11-10-2011 08:15 AM
Hello, I have a curious issue with a VPN that I hope someone can shed some light on. I have a site-to-site VPN with one location having both overload and static NATs on the same interface as the VPN. I have connectivity and verified that the VPN is working.
The problem is when I try to access a host that has a static NAT from across the VPN, the traffic doesn't come across. I am assuming that the return packets are being translated and never arriving. Below are the relevant sections from both configs. If someone could let me know what I'm missing that would help me out of a pinch!
Thanks
GR (172.17.0.0/16)
crypto map GRO-ROO 1 ipsec-isakmp
set peer X.X.X.X
set transform-set CDHSET
match address 115
ip nat inside source route-map nonat interface BVI99 overload
ip nat inside source static 172.17.10.96 X.X.X.X (Public IP)
access-list 110 deny ip 172.17.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 110 deny ip host 172.17.10.96 any
access-list 110 deny ip host 172.17.10.71 any
access-list 110 deny ip host 172.17.10.60 any
access-list 110 deny ip host 172.17.10.51 any
access-list 110 deny ip host 172.17.10.76 any
access-list 110 deny ip host 172.17.10.94 any
access-list 110 deny ip host 172.17.10.77 any
access-list 110 deny ip host 172.17.10.72 any
access-list 110 deny ip host 172.17.10.53 any
access-list 110 deny ip host 172.17.10.56 any
access-list 110 permit ip 172.17.0.0 0.0.255.255 any
access-list 115 permit ip 172.17.0.0 0.0.255.255 172.18.0.0 0.0.255.255
route-map nonat permit 10
match ip address 110
RO (172.18.0.0/16)
crypto map GRO-ROO 1 ipsec-isakmp
set peer Y.Y.Y.Y
set transform-set CDHSET
match address 115
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 110 deny ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 172.18.0.0 0.0.255.255 any
access-list 115 permit ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
route-map nonat permit 10
match ip address 110
06-02-2014 05:44 PM
Hi Mike,
As per crypto access-list 115, I see the allowed source subnet is the actual LAN (172.17.x.x). One thing to note is that when you configure NAT for VPN traffic, one will have to use the NATed IP subnet as the source subnet in the crypto access-list, because the crypto access-list lookup happens after the NAT.
HTH,
Santhosh
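To make the order-of-operations point concrete for the GR config in the question, here is an added example (not configuration from the original post or the reply) showing the unconditional static NAT beside a version that exempts VPN-bound traffic from translation, so the packet still carries its 172.17.x.x source when the crypto map is consulted. It assumes the GR router shown above; X.X.X.X stays the post's placeholder for the public IP, and access-list 120 and route-map static-nonat are names chosen here, not from the post.

```cisco
! Added example, not configuration from the original post or the reply.
! Assumes the GR router (172.17.0.0/16) shown above; X.X.X.X remains the
! post's placeholder for the public IP. ACL 120 and route-map static-nonat
! are names chosen here, not from the post.
!
! --- As posted: the static translation has no condition ---
! Inside-to-outside NAT runs before the crypto map is consulted, so a packet
! from 172.17.10.96 to 172.18.0.0/16 leaves with source X.X.X.X, fails the
! source check in access-list 115 and is routed in the clear, not tunnelled.
ip nat inside source static 172.17.10.96 X.X.X.X
!
! --- Corrected: exempt VPN-bound traffic from the static translation ---
! route-map nonat cannot be reused here: access-list 110 already denies
! "host 172.17.10.96 any", so that route-map never permits this host and
! the static translation would then never be applied at all.
access-list 120 deny   ip host 172.17.10.96 172.18.0.0 0.0.255.255
access-list 120 permit ip host 172.17.10.96 any
route-map static-nonat permit 10
 match ip address 120
!
no ip nat inside source static 172.17.10.96 X.X.X.X
ip nat inside source static 172.17.10.96 X.X.X.X route-map static-nonat
!
! Internet-initiated connections to X.X.X.X: the route-map form of static
! NAT has a "reversible" keyword for outside-to-inside sessions; confirm on
! your IOS release whether it is needed before removing the original line.
!
! Checks (expected observations, not output quoted from the post):
! show ip nat translations | include 172.17.10.96
!   -> no translation entry for flows towards 172.18.x.x after the change
! show crypto ipsec sa peer X.X.X.X
!   -> #pkts encaps counter now increments for the 172.17.10.96 flow
```

The RO side needs no change with this approach, because the traffic arriving over the tunnel still matches its existing access-list 115 with the private source address.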