06-12-2013 02:03 AM
Hello,
I've configured a site-to-site VPN, but I seem to have some problems configuring NAT exemption.
I've configured NAT exemption, but I also have a static NAT for that IP.
From what I can figure out the IP is still translated using static NAT.
Shouldn't nat 0 exclude all other NAT?
NAT configuration:
access-list NAT_ZERO_inside line 1 extended permit ip host 192.168.1.2 192.168.0.0 255.255.0.0
nat (inside) 0 access-list NAT_ZERO_inside
static (inside,outside) <public_ip> 192.168.1.2 netmask 255.255.255.255
Crypto acl:
access-list encrypt_acl extended permit ip host 192.168.1.2 192.168.51.2 255.255.255.248
Packet tracer:
ciscoasa# packet-tracer input inside tcp 192.168.1.2 1234 192.168.51.3 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.51.2 255.255.255.248 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_ACL in interface inside
access-list inside_ACL extended permit tcp host 192.168.1.2 any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside host 192.168.1.2 outside 192.168.0.0 255.255.0.0
NAT exempt
translate_hits = 4, untranslate_hits = 0
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) <public_ip> 192.168.1.2 netmask 255.255.255.255
match ip inside host 192.168.1.2 outside any
static translation to <public_ip>
translate_hits = 91922501, untranslate_hits = 9551831
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) <public_ip> 192.168.1.2 netmask 255.255.255.255
match ip inside host 192.168.1.2 outside any
static translation to <public_ip>
translate_hits = 91922503, untranslate_hits = 9551831
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
06-12-2013 02:37 AM
Hi,
The NAT0 configuration overrides any Static NAT configuration.
Even though you see the Static NAT in the output of the "packet-tracer" it doesn't mean that it gets applied. If it was you would see the actual translation in the field "Additional Information".
The more likely reason seems to be that your L2L VPN configuration isn't matching between your site and the remote site.
Though while using the "packet-tracer" to test connections applying to a L2L VPN you will pretty much always issue the command twice since the first "packet-tracer" command will always fail with the VPN Phase drop as the L2L VPN is just beginning the negotiation.
So can you issue the command twice and copy/paste the second output here. If it's different from the above that is.
If the VPN Phase still doesn't go through that means that there is a problem with the VPN parameters for the connection.
And that's a totally different troubleshooting scenario again.
- Jouni
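The point Jouni makes is that a NAT phase listing a static rule is not the same as that rule being applied; the translated address only appears under "Additional Information" when the translation is really used. The parser below is an added example, not code from the thread or from Cisco: it splits packet-tracer output into phases and reports which phase dropped the packet, whether the NAT-EXEMPT phase allowed the flow, and whether any NAT phase actually printed a translation. The sample trace is abridged from the output posted above (the <public_ip> placeholder is kept as posted), and the "empty Additional Information means no translation was applied" rule is an assumption taken from Jouni's explanation.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the packet-tracer output posted in the thread above.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.51.2 255.255.255.248 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_ACL in interface inside
access-list inside_ACL extended permit tcp host 192.168.1.2 any
Additional Information:
Phase: 3
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside host 192.168.1.2 outside 192.168.0.0 255.255.0.0
NAT exempt
translate_hits = 4, untranslate_hits = 0
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) <public_ip> 192.168.1.2 netmask 255.255.255.255
match ip inside host 192.168.1.2 outside any
static translation to <public_ip>
translate_hits = 91922501, untranslate_hits = 9551831
Additional Information:
Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Split packet-tracer output into Phase records plus the final summary dict."""
    phases, summary, current, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:                                   # a new phase starts
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":                   # bare "Result:" opens the final summary
            current, section = None, "summary"
            continue
        if section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        if line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
        else:                                   # Type / Subtype / Result headers
            key, _, value = line.partition(":")
            setattr(current, key.strip().lower(), value.strip())
    return phases, summary


def diagnose(phases, summary):
    """Summarise what the trace says about NAT exemption and the drop."""
    exempt = next((p for p in phases if p.type == "NAT-EXEMPT"), None)
    nat_phases = [p for p in phases if p.type == "NAT"]
    dropping = next((p for p in phases if p.result == "DROP"), None)
    return {
        "nat_exempt_allowed": exempt is not None and exempt.result == "ALLOW",
        "static_nat_listed": bool(nat_phases),
        # Assumption (from the reply above): a static rule that is really applied
        # prints the translated address under Additional Information; an empty
        # field means the rule was only listed, not used for this flow.
        "translation_applied": any(p.info for p in nat_phases),
        "drop_phase": f"{dropping.type}/{dropping.subtype}" if dropping else None,
        "drop_reason": summary.get("Drop-reason"),
    }


if __name__ == "__main__":
    phases, summary = parse_packet_tracer(SAMPLE_TRACE)
    for key, value in diagnose(phases, summary).items():
        print(f"{key}: {value}")
```

Run on the sample it reports that the NAT-EXEMPT phase allowed the flow, that the static rule was listed but no translation was applied, and that the drop happened in the VPN/encrypt phase; paste the second packet-tracer run into SAMPLE_TRACE to compare the two attempts the way Jouni suggests.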
06-12-2013 04:03 AM
Thank you Jouni!
I did know about the "Additional Information" field.
I did a "debug crypto isakmp" and it is a L2L VPN.
Jun 12 13:50:58 [IKEv1]: Group =
Jun 12 13:50:58 [IKEv1]: Group =
I guess crypto acl is not mirrored on the other side.
Confirmation may take a while, because I don't have access to the other side.
Regards,
Bogdan
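Bogdan's suspicion is that the crypto ACL is not mirrored on the far side, which is a common reason an L2L tunnel never negotiates. The script below is an added example, not code from the thread or from Cisco: it parses "permit ip" entries of an ASA crypto ACL into (source, destination) network pairs and checks that the remote ACL contains exactly the swapped pairs. The local ACL is the encrypt_acl line posted above; the remote ACL is constructed for illustration (its name, to_site_a, and its second entry are made up), and only the "host A", "A MASK" and "any" address forms are handled.

```python
import ipaddress

# Local crypto ACL as posted in the thread.
LOCAL_ACL = [
    "access-list encrypt_acl extended permit ip host 192.168.1.2 192.168.51.2 255.255.255.248",
]

# Constructed remote-side crypto ACL: the first entry is the correct mirror of
# the local one, the second proposes a subnet the local side never lists.
REMOTE_ACL = [
    "access-list to_site_a extended permit ip 192.168.51.0 255.255.255.248 host 192.168.1.2",
    "access-list to_site_a extended permit ip 192.168.52.0 255.255.255.0 host 192.168.1.2",
]


def _take_prefix(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK') and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    # strict=False clears host bits so that "192.168.51.2 255.255.255.248"
    # becomes 192.168.51.0/29, which is the network the proxy ID describes.
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_crypto_acl(lines):
    """Return the set of (src_network, dst_network) pairs from 'permit ip' entries."""
    pairs = set()
    for line in lines:
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":          # crypto ACLs are normally 'permit ip'
            continue
        rest = tokens[i + 2:]
        src = _take_prefix(rest)
        dst = _take_prefix(rest)
        pairs.add((src, dst))
    return pairs


def mirror_report(local_lines, remote_lines):
    """Compare the remote ACL with the exact mirror of the local ACL."""
    local = parse_crypto_acl(local_lines)
    remote = parse_crypto_acl(remote_lines)
    expected_remote = {(dst, src) for src, dst in local}
    fmt = lambda pair: f"{pair[0]} -> {pair[1]}"
    return {
        "missing_on_remote": sorted(fmt(p) for p in expected_remote - remote),
        "extra_on_remote": sorted(fmt(p) for p in remote - expected_remote),
        "mirrored": expected_remote == remote,
    }


if __name__ == "__main__":
    for key, value in mirror_report(LOCAL_ACL, REMOTE_ACL).items():
        print(f"{key}: {value}")
```

With the constructed remote ACL the report shows no missing entry but one extra entry on the remote side, so the two proxy-ID sets differ and the check fails; once the far side's configuration is available, paste its crypto ACL into REMOTE_ACL to confirm whether the entries really mirror.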