to-site VPN configuration.


We want to access the remote-site server 10.67.1.5 from my end server 192.168.210.224; my server 192.168.210.224 needs to be NATed to 10.66.102.178 when it goes out to the remote site. We have done the configuration below, and VPN phase 1 and phase 2 are establishing fine, but we are not able to access the remote server 10.67.1.5. Phase 2 is establishing, and packets are only being encapsulated, not decapsulated. The remote site has its VPN terminating on a router, and phase 1 and phase 2 are establishing.

There is no NAT exemption configured. I would appreciate urgent help to identify the issue...

We already have a lot of site-to-site tunnels up and running, but no tunnels with policy NAT.

config
--------
access-list acl-NI line 1 extended permit ip host 192.168.210.224 host 10.67.1.5 (hitcnt=0) 
access-list acl-NI line 2 extended permit ip host 10.66.102.178 host 10.67.1.5 (hitcnt=2)

nat (inside) 2 192.168.210.224 255.255.255.255
global (outside) 2 10.66.102.178

crypto ipsec transform-set NI esp-3des esp-sha-hmac

crypto map ENOCMAP 22 match address acl-NI
crypto map ENOCMAP 22 set peer x.x.x.x
crypto map ENOCMAP 22 set transform-set NI
crypto map ENOCMAP 22 set security-association lifetime seconds 3600
crypto map ENOCMAP 22 set reverse-route
crypto map ENOCMAP interface outside

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****


======================================================================

12  IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ENOCDC-FW03# sh crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
    Crypto map tag: ENOCMAP, seq num: 22, local addr: x.x.x.x

      access-list acl-NI extended permit ip host 10.66.102.178 host 10.67.1.5
      local ident (addr/mask/prot/port): (10.66.102.178/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.67.1.5/255.255.255.255/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 89BAF49F
      current inbound spi : DB36C4B6

Accepted Solution

Tarik Admani
VIP Alumni

Hi,

Please try the policy NAT statements below:

access-list policynat extended permit ip host 192.168.210.224 host 10.67.1.5

static (inside,outside) 10.66.102.178 access-list policynat

Here is some reference material regarding policy NAT: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419

Thanks,

Tarik Admani
*Please rate helpful posts*
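As an added example (not code from the thread or from Cisco), here is a small Python model of the 8.2-era ASA outbound path that reproduces the hit counts shown in the question and illustrates what the accepted answer's policy NAT changes: the source address is translated first (static and policy NAT are consulted before dynamic nat/global), and only then is the crypto-map ACL evaluated, so the crypto ACL has to name the translated address. The addresses and ACL names are the ones in the thread; the parser, the `Asa82` class and the function names are invented for the illustration and cover only the statements used here.

```python
"""Model of the pre-8.3 ASA outbound path: translate the source, then match
the crypto-map ACL against the translated packet.

Added example for the thread, not ASA code. Only the config statements used
in the thread are parsed; the NAT ordering is a simplification of the real
device (NAT exemption is not modelled because the question has none).
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


@dataclass
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hitcnt: int = 0  # mirrors the (hitcnt=N) column of 'show access-list'

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.src and dst in self.dst


def _addr(tokens, i):
    """Parse 'host A', 'any' or 'A MASK' starting at tokens[i]; return (net, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


class Asa82:
    """Subset of pre-8.3 NAT: static policy NAT, dynamic nat/global pairs, extended ACLs."""

    def __init__(self, config: str):
        self.acls: dict[str, list[AclEntry]] = {}
        self.dynamic: dict[str, ipaddress.IPv4Network] = {}   # nat id -> inside network
        self.globals: dict[str, IPv4] = {}                     # nat id -> global address
        self.policy_static: list[tuple[str, IPv4]] = []        # (acl name, mapped address)
        for line in config.strip().splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
                src, i = _addr(t, 5)
                dst, _ = _addr(t, i)
                self.acls.setdefault(t[1], []).append(AclEntry(src, dst))
            elif t[0] == "nat":        # nat (inside) ID ADDR MASK
                self.dynamic[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            elif t[0] == "global":     # global (outside) ID ADDR
                self.globals[t[2]] = IPv4(t[3])
            elif t[0] == "static" and "access-list" in t:   # static (in,out) MAPPED access-list NAME
                self.policy_static.append((t[t.index("access-list") + 1], IPv4(t[2])))

    def translate_source(self, src: IPv4, dst: IPv4) -> IPv4:
        # Pre-8.3 order of operations: static (including policy) NAT wins over dynamic NAT.
        for acl_name, mapped in self.policy_static:
            if any(e.matches(src, dst) for e in self.acls.get(acl_name, [])):
                return mapped
        for nat_id, net in self.dynamic.items():
            if src in net and nat_id in self.globals:
                return self.globals[nat_id]
        return src

    def send(self, src: str, dst: str, crypto_acl: str):
        """Outbound packet: NAT first, then the crypto ACL sees the translated source."""
        s, d = IPv4(src), IPv4(dst)
        xlated = self.translate_source(s, d)
        for entry in self.acls[crypto_acl]:
            if entry.matches(xlated, d):
                entry.hitcnt += 1
                return "encrypt", str(xlated)
        return "clear", str(xlated)

    def hitcounts(self, acl_name: str) -> list[int]:
        return [e.hitcnt for e in self.acls[acl_name]]


# Constructed from the question: dynamic nat/global plus a crypto ACL with both addresses.
ORIGINAL_CONFIG = """
access-list acl-NI extended permit ip host 192.168.210.224 host 10.67.1.5
access-list acl-NI extended permit ip host 10.66.102.178 host 10.67.1.5
nat (inside) 2 192.168.210.224 255.255.255.255
global (outside) 2 10.66.102.178
"""

# Constructed from the accepted answer: static policy NAT scoped to the remote host.
POLICY_NAT_CONFIG = """
access-list acl-NI extended permit ip host 10.66.102.178 host 10.67.1.5
access-list policynat extended permit ip host 192.168.210.224 host 10.67.1.5
static (inside,outside) 10.66.102.178 access-list policynat
"""


def original_hitcounts() -> list[int]:
    """Two packets to the remote server: only the post-NAT line of acl-NI ever matches."""
    asa = Asa82(ORIGINAL_CONFIG)
    for _ in range(2):
        asa.send("192.168.210.224", "10.67.1.5", "acl-NI")
    return asa.hitcounts("acl-NI")


def policy_nat_results():
    """With policy NAT the translation applies only to traffic for 10.67.1.5."""
    asa = Asa82(POLICY_NAT_CONFIG)
    to_peer = asa.send("192.168.210.224", "10.67.1.5", "acl-NI")
    elsewhere = asa.send("192.168.210.224", "10.67.2.5", "acl-NI")
    return to_peer, elsewhere


if __name__ == "__main__":
    print("acl-NI hitcnt per line, original config:", original_hitcounts())
    print("policy NAT (to peer, elsewhere):", policy_nat_results())
```

With the original nat/global configuration the model gives acl-NI hit counts of [0, 2]: the line written with the pre-NAT address 192.168.210.224 can never match, because the crypto map only ever sees 10.66.102.178, which is exactly the hitcnt pattern in the question. With the static policy NAT from the answer, 192.168.210.224 is translated to 10.66.102.178 only when talking to 10.67.1.5 and leaves with its real address otherwise. The model covers the outbound direction only; the return packets from 10.67.1.5 have to be addressed to 10.66.102.178 so that they match the SA and are untranslated. #pkts decaps: 0 next to #pkts encaps: 2 in the show output means nothing came back from the peer at all, which is consistent with the follow-up that the remaining problem was on the remote side.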

2 Replies

Thanks Tarik, I used this policy NAT. The issue was with the remote-side firewall config.

Thanks for your support

Sent from Cisco Technical Support iPhone App