Hi, Im trying to set up a VPN site to site from a source subnet /24 to be translated (PAT) using a single public IP
so the local subnet can reach the destination subnet
site B is not using PAT, instead, they are using static nat
the tunnel is up when I generate traffic from the source LAN, but I cannot ping to the other site
could you please help me to identify what could be the culprit cause surely Im missing something in my access list or NAT statement from the other end
Im going to put the config of the objects and access list cause the tunnel is up, so its irrelevant I think
SITE A config from ASA
object-group network PRIVATE-NETWORK
Description Local Networks
network-object 192.168.10.0 255.255.255.0
exit
!
object network VPN-PAT
host 203.0.113.30
exit
!
object-group network DESTINATION-NETWORK
Description Destination NETWORKS
network-object 192.168.20.0 255.255.255.0
exit
!
-=======
nat (INSIDE,OUTSIDE) source dynamic PRIVATE-NETWORK VPN-PAT destination static DESTINATION-NETWORK DESTINATION-NETWORK
CRYPTO ACL ON ASA1:
access-list crypto-acl-lan1 extended permit ip object VPN-PAT object-group DESTINATION-NETWORK
ACCESS-LIST ON ASA1
access-list INSIDE_access_in_1 line 1 extended permit ip object-group PRIVATE-NETWORK object-group DESTINATION-NETWORK
============================================
SITE B:
object-group network LOCAL-DATA
Description DATA Networks
network-object 192.168.20.0 255.255.255.0
exit
!
object network REMOTE-PUBLIC-PAT-IP
host 203.0.113.30
exit
!
object-group network DESTINATION_NETWORK
Description Destination NETWORKS
network-object 192.168.10.0 255.255.255.0
exit
!
-=======
nat (INSIDE,OUTSIDE) source static LOCAL-DATA LOCAL-DATA destination static DESTINATION_NETWORK REMOTE-PUBLIC-PAT-IP
CRYPTO ACL ON SITE B:
access-list crypto-acl-lan extended permit ip object-group LOCAL-DATA object REMOTE-PUBLIC-PAT-IP
ACCESS-LIST ON SITE B:
access-list INSIDE_access_in_1 line 1 extended permit ip object-group LOCAL-DATA object-group DESTINATION_NETWORK
===============================================================
TUNNEL IS UP AS YOU CAN SEE on site A, same is true on site B
ASA1# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
ASA1#
show crypto ipsec sa on site A as well as site B
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
SITE B:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
DEBUG ICMP ON ASA1
ICMP echo request translating INSIDE:192.168.20 to OUTSIDE:203.0.113.30
ICMP echo request from INSIDE:192.168.10.20 to OUTSIDE:10.238.45.160 ID=1 seq=6 len=32
ICMP echo request translating INSIDE:192.168.10.20 to OUTSIDE:203.0.113.30
ICMP echo request from INSIDE:192.168.10.20 to OUTSIDE:10.238.45.160 ID=1 seq=7 len=32
ICMP echo request translating INSIDE:192.168.10.20 to OUTSIDE:203.0.113.30
ICMP echo request from INSIDE:192.168.10.20 to OUTSIDE:10.238.45.160 ID=1 seq=8 len=32
ICMP echo request translating INSIDE:192.168.10.20 to OUTSIDE:203.0.113.30
PACKET TRACERT INPUT ON ASA 1 SITE A:
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
PACKET TRACERT INPUT ON SITE B:
Result:
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
ASA2#
could you please help me to tell me what is happening and if Im missing something on the access list or NAT on site B?
what would be the correct statement command
Regards,
