09-01-2011 07:21 AM
I need to set up communication between my local LAN segment and a remote LAN segment using private IP addresses. We currently have a VPN tunnel up between the two sites, and we currently NAT our private traffic to a public IP and send that over to another public NAT on the remote site. I am unable to see traffic from the remote site via private IP, and when I use packet tracer in the ASDM, the packet is dropped at the first "VPN" statement. Is there anything I need to do differently since I am using a NAT exempt statement?
Solved! Go to Solution.
09-01-2011 02:37 PM
Daniel,
Have you modified your crypto ACLs so that they include the private LANs as well?
Right now they are probably configured to use the public IP Addresses but how about the Private ones?
Please check this and let us know what you find.
Thanks.
Raga
09-02-2011 07:40 AM
The ACL in your NAT Exemption should reference the private IP addresses on both sides. Also ensure that you either have a route for the destination address (remote private IP space) on each end pointing to the next-hop public IP address of the outgoing (WAN) interface, OR configure a reverse-route under the crypto map that is applied to the outside interface. Verify ISAKMP is enabled on the outside interface: `crypto isakmp enable outside`.
Hope it works. If not attach a copy of the configuration files for further review.
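To make the two answers above concrete, here is an added ASA 8.2-style configuration fragment (not from the original thread or from any poster) showing the mistake the question describes beside the corrected form. Subnets 192.168.1.0/24 (local), 192.168.2.0/24 (remote), the peer 203.0.113.2, the next hop 203.0.113.1 and the ACL, map and transform-set names are all constructed placeholders; replace them with your own values.

```cisco
! --- BEFORE (the failure mode in the question) ---
! NAT exemption and crypto ACL written against the public NAT address,
! so private-to-private traffic never matches the tunnel and
! packet-tracer drops it at the first VPN phase.
! access-list NONAT extended permit ip 198.51.100.10 255.255.255.255 192.168.2.0 255.255.255.0
! access-list VPN-TRAFFIC extended permit ip 198.51.100.10 255.255.255.255 192.168.2.0 255.255.255.0

! --- AFTER (corrected) ---
! 1. NAT exemption: private source to private destination on both sides.
!    The remote side needs the mirror image (192.168.2.0 -> 192.168.1.0).
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Crypto ACL must match the same private-to-private flow, otherwise
!    the interesting-traffic check fails even though NAT is exempt.
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! 3. Crypto map bound to the outside interface, with reverse-route so the
!    ASA installs the route to the remote private space itself.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside

! 3b. Alternative to reverse-route: a static route toward the WAN next hop.
!     Use one of 3 or 3b, not both.
! route outside 192.168.2.0 255.255.255.0 203.0.113.1

! 4. ISAKMP must be enabled on the interface the peer reaches.
crypto isakmp enable outside

! 5. Re-check from the CLI (same test as the ASDM packet tracer):
!    the flow should now pass the VPN phases instead of being dropped.
! packet-tracer input inside tcp 192.168.1.10 1024 192.168.2.10 443
```

The key point is that the NAT-exempt ACL and the crypto ACL describe the same private-to-private flow; if either one still references the public NAT address, the ASA has no tunnel entry for the private traffic and drops it at the VPN lookup, which is exactly the symptom reported in the question.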
09-02-2011 08:13 AM
Thanks guys, we had an incorrect NAT statement.