11-15-2016 11:46 PM
11-16-2016 01:52 AM
net-to-net is not required, but should not be an issue. Make sure your SA contains 192.168.199.1 (or the whole /24 depending on your configuration) using show crypto ipsec sa and check your translation table using show xlate to verify NAT is being applied.
You may also use the packet-tracer command to verify that your NAT rule matches for traffic from HOST_LAN to REMOTE_HOST.
Let me know the results and if you need anything else to track this down.
11-16-2016 10:19 AM
Hi kaisero,
Thanks for the answer.
On the VPN tunnel there will be only one host, 192.168.199.1, and not a subnet; the same goes for the remote network, where there will always be a single host on the tunnel.
Do you think that the NAT configuration is correct?
Thanks.
11-16-2016 10:27 AM
I'm also adding the SA configuration (the public IP is not the original one):
access-list OUTSIDE_cryptomap line 1 extended permit ip object LAN_NATTED object REMORE_HOST
group-policy GroupPolicy_8.8.8.8 internal
group-policy GroupPolicy_8.8.8.8 attributes
vpn-tunnel-protocol ikev2 ikev1
exit
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
default-group-policy GroupPolicy_8.8.8.8
tunnel-group 8.8.8.8 ipsec-attributes
ikev1 pre-shared-key **********
ikev2 remote-authentication pre-shared-key **********
ikev2 local-authentication pre-shared-key **********
isakmp keepalive threshold 10 retry 2
crypto ikev2 policy 1
group 2 5
encryption aes-256
crypto ikev2 policy 10
group 2 5
encryption aes-192
crypto ikev2 policy 20
group 2 5
encryption aes
crypto ikev2 policy 30
group 2 5
crypto ikev2 policy 40
group 2 5
encryption des
crypto ikev2 enable OUTSIDE
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer 8.8.8.8
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
nat (OUTSIDE,OUTSIDE) 6 source static LAN_NATTED LAN_NATTED destination static REMORE_HOST REMORE_HOST no-proxy-arp route-lookup
11-16-2016 10:33 AM
Your NAT statement does not match the one you posted earlier and is incorrect.
nat (OUTSIDE,OUTSIDE) 6 source static LAN_NATTED LAN_NATTED destination static REMORE_HOST REMORE_HOST no-proxy-arp route-lookup
Inbound interface should be inside, Original Source IP should be HOST_LAN and route-lookup is not required.
This should do the trick:
nat (INSIDE,OUTSIDE) 6 source static HOST_LAN LAN_NATTED destination static REMORE_HOST REMORE_HOST no-proxy-arp
11-16-2016 11:09 PM
I used the packet-tracer command to verify that the NAT rule matches:
ASA-D01# packet-tracer input LAN tcp 192.168.32.114 http 192.168.247.1 http
Result:
input-interface: LAN
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
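The following is an added example, not configuration from this thread or from Cisco: it puts the corrected twice-NAT rule from the accepted answer next to the crypto ACL, a route, and the show/packet-tracer commands used to verify the tunnel, so the whole chain that the replies above discuss piecemeal can be seen in one place. The object addresses are assumptions constructed from the addresses that appear in the thread (HOST_LAN 192.168.32.114, LAN_NATTED 192.168.199.1, REMORE_HOST 192.168.247.1); the next-hop is a placeholder; the hardened IKEv2/IPsec parameters assume an ASA 9.x release. Two caveats the packet-tracer result above points at: the drop reason "no-route" is raised by the route lookup before NAT or the crypto map is evaluated, so a route covering 192.168.247.1 out of the crypto-map interface (usually the default route) has to exist; and the packet-tracer input interface is named LAN while the suggested NAT rule uses INSIDE, so the rule must use whichever nameif the inside interface really carries.

```cisco
! Added example (not the thread's configuration). Object values are constructed
! from addresses seen in the thread and are assumptions; verify against your own.
object network HOST_LAN
 host 192.168.32.114
object network LAN_NATTED
 host 192.168.199.1
object network REMORE_HOST
 host 192.168.247.1
!
! Twice NAT: real ingress interface first (use the real nameif; packet-tracer
! above shows "LAN", so substitute that if no interface is named INSIDE),
! real source translated to the VPN-facing address, destination left as-is.
! No route-lookup: the mapped interface OUTSIDE decides the egress interface.
nat (INSIDE,OUTSIDE) 1 source static HOST_LAN LAN_NATTED destination static REMORE_HOST REMORE_HOST no-proxy-arp
!
! The crypto ACL is matched after NAT, so it must name the translated source.
access-list OUTSIDE_cryptomap extended permit ip object LAN_NATTED object REMORE_HOST
!
! A route to the remote host (normally the default route) must exist, otherwise
! packet-tracer drops with "no-route" before NAT or the crypto map is consulted.
route OUTSIDE 0.0.0.0 0.0.0.0 <OUTSIDE_NEXT_HOP_PLACEHOLDER> 1
!
! Hardened IKEv2 and IPsec parameters (assumes ASA 9.x; DH groups 19/20 and
! SHA-256 integrity are not available on older releases). Offer only these to
! the peer instead of the DES/3DES/MD5 entries in the original configuration.
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 19 20
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer 8.8.8.8
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_map interface OUTSIDE
crypto ikev2 enable OUTSIDE
!
! Verification, run from the ASA prompt after the change:
! packet-tracer input INSIDE tcp 192.168.32.114 12345 192.168.247.1 80 detailed
! show nat detail                     -> translate_hits on the rule should increment
! show xlate                          -> 192.168.32.114 to 192.168.199.1 entry present
! show crypto ikev2 sa                -> IKE SA established with 8.8.8.8
! show crypto ipsec sa peer 8.8.8.8   -> local ident 192.168.199.1/32, remote 192.168.247.1/32
```

In the packet-tracer output, the NAT phase should now report the rule above and the VPN phase should show the crypto map being applied; if the trace still stops at the route lookup, the routing table, not the NAT rule, is what needs attention.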