06-13-2024 05:46 AM
Hello,
I have configured a site-to-site VPN and it is working OK. I can receive and send data. The VPN main configuration is the following:
- Remote Address: X.X.0.0/15
- Local Range: Firewall Inside IP (172.16.0.1) and the range 172.16.2.2-172.16.2.255. We have been asked to NAT these IPs to the range 100.104.0.0/24. This NAT needs one-to-one address translation. For this I have created one NAT from 172.16.0.1 to 100.104.0.1 and another one from the range 172.16.2.2-255 to 100.104.0.2-255.
I have checked the VPN and everything seems to be OK.
I need to send data from the firewall over the VPN. When I use packet tracer to check if everything is correct from 172.16.0.1, the traffic is denied by an Implicit Rule. But if I use one IP from the range 172.16.2.2-255, the traffic can leave the firewall and go through the VPN. I have an access rule created which allows all the traffic from inside to leave the firewall and another one created also to permit traffic from 172.16.0.1 to X.X.0.0/15.
I don't understand why I have this problem just with the firewall IP.
Could anyone help me please?
Thank you in advance.
06-25-2024 02:23 AM
Yes, but this IP is not NATed as you mention in your original post.
Can I see how you configured the NAT and how you configured the ACL of the VPN?
MHM
06-25-2024 04:54 AM
Yes,
I have two NATs created:
19 (inside) to (outside) source static firewall fw_NAT destination static Remote_network Remote_network net-to-net no-proxy-arp
translate_hits = 0, untranslate_hits = 0
20 (inside) to (outside) source static red_interna red_nat destination static Remote_network Remote_network net-to-net no-proxy-arp
translate_hits = 152, untranslate_hits = 152
The first NAT translates the IP of the firewall 172.16.0.1 to 100.104.0.1 and the second one the range 172.16.2.2-255 to 100.104.0.2-255.
The ACL of the VPN is:
access-list outside_cryptomap line 1 extended permit ip 100.104.0.0 255.255.255.0 Remote_network (hitcnt=195) 0x3119a0fa
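A checker for the two configuration pieces posted above (the `show nat` rules and the crypto-map ACE), added here as an example and not code from the thread or from Cisco: it expands each object, verifies that the mapped (post-NAT) source and destination of every rule fall inside the crypto ACL, and flags any rule whose real source is the ASA's own interface address, which is the rule with zero hits above. The bodies of red_interna and red_nat are taken from the first post; Remote_network is redacted on the page, so 10.0.0.0/15 is an assumed placeholder, and the set of ASA interface addresses is an assumption for the check.

```python
"""Check ASA twice-NAT rules against the crypto-map ACL (added example)."""
import ipaddress
import re

# Object definitions as posted in the thread. Remote_network is redacted on the page
# (X.X.0.0/15); 10.0.0.0/15 is an assumed placeholder for this example.
OBJECTS = {
    "firewall": "host 172.16.0.1",
    "fw_NAT": "host 100.104.0.1",
    "red_interna": "range 172.16.2.2 172.16.2.255",
    "red_nat": "range 100.104.0.2 100.104.0.255",
    "Remote_network": "subnet 10.0.0.0 255.254.0.0",
}

# "show nat" output copied from the thread (hit counters from the 06-25 post).
SHOW_NAT = """\
19 (inside) to (outside) source static firewall fw_NAT destination static Remote_network Remote_network net-to-net no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
20 (inside) to (outside) source static red_interna red_nat destination static Remote_network Remote_network net-to-net no-proxy-arp
    translate_hits = 152, untranslate_hits = 152
"""

CRYPTO_ACL = ("access-list outside_cryptomap line 1 extended permit ip "
              "100.104.0.0 255.255.255.0 Remote_network (hitcnt=195) 0x3119a0fa")

# Assumed: the ASA's own inside-interface address from the thread.
ASA_INTERFACE_IPS = {"172.16.0.1"}


def expand_object(name):
    """Return the list of networks an object (host / range / subnet) covers."""
    kind, *args = OBJECTS[name].split()
    if kind == "host":
        return [ipaddress.ip_network(args[0])]
    if kind == "subnet":
        return [ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)]
    if kind == "range":
        first, last = ipaddress.ip_address(args[0]), ipaddress.ip_address(args[1])
        return list(ipaddress.summarize_address_range(first, last))
    raise ValueError(f"unsupported object body: {OBJECTS[name]}")


NAT_RE = re.compile(
    r"^(?P<id>\d+) \((?P<src_if>[^)]+)\) to \((?P<dst_if>[^)]+)\) "
    r"source static (?P<real_src>\S+) (?P<mapped_src>\S+) "
    r"destination static (?P<real_dst>\S+) (?P<mapped_dst>\S+)"
)
HITS_RE = re.compile(r"translate_hits = (?P<t>\d+), untranslate_hits = (?P<u>\d+)")


def parse_show_nat(text):
    """Parse manual (twice) NAT lines plus their hit-counter line into dicts."""
    rules, current = [], None
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            current = {k: (int(v) if k == "id" else v) for k, v in m.groupdict().items()}
            rules.append(current)
            continue
        h = HITS_RE.search(line)
        if h and current is not None:
            current["translate_hits"] = int(h.group("t"))
            current["untranslate_hits"] = int(h.group("u"))
    return rules


def _take_addr(tokens, i):
    """Consume one ACE address spec at tokens[i]: any, host X, X MASK, or an object name."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if tok == "object":
        return expand_object(tokens[i + 1]), i + 2
    try:
        ipaddress.ip_address(tok)
    except ValueError:
        return expand_object(tok), i + 1          # bare object name
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def parse_crypto_acl(line):
    """Return (source networks, destination networks) of a 'permit ip' crypto ACE."""
    tokens = line.split()
    i = tokens.index("permit") + 2            # skip 'permit' and the protocol keyword
    src, i = _take_addr(tokens, i)
    dst, _ = _take_addr(tokens, i)
    return src, dst


def covered(networks, acl_networks):
    """True when every network is inside some network the ACE matches."""
    return all(any(n.subnet_of(a) for a in acl_networks) for n in networks)


def check(show_nat_text=SHOW_NAT, acl_line=CRYPTO_ACL, interface_ips=ASA_INTERFACE_IPS):
    """Per NAT rule: are its mapped addresses interesting traffic, and is its
    real source the firewall's own interface address?"""
    acl_src, acl_dst = parse_crypto_acl(acl_line)
    iface = {ipaddress.ip_network(ip) for ip in interface_ips}
    findings = []
    for r in parse_show_nat(show_nat_text):
        real_src = expand_object(r["real_src"])
        findings.append({
            "id": r["id"],
            "mapped_src_in_acl": covered(expand_object(r["mapped_src"]), acl_src),
            "mapped_dst_in_acl": covered(expand_object(r["mapped_dst"]), acl_dst),
            "real_src_in_acl": covered(real_src, acl_src),
            "src_is_asa_interface": any(n in iface for n in real_src),
            "translate_hits": r.get("translate_hits", 0),
        })
    return findings


if __name__ == "__main__":
    for finding in check():
        print(finding)
```

Running it prints one dict per rule. For the data in the thread both rules' mapped source and destination sit inside the crypto ACE (and neither real, untranslated source does), so the crypto ACL is not what separates rule 19 from rule 20; the only attribute that differs is that rule 19's real source is the firewall's own interface address.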
06-25-2024 05:10 AM
19 (inside) to (outside) source static firewall fw_NAT destination static Remote_network Remote_network net-to-net no-proxy-arp
translate_hits = 0, untranslate_hits = 0
This NAT is never hit.
The object network firewall and fw_NAT must contain host IPs, am I correct?
MHM
06-25-2024 05:17 AM
Yes, this NAT is never hit, I do not understand why. On the second one, all the traffic is from pings I made.
Yes the object are the following:
object network firewall
host 172.16.0.1
object network fw_NAT
host 100.104.0.1
06-28-2024 01:06 PM
Hi Friend
I did many tests in my lab.
Case1
10.0.0.0-ASA1-IPsec VPN-ASA2-20.0.0.0
VPC3 can ping the IN interface of ASA2 over IPsec when I run management-access IN.
Case2
10.0.0.0-ASA1-IPsec-ASA2-220.0.0.0 NAT to 20.0.0.0
VPC3 can ping VPC4 (static NAT 220.0.0.4 to 20.0.0.4), but
VPC3 cannot ping the ASA2 IN interface (static NAT 220.0.0.2 to 20.0.0.2).
I will try VTI and update you
MHM
07-01-2024 04:01 AM
Hello! Thank you again for your help.
I have checked again and now I see traffic on the NAT:
19 (inside) to (outside) source static firewall fw_NAT destination static Remote_network Remote_network net-to-net no-proxy-arp
translate_hits = 80, untranslate_hits = 80
20 (inside) to (outside) source static red_interna red_nat destination static Remote_network Remote_network net-to-net no-proxy-arp
translate_hits = 8, untranslate_hits = 8
I can ping from my server and see the other side of the VPN (not from the firewall).
On NAT 19, which is the one the SNMP should use, I see traffic. In the syslog I see how from the other side they make a UDP connection and it goes through the NAT.
6 | Jul 01 2024 | 12:56:37 | X.X.X.X | 19001 | 172.16.0.1 | 161 | Built inbound UDP connection 1024028 for outside:X.X.X.X/19001 (X.X.X.X/19001) to inside:172.16.0.1/161 (100.104.0.1/161) |
But again I check the SNMP and this traffic does not go through the VPN.
Any idea why this happens?
Thank you very much.
07-02-2024 03:12 AM
I get the same in my lab: I can NAT, but the traffic does not pass between the two peers over IPsec.
MHM