08-14-2017 06:06 AM
Hello Experts,
Can you guys please let me know if we can use the packet tracer command for VPN ACLs.
Also, can you guys please give me some good links for IPsec site-to-site VPN documentation with NAT-T enabled.
I work in an environment where we do NATting inside the IPsec tunnel; whenever I see some NAT statements I really get confused.
I will give you one example.
We have some 10 internal subnets and we are doing dynamic PAT for these subnets, and to avoid IP conflicts we give a /24 or /25 subnet to the third party to do NAT at their end. Sometimes third parties do NAT with our assigned IP subnet and sometimes third parties do not do NAT with our assigned IP subnet.
When 3rd parties don't do NAT at their end, we have to do destination NAT at our end.
Usually when they do NAT with our assigned IPs, our NAT statement looks something like the one below; here we only do NAT for the source, and the destination remains the same:
nat (inside,outside) source dynamic real_IP dynamic-PAT_IP destination static real_IP real_IP
For 3rd parties who cannot do NAT with our assigned subnet for some reason, we have to do NAT for the destination at our end.
I'm not sure what that statement looks like.
Any help would be really appreciated, and resources or links to any documents would be very helpful.
Thanks
Sam
08-14-2017 07:04 AM
Hi Sam,
Yes, you can use the packet tracer command for the
You need to use real IPs whenever you test with the packet-tracer command.
Please check this link, it is pretty clear:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html
Regards,
Aditya
Please rate helpful and mark correct answers
08-15-2017 01:23 PM
Hi,
Keep the following in mind when dealing with NAT and crypto:
1- The crypto map sees the packet at the end, before it leaves the ASA, so the VPN sees the traffic after it has been NATted. Reflecting this in the configuration of the interesting (crypto) access list, it should reference the NATted addresses.
2- As you mentioned, a key point is to know who is doing NAT and what they are doing it to, since you need to reflect that in your config.
3- Packet tracer works fine with the VPN. To be clear, it is there to simulate all features applied to a packet passing through the ASA. But pay attention that when you simulate the traffic you need to simulate it as it is entering the ASA, I mean the IP that is seen by your internal network. A good way to figure this out is to imagine the packet as it is entering the ASA from the inside interface and then do the packet tracer based on that.
4- Useful documents:
Most L2L and remote access troubleshooting solutions
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html
Site-to-site between an ASA and a Cisco router
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html
Troubleshooting access using packet tracer
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer
HTH.
Moh,
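Putting Sam's two cases and Moh's points 1 and 3 together as an added example (this is not configuration from anyone in the thread, and all addresses, object names and the peer address are constructed from documentation ranges as placeholders): the twice-NAT rule is written once per case, the crypto ACL references the post-NAT addresses the crypto map actually sees, and packet-tracer is fed the packet exactly as an inside host would send it, i.e. with the pre-NAT source and the destination address the inside host uses.

```text
! Objects (constructed sample values; replace with your own)
object network OUR_REAL_NET
 subnet 10.1.1.0 255.255.255.0
! Our internal subnet (one of the ten)
object network OUR_PAT_IP
 host 192.0.2.10
! The PAT address the third party is told about
object network PEER_ASSIGNED_NET
 subnet 198.51.100.0 255.255.255.0
! The /24 we handed the third party to NAT into
object network PEER_REAL_NET
 subnet 172.16.5.0 255.255.255.0
! The third party's actual hosts (only needed for case 2)

! Case 1: the third party NATs into 198.51.100.0/24 at their end.
! We translate only our source; the destination is an identity (static to itself).
nat (inside,outside) source dynamic OUR_REAL_NET OUR_PAT_IP destination static PEER_ASSIGNED_NET PEER_ASSIGNED_NET
access-list VPN_TO_PEER extended permit ip host 192.0.2.10 198.51.100.0 255.255.255.0

! Case 2: the third party does NOT NAT, so our hosts still send to 198.51.100.x
! but the ASA must rewrite the destination to the peer's real 172.16.5.x before
! encryption. In "destination static <mapped> <real>", the mapped object is the
! address our inside hosts use and the real object is the peer's actual subnet.
nat (inside,outside) source dynamic OUR_REAL_NET OUR_PAT_IP destination static PEER_ASSIGNED_NET PEER_REAL_NET
! The crypto ACL references post-NAT addresses on both sides: our PAT IP and the peer's real subnet.
access-list VPN_TO_PEER extended permit ip host 192.0.2.10 172.16.5.0 255.255.255.0

! The crypto map entry is the same in both cases; only the ACL contents change.
! (Transform set / IKE policy are omitted here and assumed to exist.)
crypto map OUTSIDE_MAP 10 match address VPN_TO_PEER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP interface outside

! Test as the packet enters the ASA from the inside interface: real inside source,
! and the destination the inside host actually uses (the assigned 198.51.100.x).
! The NAT phase should show the translation and the VPN phase should match the ACL.
packet-tracer input inside tcp 10.1.1.20 40000 198.51.100.10 443 detailed
```

Only one of the two `nat` lines and one of the two `access-list` lines should exist for a given peer; they are shown side by side so the difference between "peer NATs" and "we NAT the destination" is visible. If the packet-tracer output shows the packet dropped in the VPN phase while NAT succeeded, the usual cause is a crypto ACL written with pre-NAT addresses.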