5832 Views | 5 Helpful | 2 Replies

packet tracer command for VPN ACL

sambillings459
Level 1

Hello Experts,

Can you guys please let me know if we can use a packet tracer command for VPN ACLs.

Also, can you guys please give me some good links for IPSEC site-to-site VPN documentation with NAT-T enabled.

I work in an environment where we do NATTING inside the IPSEC tunnel; whenever I see some NAT statements I really get confused.

I will give you one example.

We have some 10 internal subnets and we are doing dynamic PAT for these subnets, and to avoid IP conflicts we give a /24 or /25 subnet to the third party to do NAT at their end. Sometimes third parties do NAT with our assigned IP subnet and sometimes third parties do not do NAT with our assigned IP subnet.

When 3rd parties don't do NAT at their end we would have to do destination NAT at our end.

Usually when they do NAT with our assigned IPs our NAT statements would look something like below, and also here we would only do NAT for the source and the destination would remain the same:

nat (inside,outside) source dynamic real_IP dynamic-PAT_IP destination static real_IP real_IP

For 3rd parties who cannot do NAT with our assigned subnet for some reason we would have to do NAT at our end for the destination.

I'm not sure how that statement looks.

Any help would be really appreciated, and also resources or links to any documents would be very helpful.

Thanks

Sam

2 Replies

Aditya Ganjoo
Cisco Employee

Hi Sam,

Yes, you can use the packet tracer command for the IPSEC ACL.

You need to use real IPs whenever you need to test with the packet-tracer command.

Please check this link, it is pretty clear:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

Regards,

Aditya

Please rate helpful and mark correct answers

Mohammad Alhyari
Cisco Employee

Hi,

Keep the following in mind when dealing with NAT and crypto:

1- The crypto map sees the packet at the end, before it leaves the ASA, so the VPN sees the traffic after it has been NATted. Reflecting this in the configuration of the interesting (crypto) access list, it should have the NATted addresses referenced in it.

2- As you mentioned, a key point is to know who is doing NAT and what they are doing it to, since you need to reflect that in your config.

3- Packet tracer works fine with the VPN. A fact to be said, it is there to simulate all features applied to a packet passing through the ASA. But pay attention that when you simulate the traffic you need to simulate it as it is entering the ASA, I mean what IP is being seen by your internal network. A good way to figure this out is to imagine the form in which the packet is entering the ASA from the inside interface and then do the packet tracer based on that.

4- Useful documents

Most L2L and remote access troubleshooting solutions

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

Site to Site between an ASA and a cisco Router

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html

Troubleshooting access using packet tracer

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

HTH.

Moh,
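As an added illustration of points 1 and 3 above (example code written for this page, not from the thread or from Cisco), here is a small Python model of the ASA order of operations, NAT before the crypto map, using the source-dynamic NAT shape from Sam's question with constructed RFC 5737 addresses. It shows why a crypto ACL written with the real inside addresses never matches, while packet-tracer is still fed the real source IP as the packet enters the inside interface.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (not from the thread): one internal subnet is
# PATed to a single address from the range assigned to the partner, and the
# partner's real subnet is left unchanged (the "destination static X X" part).
REAL_INSIDE = ip_network("10.1.1.0/24")
PAT_IP = ip_address("192.0.2.10")
PARTNER_NET = ip_network("198.51.100.0/24")


def apply_nat(src, dst):
    """Model 'nat (inside,outside) source dynamic REAL PAT destination static P P'."""
    if src in REAL_INSIDE and dst in PARTNER_NET:
        return PAT_IP, dst
    return src, dst


def crypto_acl_matches(acl, src, dst):
    """acl is a list of (source_network, destination_network) permit entries."""
    return any(src in s and dst in d for s, d in acl)


def packet_tracer(src, dst, acl):
    """Walk a packet entering on the inside interface through the phases in the
    ASA's order: NAT first, then the crypto map. Returns the translated
    addresses and whether the crypto ACL matched, i.e. whether the traffic
    would be steered into the tunnel."""
    src, dst = ip_address(src), ip_address(dst)
    xsrc, xdst = apply_nat(src, dst)
    return {"nat": (str(xsrc), str(xdst)),
            "encrypted": crypto_acl_matches(acl, xsrc, xdst)}


# Crypto ACL written with the real inside addresses: looks reasonable, but the
# crypto map never sees 10.1.1.0/24, only the PAT address, so it never matches.
ACL_REAL = [(REAL_INSIDE, PARTNER_NET)]
# Crypto ACL written with the post-NAT addresses, as point 1 recommends.
ACL_NATTED = [(ip_network("192.0.2.10/32"), PARTNER_NET)]

if __name__ == "__main__":
    # Point 3: give packet-tracer the real source IP as the packet enters inside.
    print(packet_tracer("10.1.1.25", "198.51.100.7", ACL_REAL))    # encrypted False
    print(packet_tracer("10.1.1.25", "198.51.100.7", ACL_NATTED))  # encrypted True
```

Feeding the already-translated PAT address as the source skips the NAT phase in the model, which is the misleading result point 3 warns about.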
