
Problem with VPN traffic

asonea
Level 1

Hello,

I have configured a site-to-site VPN and it is working OK. I can receive and send data. The main VPN configuration is the following:

- Remote address: X.X.0.0/15

- Local range: Firewall inside IP (172.16.0.1) and the range 172.16.2.2-172.16.2.255. We have been asked to NAT these IPs to the range 100.104.0.0/24. This NAT needs one-to-one address translation. For this I have created one NAT from 172.16.0.1 to 100.104.0.1 and another one from the range 172.16.2.2-255 to 100.104.0.2-255.

I have checked the VPN and everything seems to be OK.

I need to send data from the firewall over the VPN. When I use packet-tracer to check if everything is correct from 172.16.0.1, the traffic is denied by an implicit rule. But if I use one IP from the range 172.16.2.2-255, the traffic can leave the firewall and go through the VPN. I have an access rule created which allows all the traffic from inside to leave the firewall and another one also created to permit traffic from 172.16.0.1 to X.X.0.0/15.

I don't understand why I have this problem just with the firewall IP.

Could anyone help me please?

Thank you in advance.

21 Replies

Yes, but this IP is not NATed as you mention in your original post.
Can I see how you configured the NAT and how you configured the ACL of the VPN?
MHM

Yes,

I have two NATs created:

19 (inside) to (outside) source static firewall fw_NAT destination static Remote_network Remote_network net-to-net no-proxy-arp
translate_hits = 0, untranslate_hits = 0
20 (inside) to (outside) source static red_interna red_nat destination static Remote_network Remote_network net-to-net no-proxy-arp
translate_hits = 152, untranslate_hits = 152

The first NAT translates the IP of the firewall 172.16.0.1 to 100.104.0.1 and the second one the range 172.16.2.2-255 to 100.104.0.2-255.

The ACL of the VPN is:

access-list outside_cryptomap line 1 extended permit ip 100.104.0.0 255.255.255.0 Remote_network (hitcnt=195) 0x3119a0fa
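The two NAT rules and the crypto ACL above are enough to model how the ASA decides whether an outbound packet on the inside interface gets encrypted: the twice-NAT rules are evaluated in order first, and the crypto-map ACL is then matched against the translated source, which is why outside_cryptomap references 100.104.0.0/24 rather than the real addresses. The following is an added example, not code from the thread or from Cisco. It reproduces NAT 19 and NAT 20 as data (red_interna and red_nat as the poster describes them), and since Remote_network is masked as X.X.0.0/15 in the thread, a placeholder /15 is assumed for it.

```python
"""Model of the ASA's outbound lookup order for through-the-box traffic:
twice-NAT (section 1) rules in sequence, then the crypto-map ACL matched
against the post-NAT source. Added example, not from the thread."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Obj:
    """An ASA 'object network' as an inclusive address range."""
    name: str
    first: IPv4
    last: IPv4

    def __contains__(self, ip: IPv4) -> bool:
        return self.first <= ip <= self.last

    def size(self) -> int:
        return int(self.last) - int(self.first) + 1


def host(name: str, ip: str) -> Obj:
    return Obj(name, IPv4(ip), IPv4(ip))


def rng(name: str, first: str, last: str) -> Obj:
    return Obj(name, IPv4(first), IPv4(last))


def subnet(name: str, cidr: str) -> Obj:
    n = ipaddress.IPv4Network(cidr)
    return Obj(name, n.network_address, n.broadcast_address)


# Objects as posted / described in the thread.
FIREWALL = host("firewall", "172.16.0.1")
FW_NAT = host("fw_NAT", "100.104.0.1")
RED_INTERNA = rng("red_interna", "172.16.2.2", "172.16.2.255")
RED_NAT = rng("red_nat", "100.104.0.2", "100.104.0.255")
# Assumption: stand-in for the peer network masked as X.X.0.0/15.
REMOTE_NETWORK = subnet("Remote_network", "198.18.0.0/15")


@dataclass(frozen=True)
class TwiceNat:
    """'nat (inside,outside) source static REAL MAPPED destination static D D'."""
    rule_id: int
    real_src: Obj
    mapped_src: Obj
    dst: Obj  # destination is an identity translation in the thread

    def translate(self, src: IPv4, dst: IPv4) -> Optional[IPv4]:
        """Return the mapped source if this rule matches, else None."""
        if src not in self.real_src or dst not in self.dst:
            return None
        # A static range-to-range rule is only one-to-one when both sides
        # have the same size; refuse to model anything else.
        if self.real_src.size() != self.mapped_src.size():
            raise ValueError(f"rule {self.rule_id}: real and mapped ranges "
                             "differ in size, translation is not one-to-one")
        offset = int(src) - int(self.real_src.first)
        return IPv4(int(self.mapped_src.first) + offset)


NAT_RULES = [
    TwiceNat(19, FIREWALL, FW_NAT, REMOTE_NETWORK),
    TwiceNat(20, RED_INTERNA, RED_NAT, REMOTE_NETWORK),
]

# access-list outside_cryptomap extended permit ip 100.104.0.0 255.255.255.0 Remote_network
CRYPTO_ACL = [(subnet("mapped_local", "100.104.0.0/24"), REMOTE_NETWORK)]


def trace(src: str, dst: str) -> dict:
    """Mimic packet-tracer for an inside host: first matching NAT rule wins,
    then the crypto ACL is tested against the translated source."""
    s, d = IPv4(src), IPv4(dst)
    mapped, rule = s, None
    for r in NAT_RULES:
        m = r.translate(s, d)
        if m is not None:
            mapped, rule = m, r.rule_id
            break
    encrypted = any(mapped in a and d in b for a, b in CRYPTO_ACL)
    return {"rule": rule, "mapped_src": str(mapped), "encrypted": encrypted}


if __name__ == "__main__":
    for src in ("172.16.0.1", "172.16.2.10", "172.16.2.255", "172.16.2.1"):
        print(src, "->", trace(src, "198.18.4.4"))
```

Run as-is and the inside IP 172.16.0.1 hits rule 19, becomes 100.104.0.1 and matches the crypto ACL, while 172.16.2.1 (outside both real ranges) is left untranslated and never matches outside_cryptomap, so a host not covered by any NAT rule is the first thing to check when traffic fails to reach the tunnel. The model only covers traffic passing through the firewall; packets the ASA originates itself are processed differently and are not modelled here.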

19 (inside) to (outside) source static firewall fw_NAT destination static Remote_network Remote_network net-to-net no-proxy-arp
translate_hits = 0, untranslate_hits = 0

This NAT is never hit.
The object network firewall AND fw_NAT must contain a host IP, am I correct?

MHM

Yes, this NAT is never hit, I do not understand why. On the second one, all the traffic is from pings I made.

Yes, the objects are the following:

object network firewall
host 172.16.0.1

object network fw_NAT
host 100.104.0.1

Hi friend,
I did many tests in my lab.

Case 1
10.0.0.0-ASA1-IPsec VPN-ASA2-20.0.0.0
VPC3 can ping the IN interface of ASA2 over IPsec when I run management-access IN.

Case 2
10.0.0.0-ASA1-IPsec-ASA2-220.0.0.0 NAT to 20.0.0.0
VPC3 can ping VPC4 (static NAT 220.0.0.4 to 20.0.0.4) but
VPC3 cannot ping the ASA2 IN interface (static NAT 220.0.0.2 to 20.0.0.2).

I will try VTI and update you

MHM

asonea
Level 1

Hello! Thank you again for your help.

I have checked again and now I see traffic on the NAT:

19 (inside) to (outside) source static firewall fw_NAT destination static Remote_network Remote_network net-to-net no-proxy-arp
translate_hits = 80, untranslate_hits = 80
20 (inside) to (outside) source static red_interna red_nat destination static Remote_network Remote_network net-to-net no-proxy-arp
translate_hits = 8, untranslate_hits = 8

I can ping from my server and see the other side of the VPN (not from the firewall).

On NAT 19, which is the one SNMP should use, I see traffic. In the syslog I see how from the other side they make a UDP connection and it goes through the NAT:

6 | Jul 01 2024 | 12:56:37 | X.X.X.X | 19001 | 172.16.0.1 | 161 | Built inbound UDP connection 1024028 for outside:X.X.X.X/19001 (X.X.X.X/19001) to inside:172.16.0.1/161 (100.104.0.1/161)

But again I check the SNMP and this traffic does not go through the VPN.

Any idea why this happens?

Thank you very much.
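The syslog line in the post above is an ASA connection-build message, and its format carries the evidence the poster is reading off it: each endpoint is written as interface:real_ip/real_port (mapped_ip/mapped_port), so the inside endpoint 172.16.0.1/161 (100.104.0.1/161) shows the packet was untranslated through the 172.16.0.1 to 100.104.0.1 static mapping of NAT 19. The following is an added example, not code from the thread or from Cisco, that parses such lines and checks the real/mapped pairs against the expected static mapping. The sample line is the one from the thread with the peer still masked as X.X.X.X; the "Teardown" line used as a negative case is constructed.

```python
"""Parse ASA 'Built ... connection' syslog messages and recover the
real and mapped address of each endpoint. Added example, not from the thread."""

import re
from typing import Optional

# Line from the thread (ASDM column prefix dropped, peer masked as X.X.X.X).
SAMPLE = ("Built inbound UDP connection 1024028 for outside:X.X.X.X/19001 "
          "(X.X.X.X/19001) to inside:172.16.0.1/161 (100.104.0.1/161)")

# One endpoint: interface:real/port (mapped/port). [\w.]+ also accepts the
# masked X.X.X.X so the original line parses unchanged.
_EP = r"(\w+):([\w.]+)/(\d+) \(([\w.]+)/(\d+)\)"
BUILT = re.compile(
    r"Built (inbound|outbound) (TCP|UDP) connection (\d+) for " + _EP + " to " + _EP
)

# Expected static one-to-one mapping from the poster's NAT 19 (real -> mapped).
EXPECTED_STATIC = {"172.16.0.1": "100.104.0.1"}


def parse_built(line: str) -> Optional[dict]:
    """Return the parsed message, or None if the line is not a Built message."""
    m = BUILT.search(line)
    if not m:
        return None
    g = m.groups()

    def endpoint(i: int) -> dict:
        return {"if": g[i], "real": g[i + 1], "rport": int(g[i + 2]),
                "mapped": g[i + 3], "mport": int(g[i + 4])}

    return {"direction": g[0], "proto": g[1], "conn_id": int(g[2]),
            "src": endpoint(3), "dst": endpoint(8)}


def translated_endpoints(rec: dict) -> list:
    """Endpoints whose mapped address differs from the real one, i.e. where a
    NAT rule was applied (or untranslated, for inbound connections)."""
    return [k for k in ("src", "dst") if rec[k]["real"] != rec[k]["mapped"]]


def matches_static_nat(rec: dict, table: dict = EXPECTED_STATIC) -> bool:
    """True when every translated endpoint agrees with the expected static map."""
    return all(table.get(rec[k]["real"]) == rec[k]["mapped"]
               for k in translated_endpoints(rec))


if __name__ == "__main__":
    rec = parse_built(SAMPLE)
    print(rec)
    print("translated:", translated_endpoints(rec),
          "consistent with NAT 19:", matches_static_nat(rec))
```

The check confirms only that the inbound connection was untranslated through the expected mapping; a Built message says nothing about whether the SNMP reply leaving the firewall was encrypted. For that, the per-SA packet counters in `show crypto ipsec sa` (the "#pkts encaps" and "#pkts decaps" lines) are the place to look while the poll is running.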

I get the same in my lab, I can NAT but the traffic does not pass between the two peers over IPsec.

MHM