Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1736
Views
0
Helpful
19
Replies

Site to Site VPN with PAT option working fine as initiator, but not working as a responder

Vinay Harish
Level 1
Level 1

‎08-24-2013 12:03 AM

Hi All,

      If any of you have come across an issue of this sort, request your help here.  I have configured a S2S VPN on ASA 5550 version 8.1(4) IOS.  Everything works fine when I generate the traffic towards the customer end.  I have configured the S2S VPN with PAT configured, so that when traffic leaves my firewall it would get PATed to a public ip and then goes out.

   I was recently assigned with another addition to this, where in I was asked to have the S2S VPN up and running when the customer initiates the traffic to our end.  I did the normal configuration where in I did use the Static NAT to PAT translation where in the tunnel came up, but no traffic seems to go through the tunnel. 

     If any one can help me with the configuration I can have a check on the same to sort out the issue. 

Thanks & Regards

   Vinay Harish

Labels:
0 Helpful
19 Replies 19

Santhosha Shetty
Cisco Employee
Cisco Employee
In response to Vinay Harish

‎08-29-2013 05:56 AM

Hi Vinay,

Please send me "sh run " as private message, it should be fine.

Thanks

0 Helpful

Santhosha Shetty
Cisco Employee
Cisco Employee
In response to Santhosha Shetty

‎08-30-2013 12:01 AM

Hi Vinay,

I have figured out the problem, since dynamic nat rule is placed above the new static rule we have configured ,the new NAT rule is never been hit by new NAT rule. Please re-arrange the NAT rules as described below:

******************

object network DevTestServer

no nat (BlueYellowRed,Outside) static 115.X.X.130 service tcp 1XX39 1XX39 //** remove th new nat rule that already been configured.

+Create a object service for the static NAT port:

object service O-1xx39

service tcp source eq 1xx39

+Remove the dynamic nat rule that pre-exist:

no nat (BlueYellowRed,Outside) source dynamic INDIA obj-115.X.X.130 destination static SCE SCE

+Configure new static port NAT rule:

nat (BlueYellowRed,Outside) source static DevTestServer obj-115.254.8.130 destination static SCE SCE service O-1xx39 O-1xx39

+Configure the dynamic PAT rule:

nat (BlueYellowRed,Outside) source dynamic INDIA obj-115.X.X.130 destination static SCE SCE

This was if you check "sh nat detail" , you will see static rule placed above dynamic rule and it should work as per your requirement.

Configure the same , verify packet-tracer.

Thanks

0 Helpful

Vinay Harish
Level 1
Level 1
In response to Santhosha Shetty

‎08-30-2013 12:05 AM

Thanks Santhosha for the reply, let me have a check configuring the same and would get back to you.

0 Helpful

Santhosha Shetty
Cisco Employee
Cisco Employee
In response to Vinay Harish

‎09-02-2013 08:34 AM

Hi Vinay,

Can you update on this issue? Did it work?

0 Helpful

Vinay Harish
Level 1
Level 1
In response to Santhosha Shetty

‎09-03-2013 12:13 AM

Hi Santhosha,

            Actually we need to go through process before we implement any change, this normally can happen only on a weekend if we have all approvals in place.  So, I have not yet got the time window for the change as such till now and following up on the same.. So, would surely update it on the same to you.  Thanks for the details Santhosha.. Myself looking forward on this change as well..

0 Helpful
Customers Also Viewed These Support Documents