NAT VPN no traffic, 106014 deny inbound

HairyM0nster (Level 1)

I'm not sure if this should go in the Security section or here, but perhaps someone can help with this configuration?

Trying to NAT the internal IP to another subnet so the destination end doesn't clash. The tunnel comes up fine, but traffic does not pass over it. If I send a ping to the destination, it gives "106014 deny inbound icmp src inside:192.168.7.20 dst outside:192.168.27.40 (type 8, code 0)". I know there's something fundamental wrong, but can't spot it.

Local site 192.168.7.0, local NAT to 192.168.17.0, remote site 192.168.27.0.

TIA!

access-list outside_access_in extended permit ip 192.168.27.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list SiteName_access extended permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list SiteName_NAT extended permit ip 192.168.7.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list SiteName_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.27.0 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) 192.168.17.0 access-list SiteName_NAT
access-group outside_access_in in interface outside
route outside a.b.c.d 255.255.255.255 outside_router 1
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 3 match address SiteName_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer a.b.c.d
crypto map outside_map 3 set transform-set ESP-AES-256-MD5
crypto map outside_map 3 set security-association lifetime seconds 3600
crypto map outside_map 3 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
!
group-policy SiteName internal
group-policy SiteName attributes
 vpn-filter value SiteName_access
 vpn-tunnel-protocol IPSec
!
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d general-attributes
 default-group-policy SiteName
tunnel-group a.b.c.d ipsec-attributes
 pre-shared-key Mykey

3 Replies
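The post above has four ACLs that must agree on which address space each is written against: the policy-NAT ACL and the vpn-filter reference the real subnet 192.168.7.0/24, while the crypto-map ACL and the outside interface ACL reference the mapped subnet 192.168.17.0/24. The following is an added example, not code from the thread or from Cisco, that models how an ASA with this style of configuration evaluates one ICMP echo from 192.168.7.20 to 192.168.27.40 through the policy static NAT, the crypto-map ACL, the outside interface ACL and the vpn-filter, and reports which stage would drop it. Its assumptions are labelled in the docstring and are not confirmed by the thread: host-for-host translation by the `static ... access-list` command, crypto-map and interface ACL matching on translated addresses, and a vpn-filter written remote-as-source and matched against translated addresses on pre-8.3 code (8.3 and later match real addresses, which would change the result). `CANDIDATE` is a hypothetical variant of the posted filter, included only to show what the model flags, not a confirmed fix.

```python
"""Model of one flow through policy static NAT + L2L tunnel + vpn-filter on an ASA.

Added example; not from the thread.  Assumptions (not confirmed by the thread):
  * `static (inside,outside) MAPPED access-list NAT_ACL` translates the source
    host-for-host into the mapped subnet when (src, dst) matches NAT_ACL.
  * The crypto-map ACL and the outside interface ACL are matched on translated
    (mapped) addresses.
  * A vpn-filter ACE is written remote->local and the ASA applies it to both
    directions by swapping source and destination; on pre-8.3 code it is matched
    against translated addresses (8.3+ uses real addresses).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

REAL = IPv4Network("192.168.7.0/24")     # local real subnet from the post
MAPPED = IPv4Network("192.168.17.0/24")  # local NAT'd subnet from the post


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "icmp", "tcp", ...
    src: IPv4Network
    dst: IPv4Network


def parse_acls(config_lines):
    """Group 'access-list NAME extended ACTION PROTO SRC MASK DST MASK' lines by NAME."""
    acls = {}
    for line in config_lines:
        p = line.split()
        if len(p) == 9 and p[0] == "access-list" and p[2] == "extended":
            ace = Ace(p[3], p[4], IPv4Network(f"{p[5]}/{p[6]}"), IPv4Network(f"{p[7]}/{p[8]}"))
            acls.setdefault(p[1], []).append(ace)
    return acls


def acl_permits(aces, src, dst, proto):
    """First-match semantics with the implicit deny at the end, like a real ACL."""
    for a in aces:
        if a.proto in ("ip", proto) and src in a.src and dst in a.dst:
            return a.action == "permit"
    return False


def policy_static_nat(nat_aces, src, dst, proto, real=REAL, mapped=MAPPED):
    """Host-for-host translation of src when (src, dst) matches the NAT ACL (assumption)."""
    if src in real and acl_permits(nat_aces, src, dst, proto):
        return IPv4Address(int(mapped.network_address) + (int(src) - int(real.network_address)))
    return src


def evaluate(config_lines, src, dst, proto="icmp"):
    """Evaluate one local->remote packet and report what each stage decided."""
    acls = parse_acls(config_lines)
    src, dst = IPv4Address(src), IPv4Address(dst)
    mapped_src = policy_static_nat(acls["SiteName_NAT"], src, dst, proto)
    return {
        "mapped_src": str(mapped_src),
        # crypto ACL must see the mapped address or the packet is not sent into the tunnel
        "crypto_acl_match": acl_permits(acls["SiteName_cryptomap"], mapped_src, dst, proto),
        # reply from the peer arrives on outside addressed to the mapped host
        "outside_acl_permits_reply": acl_permits(acls["outside_access_in"], dst, mapped_src, proto),
        # vpn-filter is remote->local; the outbound packet is checked with addresses swapped
        "vpn_filter_permits": acl_permits(acls["SiteName_access"], dst, mapped_src, proto),
    }


# The four ACLs exactly as posted; the rest of the config is not needed for this check.
POSTED = [
    "access-list outside_access_in extended permit ip 192.168.27.0 255.255.255.0 192.168.17.0 255.255.255.0",
    "access-list SiteName_access extended permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0",
    "access-list SiteName_NAT extended permit ip 192.168.7.0 255.255.255.0 192.168.27.0 255.255.255.0",
    "access-list SiteName_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.27.0 255.255.255.0",
]

# Hypothetical variant (not a confirmed fix): the vpn-filter rewritten against the mapped subnet.
CANDIDATE = [
    line if "SiteName_access" not in line else
    "access-list SiteName_access extended permit ip 192.168.27.0 255.255.255.0 192.168.17.0 255.255.255.0"
    for line in POSTED
]

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("candidate", CANDIDATE)):
        print(label, evaluate(cfg, "192.168.7.20", "192.168.27.40"))
```

Under the stated assumptions the posted ACLs translate 192.168.7.20 to 192.168.17.20, match the crypto ACL and the outside ACL, and fail only the vpn-filter, because that ACL is the one written against the real subnet. Whether the real ASA behaves this way depends on the software version, so the check to run on the box itself is `packet-tracer input inside icmp 192.168.7.20 8 0 192.168.27.40`, which shows the NAT, VPN and ACL phases and names the phase that drops the packet.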

andrew.prince (Level 10)

Without seeing your no-nat rules, it's hard to say.

Below is a config example of NATing and VPNs, which is what you are trying to do.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

HTH.

It also looks like you have an ACL on the inside interface inbound? Is this the case?

gluker7388 (Level 1)

Did you ever get an answer for this error? I am having the exact same problem. I have tried everything and nothing works.