Need Help on Site to Site VPN configuration

acthakrar
Level 1

I have Site to Site VPN between myself and my client. I have done PAT for my Internal LAN subnets and have established tunnel between myself and client. I am able to access their servers from my LAN over VPN and it works fine.

Now there is a requirement where the client needs to access one of the servers in my LAN over the S2S VPN. I added that server IP to the encryption domain and it is getting PATed like the other LAN subnets. The client also allowed that access in their firewall. The client can see the packets hitting their firewall, but I don't see any hits on my firewall. I ran a capture and also added an ACL to allow that access on the outside interface.

I configured a capture and found that the packets are reaching the firewall, but I am seeing the SaAB flag in the show connection detail output. Does it mean that PAT is not working properly and I need to create a static NAT for that access?

Thanks in Advance.

Regards,

Ankit

7 Replies

JORGE RODRIGUEZ
Level 10

Hi Ankit,

Your description sounds like a NAT issue; the connection flags mean waiting for SYN ACKs. If you are not trying to hide the server's private IP you can use a NAT exempt rule [nonat] as part of your tunnel policy; you do not need static NAT in that case.

Regards

Jorge Rodriguez

There is a conflict in the internal LAN subnets, which is the reason I am doing PAT on my side, and the same is done on the other side.

Regards,

Hi Ankit, 

You need to NAT the traffic if you have conflicting networks at each end. What appliance are you using: an ASA (which code), a router?

This is a typical example for S2S on ASA 7.x-8.2.x with overlapping networks:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Jorge Rodriguez

I am doing PAT for my internal subnets and it works fine for accessing the client's tools. Now the requirement is that the client wants to access one of the tools in my network. I added that server to the interesting traffic and the same has been done on the client side, but it doesn't work.

Regards,

Hello Ankit,

Let me know if I'm wrong.

Current setup:

192.168.1.0/24 -> overloaded on 1.1.1.1 accesses 192.168.2.0/24 across the tunnel.

At the moment, you want 192.168.2.0/24 to access 192.168.1.10.

With the current setup, this will not work.

You will need to add this server to the crypto ACL, with the reverse entry on the far end (assuming you have already done this). Then you'll need to add a NAT exempt statement allowing traffic from 192.168.1.10 to 192.168.2.0/24 to go through without getting translated.

Let me know if you have any queries about the above or if I was wrong in understanding your setup.

Regards,

Aseem

I can't put nonat as my subnet conflicts with their subnet somewhere in their LAN.

Regards,

Ankit

You can however do the following.

Set up a policy-based static NAT for traffic going from 192.168.1.10 to 192.168.2.0/24. Translate it to something that does not overlap; assume we translate it to 192.168.3.10. Then you'll put 192.168.3.10 in the crypto ACL going towards 192.168.2.0/24, and vice versa on the far end.

Regards,

Aseem
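The configuration below is an added example of Aseem's second suggestion (policy static NAT, since NAT exempt is ruled out by the overlapping subnets); it is not from the thread and was not posted by Ankit or Aseem. It uses the ASA 8.3+ NAT syntax and the addresses from Aseem's summary: local LAN 192.168.1.0/24 PATed to 1.1.1.1, client LAN 192.168.2.0/24, local server 192.168.1.10 presented to the client as 192.168.3.10. The object, ACL and crypto map names (LOCAL-LAN, SRV-MAPPED, VPN-TO-CLIENT, OUTSIDE-MAP, OUTSIDE-IN), the service port 443, and the client test host 192.168.2.50 are all assumed for illustration.

```cisco
! Added example, ASA 8.3+ syntax. Addresses follow Aseem's summary; object,
! ACL and crypto map names are assumed, as are port 443 and host 192.168.2.50.
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network CLIENT-LAN
 subnet 192.168.2.0 255.255.255.0
object network PAT-IP
 host 1.1.1.1
object network SRV-REAL
 host 192.168.1.10
object network SRV-MAPPED
 host 192.168.3.10
!
! 1. Bidirectional policy static NAT: 192.168.1.10 appears as 192.168.3.10,
!    but only when the other end is the client LAN. Listed first so it is
!    matched before the dynamic PAT rule (manual NAT is evaluated in order).
nat (inside,outside) 1 source static SRV-REAL SRV-MAPPED destination static CLIENT-LAN CLIENT-LAN
!
! 2. Existing behaviour for the rest of the LAN: PAT to 1.1.1.1 towards the
!    client LAN. A dynamic rule only creates translations for connections
!    started from inside, so a SYN from the client can never match it.
nat (inside,outside) 2 source dynamic LOCAL-LAN PAT-IP destination static CLIENT-LAN CLIENT-LAN
!
! 3. Crypto ACL (encryption domain) lists the TRANSLATED addresses, because
!    NAT happens before the packet is matched to the tunnel. The client's
!    crypto ACL must be the exact mirror: 192.168.2.0/24 -> 1.1.1.1 and
!    192.168.2.0/24 -> 192.168.3.10.
access-list VPN-TO-CLIENT extended permit ip host 1.1.1.1 192.168.2.0 255.255.255.0
access-list VPN-TO-CLIENT extended permit ip host 192.168.3.10 192.168.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-CLIENT
!
! 4. Only needed if "sysopt connection permit-vpn" has been turned off:
!    the outside ACL must then allow the client to the server. On 8.3+ the
!    ACL references the REAL address; on pre-8.3 it would be the mapped one.
access-list OUTSIDE-IN extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 443
access-group OUTSIDE-IN in interface outside
!
! 5. Verify on the ASA before asking the client to retest. The inbound trace
!    should end in ALLOW with the NAT phase showing 192.168.3.10 -> 192.168.1.10.
packet-tracer input outside tcp 192.168.2.50 40000 192.168.3.10 443
show nat detail
show conn detail address 192.168.1.10
```

On ASA 7.x-8.2 the same design is written as a policy static: an ACL matching `host 192.168.1.10` to `192.168.2.0 255.255.255.0`, then `static (inside,outside) 192.168.3.10 access-list <that-acl>`, alongside the existing `nat (inside) 2 access-list <pat-acl>` / `global (outside) 2 1.1.1.1` pair; there a static always wins over a dynamic rule, so ordering is not a concern. Whichever syntax applies, the crypto ACL on both ends must agree on 192.168.3.10, otherwise the client's SYN is dropped at proposal mismatch or, if it does arrive, lands on 1.1.1.1 with no translation to reach the server.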

Hello,

Please join my meeting that is currently in progress.

Topic: VPN
Date: Tuesday, December 10, 2013
Time: 11:52 am, Pacific Standard Time (San Francisco, GMT-08:00)
Meeting Number: 202 081 664
Meeting Password: cisco
Regards,

Aseem