Site-to-site VPN traffic is not passing for a particular host

Mohammad Zubair
Level 1

Hi Team,

Traffic from a particular host is not passing through the site-to-site VPN tunnel (please see the diagram).

From host 10.0.0.54 I am unable to ping destination 10.250.145.7 (site-to-site VPN tunnel).
From host 10.0.0.54 I am able to ping destination 192.168.10.31 (on the other site-to-site VPN tunnel).
From host 10.0.0.101 we are able to ping 10.250.145.7.
Please help me with this.
Thanks,
Zubair

Accepted Solution

Hi Mohammad,

You do have a "No NAT" statement for traffic going from 10.0.0.54 to 192.168.10.31; from packet-3.txt we can see the following:

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.10.0 obj-192.168.10.0 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.10.31/0 to 192.168.10.31/0

If you do not want to remove any NAT statement, there is a workaround as well. Create a specific NAT exemption statement for 10.0.0.54 when it wants to go to 10.250.145.6.

object network obj-10.0.0.54_32
 host 10.0.0.54
 
nat (inside,outside) 1 source static obj-10.0.0.54_32 obj-10.0.0.54_32 destination static Zayo_10.250.145.0 Zayo_10.250.145.0 no-proxy-arp route-lookup

You may see a warning after applying the NAT statement; you can ignore it.


9 Replies

mdussana
Level 1

Hi,

If you are on an ASA you should be able to use the packet-tracer command to help you troubleshoot and understand the flow of the traffic, since you say you have a specific NAT statement for 10.0.0.54.

Do:

packet-tracer input inside icmp 10.0.0.54 8 0 10.250.145.7 detailed
packet-tracer input inside icmp 10.0.0.101 8 0 10.250.145.7 detailed

Packet tracer will show you important information about those two flows: ACLs, NAT statements, VPN, route lookup.

Thanks for the support.

Yes, I have done that from ASDM. Please see the screenshot.

packet-tracer from ASDM:

source IP: 10.0.0.101, destination IP: 10.250.145.7

and with 10.0.0.54, destination IP 192.168.10.31.

Please find the output of both commands.

Hi Mohammad,

From packet-1.txt we are using the following NAT translation, where 10.0.0.54 will always be translated to 107.0.121.230. Since the ASA does NAT before VPN and 107.0.121.230 is not part of your encryption domain (I think), the VPN won't work.

nat (inside,outside) source static obj-10.0.0.54 obj-107.0.121.230
Additional Information:
Static translate 10.0.0.54/0 to 107.0.121.230/0

From packet-2.txt we are using a NAT exemption statement; since NAT happens before VPN, we match our encryption domain and the packet uses the VPN tunnel.

nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static Zayo_10.250.145.0 Zayo_10.250.145.0 no-proxy-arp route-lookup description Zayo-To-PCC

So, if you want to ping from 10.0.0.54 to 10.250.145.7 your NAT exemption statement needs to match first.

Putting your NAT exemption at the top should fix your issue:

no nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static Zayo_10.250.145.0 Zayo_10.250.145.0 no-proxy-arp route-lookup description Zayo-To-PCC
!
nat (inside,outside) 1 source static obj-10.0.0.0 obj-10.0.0.0 destination static Zayo_10.250.145.0 Zayo_10.250.145.0 no-proxy-arp route-lookup description Zayo-To-PCC
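To make the ordering argument above (and the host-specific exemption in the accepted solution) concrete, here is an added example, not part of the thread or of any Cisco tooling: a small Python model of first-match manual NAT followed by a crypto ACL check on the post-NAT source. The /24 masks on obj-10.0.0.0 and Zayo_10.250.145.0 and the crypto ACL itself are assumptions.

```python
import ipaddress

# Constructed model (assumption): the ASA walks section-1 manual NAT rules
# top-down and the first rule whose source and destination both match wins.
# IPsec is applied after NAT, so the crypto ACL sees the translated source.

def rule(src, dst, mapped_src):
    """(source, destination, translated source) as ip_network objects;
    an identity rule (mapped_src == src) is a NAT exemption."""
    n = ipaddress.ip_network
    return (n(src), n(dst), n(mapped_src))

def apply_nat(rules, src_ip, dst_ip):
    """Return the source address after the first matching rule."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, mapped in rules:
        if s in src_net and d in dst_net:
            # static one-to-one: keep the host offset inside the mapped object
            offset = int(s) - int(src_net.network_address)
            return str(ipaddress.ip_address(int(mapped.network_address) + offset))
    return src_ip  # no manual NAT rule matched: address unchanged

def uses_tunnel(crypto_acl, rules, src_ip, dst_ip):
    """True if the post-NAT packet falls inside the encryption domain."""
    post_nat_src = apply_nat(rules, src_ip, dst_ip)
    s, d = ipaddress.ip_address(post_nat_src), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in crypto_acl)

# Assumed encryption domain of the Zayo tunnel: 10.0.0.0/24 <-> 10.250.145.0/24
CRYPTO_ACL = [(ipaddress.ip_network("10.0.0.0/24"),
               ipaddress.ip_network("10.250.145.0/24"))]

STATIC_54 = rule("10.0.0.54/32", "0.0.0.0/0", "107.0.121.230/32")    # obj-10.0.0.54 -> obj-107.0.121.230
EXEMPT_ZAYO = rule("10.0.0.0/24", "10.250.145.0/24", "10.0.0.0/24")  # obj-10.0.0.0 <-> Zayo_10.250.145.0
EXEMPT_54 = rule("10.0.0.54/32", "10.250.145.0/24", "10.0.0.54/32")  # obj-10.0.0.54_32 workaround

ORIGINAL_ORDER = [STATIC_54, EXEMPT_ZAYO]        # static rule hit first (packet-1.txt)
REORDERED = [EXEMPT_ZAYO, STATIC_54]             # exemption moved to "nat ... 1"
WORKAROUND = [EXEMPT_54, STATIC_54, EXEMPT_ZAYO]  # host-specific exemption at the top

if __name__ == "__main__":
    for name, order in [("original", ORIGINAL_ORDER), ("reordered", REORDERED),
                        ("workaround", WORKAROUND)]:
        for host in ("10.0.0.54", "10.0.0.101"):
            print(f"{name:10} {host:11} -> src {apply_nat(order, host, '10.250.145.7'):15} "
                  f"tunnel={uses_tunnel(CRYPTO_ACL, order, host, '10.250.145.7')}")
```

Run it and the original order shows 10.0.0.54 leaving as 107.0.121.230 and missing the tunnel while 10.0.0.101 matches, exactly the asymmetry reported in the question.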

Dear mdussana,

Thanks for the reply.

The present tunnel is up and the ASA is in production.

Do I have to directly remove the present NAT statement, and then execute the above statement (as you mentioned above)?

Question: as in my question, from the source (10.0.0.54) to destination 192.168.10.31 (other site-to-site VPN tunnel) I am able to ping.

     a) I have not seen any "no nat" statement in the running configuration file.

Details: Cisco ASA 5524 version 9.2.

Thanks,

Zubair Mohammad.


Dear mdussana,

My firewall:

Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3).

I think the "no nat" statement won't work?


Hello mdussana,

Thanks for your support.

As I went through the configuration in Manual NAT Policies, I moved the rule from 122 to 35.

I moved this rule above:

nat (inside,outside) source static obj-10.0.0.54 obj-107.0.121.230
nat (inside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static Zayo_10.250.145.0 Zayo_10.250.145.0 no-proxy-arp route-lookup description Zayo-To-PCC

The issue is resolved and I am able to ping from 10.0.0.54 to 10.250.145.7.

Once again, thanks for your support.

I am able to communicate from source 10.0.0.54 to destination 192.168.10.31 (it's a different site-to-site VPN tunnel).

Please find the output of the command:

packet-tracer input inside icmp 10.0.0.54 8 0 192.168.10.31 detailed