09-21-2015 03:44 AM
Hi all, I have an S2S VPN connection and I am performing NATing
10.0.0.0/16----- 47.73.223.250
by using access list
Extended IP access list 100
10 permit ip 10.0.0.0 0.0.255.255 145.230.12.0 0.0.0.255
And Overloaded to LoopBack1
interface Loopback1
ip address 47.73.223.250 255.255.255.255
end
ip-10-0-0-156#show run | inc ip nat
ip nat outside
ip nat inside
ip nat inside source list 100 interface Loopback1 overload
interface GigabitEthernet1
ip address dhcp
ip nat inside
negotiation auto
end
interface Tunnel1
ip address 169.254.249.50 255.255.255.255
ip nat outside
ip tcp adjust-mss 1387
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 85.205.30.148
tunnel protection ipsec profile ipsec-vpn-Vodafone-mgmtAWS-0
ip virtual-reassembly
end
NATing is working properly, but traffic after NATing to (47.73.223.250) is not entering the tunnel interface and the interface will go down.
Please advise and help ASAP.
09-21-2015 08:04 PM
configure the command "ip nat inside" on the loopback interface as well
09-22-2015 12:31 AM
I have added ip nat inside on the loopback as well.
Now the tunnel is showing down.
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 10.0.0.156 YES DHCP up up
Loopback1 47.73.223.250 YES manual up up
Tunnel1 169.254.249.50 YES manual up down
ip-10-0-0-156#
ip-10-0-0-156#Show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
85.205.30.148 10.0.0.156 QM_IDLE 1051 ACTIVE
ip-10-0-0-156#Show crypto ipsec sa peer 85.205.30.148
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 10.0.0.156
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 85.205.30.148 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.156, remote crypto endpt.: 85.205.30.148
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
and NAT-ing is also not working.
Please help.
09-23-2015 02:05 AM
Can anyone help or suggest?
09-23-2015 05:19 PM
Your phase2 is still not up; please capture the following debugs:
debug crypto condition peer ipv4 <peer ip>
debug crypto isakmp
debug crypto ipsec
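The state described in the last reply (ISAKMP SA at QM_IDLE and ACTIVE, but no IPsec SAs installed) can be read mechanically from the two show outputs posted earlier. The following Python check is an added example, not part of the original thread; the function names are hypothetical and the sample text is a constructed, abridged copy of the posted outputs.

```python
import re

# Constructed samples, abridged from the outputs posted in this thread.
ISAKMP_SA = """\
dst             src             state          conn-id status
85.205.30.148   10.0.0.156      QM_IDLE           1051 ACTIVE
"""
IPSEC_SA = """\
interface: Tunnel1
    current_peer 85.205.30.148 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    current outbound spi: 0x0(0)
    inbound esp sas:
    outbound esp sas:
"""

def phase1_up(isakmp_text, peer):
    """True if an ISAKMP SA to the peer is in QM_IDLE and ACTIVE."""
    for line in isakmp_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0] == peer and f[2] == "QM_IDLE" and f[4] == "ACTIVE":
            return True
    return False

def phase2_state(ipsec_text):
    """Extract outbound SPI, encaps/decaps counters and installed ESP SA count."""
    spi = re.search(r"current outbound spi:\s*(0x[0-9A-Fa-f]+)", ipsec_text)
    counters = {k: int(v) for k, v in
                re.findall(r"#pkts (encaps|decaps): (\d+)", ipsec_text)}
    # An installed SA prints its own "spi: 0x..." line under the "esp sas:" headers.
    esp_sas = re.findall(r"^\s*spi:\s*0x[0-9A-Fa-f]+", ipsec_text, re.M)
    return {"outbound_spi": int(spi.group(1), 16) if spi else 0,
            "encaps": counters.get("encaps", 0),
            "decaps": counters.get("decaps", 0),
            "esp_sa_count": len(esp_sas)}

def diagnose(isakmp_text, ipsec_text, peer):
    """Classify the tunnel from the two show outputs."""
    if not phase1_up(isakmp_text, peer):
        return "phase1-down"
    p2 = phase2_state(ipsec_text)
    if p2["outbound_spi"] == 0 or p2["esp_sa_count"] == 0:
        return "phase1-up/phase2-down"
    if p2["encaps"] == 0:
        return "phase2-up/no-traffic-encrypted"
    return "tunnel-passing-traffic"
```

For the outputs posted in this thread, diagnose() returns "phase1-up/phase2-down", which is the case the requested crypto debugs are meant to explain.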