609 Views, 0 Helpful, 4 Replies

Site to Site VPN(VTI)

harish.pal (Level 1)

Hi all, I have an S2S VPN connection and I am performing NATing

10.0.0.0/16----- 47.73.223.250

by using the access list

Extended IP access list 100
    10 permit ip 10.0.0.0 0.0.255.255 145.230.12.0 0.0.0.255

and overloaded to Loopback1

interface Loopback1
 ip address 47.73.223.250 255.255.255.255
end


ip-10-0-0-156#show run | inc ip nat
 ip nat outside
 ip nat inside
ip nat inside source list 100 interface Loopback1 overload

interface GigabitEthernet1
 ip address dhcp
 ip nat inside
 negotiation auto
end

interface Tunnel1
 ip address 169.254.249.50 255.255.255.255
 ip nat outside
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 85.205.30.148
 tunnel protection ipsec profile ipsec-vpn-Vodafone-mgmtAWS-0
 ip virtual-reassembly
end

NATing is working properly, but traffic after NATing to (47.73.223.250) is not entering the tunnel interface, and the interface goes down.

Please advise and help ASAP.

4 Replies

pjain2 (Cisco Employee)

Configure the command "ip nat inside" on the loopback interface as well.

I have added ip nat inside on the loopback as well.

Now the tunnel is showing down:

Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       10.0.0.156      YES DHCP   up                    up
Loopback1              47.73.223.250   YES manual up                    up
Tunnel1                169.254.249.50  YES manual up                    down
ip-10-0-0-156#

ip-10-0-0-156#Show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
85.205.30.148   10.0.0.156      QM_IDLE           1051 ACTIVE

ip-10-0-0-156#Show crypto ipsec sa peer  85.205.30.148

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.156

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 85.205.30.148 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.156, remote crypto endpt.: 85.205.30.148
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

and NATing is also not working.

Please help.

Can anyone help or suggest?

Your phase 2 is still not up; please capture the following debugs:

debug crypto condition peer ipv4 <peer ip>

debug crypto isakmp 

debug crypto ipsec
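A small checker, added here as an example and not taken from the thread, that reads the indicators the last reply relies on (installed ESP SAs, current outbound SPI, encaps/decaps counters) out of `show crypto ipsec sa` text and reports why phase 2 is not up; the two sample outputs are constructed and abbreviated to the lines the checks read.

```python
import re

# Constructed samples. FAILING mirrors the thread's output: no ESP SAs, SPI 0x0, zero counters.
FAILING_OUTPUT = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""
# Constructed output of an established tunnel, for contrast.
HEALTHY_OUTPUT = """\
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
     current outbound spi: 0x1A2B3C4D(439041101)
     inbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
"""

def parse_ipsec_sa(text):
    """Pull the phase 2 health indicators out of one peer's 'show crypto ipsec sa' block."""
    fields = {"encaps": None, "decaps": None, "outbound_spi": None,
              "inbound_esp_sas": 0, "outbound_esp_sas": 0}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            fields[m.group(1)] = int(m.group(2))
        elif m := re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", line):
            fields["outbound_spi"] = int(m.group(1), 16)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = m.group(1) + "_" + m.group(2)  # each spi: under an esp header is one SA
        elif section in ("inbound_esp", "outbound_esp") and line.startswith("spi:"):
            fields[section + "_sas"] += 1
    return fields

def phase2_problems(fields):
    # Findings in order of severity; an empty list means phase 2 looks established.
    problems = []
    if fields["inbound_esp_sas"] == 0 or fields["outbound_esp_sas"] == 0:
        problems.append("no ESP SAs installed: phase 2 never completed")
    if not fields["outbound_spi"]:
        problems.append("outbound SPI is 0x0: no active outbound SA")
    if not fields["encaps"] and not fields["decaps"]:
        problems.append("zero encaps/decaps: nothing has entered or left the tunnel")
    elif not fields["encaps"]:
        problems.append("decaps but no encaps: local side is not routing into the tunnel")
    return problems
```

Run it against the pasted output of `show crypto ipsec sa peer <peer ip>`; if `phase2_problems` is empty but traffic still does not flow, the issue is routing or NAT rather than the IPsec negotiation.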