natting L-2-L vpn traffic

Hi, I have an ASA 8.2 and I set up a site-to-site VPN. The VPN is established correctly, but only from the opposite side; I cannot start it from my side. I am supposed to NAT all traffic that goes to the tunnel from one host in the inside network using my public IP, and the public IP is used as the encryption domain for the tunnel. The other end is also NATting using its public IP. They can ping from the remote side, but I cannot ping from my side or start any traffic from my side, and that is why I cannot establish the VPN from my side. I do not know what the problem is, but I suspect that the NAT is not correct, so I troubleshot the NAT and noticed that the NAT is not being seen: I used packet-tracer and saw that it does not pick up the NAT rule for this source interface and destination interface; it sees a different NAT done for the same inside server but a different outbound interface. I do not know if the issue with the NAT is related to the issue with the VPN, but I guess they are related. This is my setup:

my site: 111.111.111.111

remote site: 222.222.222.222

inside host: 10.21.0.164

This is the VPN tunnel setup:

access-list VPN_CRYPTO_MAP_ACL extended permit ip host 222.222.222.222 interface InternetNetwork

crypto ipsec transform-set INTERNETNETWORK_TRANSFORM_SET esp-3des esp-sha-hmac

crypto map INTERNETNETWORK_CRYPTO_MAP 202 match address VPN_CRYPTO_MAP_ACL

crypto map INTERNETNETWORK_CRYPTO_MAP 202 set pfs

crypto map INTERNETNETWORK_CRYPTO_MAP 202 set peer 222.222.222.222

crypto map INTERNETNETWORK_CRYPTO_MAP 202 set transform-set INTERNETNETWORK_TRANSFORM_SET

crypto map INTERNETNETWORK_CRYPTO_MAP interface InternetNetwork

tunnel-group 222.222.222.222 type ipsec-l2l

tunnel-group 222.222.222.222 ipsec-attributes

pre-shared-key *

This is the setup for the NAT:

access-list INTERNETNETWORK_SMSC_NAT extended permit tcp host 10.21.0.164 eq 30000 host 222.222.222.222

access-list INTERNETNETWORK_SMSC_NAT extended permit tcp host 10.21.0.164 host 222.222.222.222

static (ServiceNetwork,InternetNetwork) tcp interface 30000 access-list INTERNETNETWORK_SMSC_NAT

This is the static NAT that I see being picked up in packet-tracer:

static (ServiceNetwork,HQNetwork) tcp interface 30000 10.21.0.164 30000 netmask 255.255.255.255

Note:

ServiceNetwork: is the inside network

HQNetwork: a lower security network

InternetNetwork: public interface, used for the tunnel.

Any help will be greatly appreciated. Thanks!

Jennifer Halim
Cisco Employee

Firstly, the VPN crypto ACL is incorrect, it should be:

access-list VPN_CRYPTO_MAP_ACL extended permit ip interface InternetNetwork host 222.222.222.222

Secondly, you should have a route for 222.222.222.222 out via the InternetNetwork interface; otherwise, if you have a route for 222.222.222.222 via HQNetwork, that particular static NAT will be used instead.

Lastly, the ACL "INTERNETNETWORK_SMSC_NAT" should only have 1 line and it should say as follows:

access-list INTERNETNETWORK_SMSC_NAT extended permit tcp host 10.21.0.164 eq 30000 host 222.222.222.222 eq 30000

Once you modify the above, please also clear the xlate.
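The reply above rests on one ASA 8.2 behaviour: the route to the destination decides the egress interface, and only a static whose (real,mapped) interface pair matches the ingress and egress interfaces can translate the flow, with a policy static additionally requiring its ACL to match the full 5-tuple. The following is an added, simplified model of that selection (not the device's own logic and not part of the thread), using the thread's interface names, host and ports as constructed input:

```python
import ipaddress

# Constructed, simplified model of ASA 8.2 static / policy-static NAT selection.
# The values mirror the thread; this is not a real device configuration.
ROUTES = [("222.222.222.222/32", "InternetNetwork"), ("0.0.0.0/0", "InternetNetwork")]

# Policy NAT ACL entries: (src host, src port or None, dst host, dst port or None)
POLICY_ACLS = {
    "INTERNETNETWORK_SMSC_NAT": [("10.21.0.164", 30000, "222.222.222.222", 30000)],
}

# One dict per "static (real,mapped) tcp interface 30000 ..." line in the thread.
STATICS = [
    {"real_ifc": "ServiceNetwork", "mapped_ifc": "HQNetwork",
     "real_host": "10.21.0.164", "port": 30000},
    {"real_ifc": "ServiceNetwork", "mapped_ifc": "InternetNetwork",
     "acl": "INTERNETNETWORK_SMSC_NAT", "port": 30000},
]

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: the interface the ASA would route dst out of."""
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifc)
    return best[1] if best else None

def acl_permits(acl_name, src, sport, dst, dport, acls=POLICY_ACLS):
    """True if any ACE in the policy ACL matches the flow (None means any port)."""
    return any(src == s and dst == d and sp in (None, sport) and dp in (None, dport)
               for s, sp, d, dp in acls[acl_name])

def pick_static(src_ifc, src, sport, dst, dport, routes=ROUTES, statics=STATICS):
    """Return the static that translates the flow, or None if nothing matches."""
    out_ifc = egress_interface(dst, routes)
    for st in statics:
        if (st["real_ifc"], st["mapped_ifc"]) != (src_ifc, out_ifc):
            continue  # interface pair does not match ingress/egress: static skipped
        if "acl" in st:
            if acl_permits(st["acl"], src, sport, dst, dport):
                return st
        elif st["real_host"] == src and st["port"] == sport:
            return st
    return None

if __name__ == "__main__":
    chosen = pick_static("ServiceNetwork", "10.21.0.164", 30000, "222.222.222.222", 30000)
    print("static used:", chosen and chosen["mapped_ifc"])
```

Swapping the 222.222.222.222/32 route to HQNetwork in `ROUTES` makes the model pick the HQNetwork static instead, which is the symptom the reply attributes to a wrong route.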

Thank you Jennifer, I corrected the crypto map so the VPN config is like this:

crypto isakmp nat-traversal 60

crypto ipsec transform-set INTERNETNETWORK_TRANSFORM_SET esp-3des esp-sha-hmac

crypto map INTERNETNETWORK_CRYPTO_MAP 202 match address VPN_CRYPTO_MAP_ACL

crypto map INTERNETNETWORK_CRYPTO_MAP 202 set pfs

crypto map INTERNETNETWORK_CRYPTO_MAP 202 set peer 222.222.222.222

crypto map INTERNETNETWORK_CRYPTO_MAP 202 set transform-set INTERNETNETWORK_TRANSFORM_SET

access-list VPN_CRYPTO_MAP_ACL extended permit ip interface InternetNetwork host 222.222.222.222

Regarding the NAT, this one inside server needs to be NATted on HQNetwork and InternetNetwork, that is why I have two statics for this, and on the InternetNetwork interface it needs to be NATted for more than one destination, I have 2 so far, that is why there are 2 sentences (before it was a test I was doing):

access-list INTERNETNETWORK_SMSC_NAT extended permit tcp host 10.21.0.164 eq 30000 host 222.222.222.222

access-list INTERNETNETWORK_SMSC_NAT extended permit tcp host 10.21.0.164 eq 30000 host 333.333.333.333

static (ServiceNetwork,InternetNetwork) tcp interface 30000 access-list INTERNETNETWORK_SMSC_NAT

When I do the packet-tracer this is the one getting picked:

static (ServiceNetwork,HQNetwork) tcp interface 30000 10.21.0.164 30000 netmask 255.255.255.255

This is the routing table that I have:

S    222.222.222.222 255.255.255.255 [1/0] via AAA.AA.AAA.AA, InternetNetwork

S*   0.0.0.0 0.0.0.0 [1/0] via AAA.AA.AAA.AA , InternetNetwork

After doing most of the changes you asked me I cleared xlate and tested, but got the same results. Thanks!!

And I assume that if you temporarily remove the following static and clear xlate, it works, right?:

static (ServiceNetwork,HQNetwork) tcp interface 30000 10.21.0.164 30000 netmask 255.255.255.255

Sorry for replying this late. I followed what you told me about the ACL for the crypto map, I deleted the static and it started working, so after playing with the NATting and doing some packet-tracer I understood a bit more about the process and more importantly about the flow, so I made the necessary configurations and it worked. Thanks so much!