09-04-2024 05:09 AM - edited 09-04-2024 05:15 AM
Hello everyone,
I am currently setting up an IPsec VPN between a Cisco router and a Bintec router, and I am running into a problem that I cannot solve on my own.
The VPN tunnel seems to work correctly; it shows as "UP-Active" on both sides. However, traffic does not pass, and I cannot ping between the two subnets:
I suspect this could be related to the NAT configuration, but I am not sure. Here is what I have checked so far:
I am asking the community for help diagnosing this problem. Could someone share their expertise or give me further leads toward a solution?
Thank you very much for your help!
09-05-2024 12:15 AM
Your NAT config is not correct.
You need to tune the ACL of the NAT.
I see many overload NATs and many ACLs, why?
MHM
09-05-2024 12:25 AM
Hi,
I suspected the issue could be related to my ACLs or NAT. I've been thinking about it so much that I lost my critical sense and couldn't figure out where the problem was. As for the number of ACLs, there is one for each VLAN, as my network is segmented. Regarding the ACLs related to my VPN, it's VPN and NAT_EXCLUDE. There are several "deny" and "permit" rules because the Bintec router manages multiple VLANs with different IP addresses.
09-05-2024 12:43 AM
Don't worry, I will be with you.
Now
Use an ACL to specify the local and remote LAN.
Then use
debug ip nat <acl>
Do a ping from local to remote and see if the NAT debug shows anything.
MHM
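The NAT exemption point raised above comes down to ACL ordering on the Cisco side: inside-to-outside NAT runs before the crypto map is consulted, so LAN-to-LAN traffic must hit a `deny` in the NAT ACL before any `permit`, otherwise it leaves with the public source address and no longer matches the crypto ACL. The following added example (editor's illustration, not configuration from this thread or from Cisco) models that first-match evaluation in Python; the subnets, public address and ACL contents are constructed placeholders, not the poster's.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# An access-control entry: (action, source network, destination network).
# Constructed to mirror an extended ACL with first-match semantics and an implicit deny.
ACE = Tuple[str, str, str]

# Constructed placeholders: the poster's real addressing is not shown in the thread.
LOCAL_LAN = "192.168.10.0/24"      # LAN behind the Cisco router
REMOTE_LAN = "10.20.0.0/16"        # LAN behind the Bintec peer
OUTSIDE_IP = "203.0.113.10"        # Cisco outside interface used for PAT (overload)

# Correct NAT ACL: exempt VPN traffic first, then translate everything else.
CORRECT_NAT_ACL: List[ACE] = [
    ("deny", LOCAL_LAN, REMOTE_LAN),
    ("permit", LOCAL_LAN, "0.0.0.0/0"),
]

# Misordered NAT ACL: the permit shadows the deny, so VPN traffic gets translated.
MISORDERED_NAT_ACL: List[ACE] = [
    ("permit", LOCAL_LAN, "0.0.0.0/0"),
    ("deny", LOCAL_LAN, REMOTE_LAN),
]

# Crypto ACL: what the IPsec tunnel is willing to encrypt.
CRYPTO_ACL: List[ACE] = [("permit", LOCAL_LAN, REMOTE_LAN)]


def first_match(acl: List[ACE], src: str, dst: str) -> Optional[str]:
    """Return the action of the first ACE matching (src, dst); None means the implicit deny."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return None


def is_translated(nat_acl: List[ACE], src: str, dst: str) -> bool:
    """In a NAT ACL, 'permit' means translate; 'deny' or no match leaves the packet untouched."""
    return first_match(nat_acl, src, dst) == "permit"


def is_encrypted(crypto_acl: List[ACE], src: str, dst: str) -> bool:
    """The crypto ACL is evaluated on the packet as it looks after NAT."""
    return first_match(crypto_acl, src, dst) == "permit"


def forward(nat_acl: List[ACE], crypto_acl: List[ACE], src: str, dst: str,
            outside_ip: str) -> Dict[str, object]:
    """Model the IOS order of operations on the outside interface:
    inside-to-outside NAT happens before the crypto map sees the packet."""
    translated = is_translated(nat_acl, src, dst)
    post_nat_src = outside_ip if translated else src
    encrypted = is_encrypted(crypto_acl, post_nat_src, dst)
    return {"translated": translated, "post_nat_src": post_nat_src, "encrypted": encrypted}


if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_NAT_ACL), ("misordered", MISORDERED_NAT_ACL)):
        print(name, forward(acl, CRYPTO_ACL, "192.168.10.5", "10.20.1.1", OUTSIDE_IP))
    print("internet", forward(CORRECT_NAT_ACL, CRYPTO_ACL, "192.168.10.5", "198.51.100.1", OUTSIDE_IP))
```

With the correct ordering, a LAN-to-LAN packet is left untranslated and matches the crypto ACL; with the misordered ACL it is translated to the outside address, misses the crypto ACL and goes out in the clear toward the Internet, which is exactly the "tunnel up but no traffic" symptom. `debug ip nat` or `show ip nat translations` revealing entries whose destination is the remote LAN is the observable sign of this mistake.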
09-05-2024 01:03 AM
Thank you,
When I apply the debug on the ACL that concerns my LAN to the Bintec network, nothing happens when I run a ping. I also tried the NAT_EXCLUDE and Standard 2 ACLs just to be sure, but still no output. The only thing I get is a ping with a Time Out.
09-05-2024 01:08 AM
On the remote site, we can see the outgoing information working, but nothing is coming back (in and out)
09-05-2024 01:11 AM
So run debug ip nat.
Does nothing appear?
Do
show crypto ipsec sa
Check the encryption and decryption counters.
MHM
09-05-2024 01:17 AM
09-05-2024 01:23 AM
Friend, you are not answering me.
Did you run
debug ip nat
This is surely a NATing issue.
MHM
09-05-2024 01:25 AM
Device# show ip nat translations verbose
Use this command to see if the local LAN of the VPN is being NATed.
MHM
09-05-2024 02:59 AM
I'm facing some internal issues: someone in a higher position, who got a bit too curious, has tampered with the VPN. Now, it can't even connect to the Bintec anymore...
I just want to cry...
09-05-2024 04:22 AM
Now, even phase 1 isn't working anymore...
09-05-2024 04:37 AM
/757 <<- the remote peer is behind NAT
Contact him
MHM
09-05-2024 04:51 AM
I have an update: I have regained the "VPN Up-Active" status. I'm still facing the same issue, but I've managed to fix the changes made by my superior. I'm happy about that!
09-05-2024 05:11 AM
show ip nat translations verbose
Regarding this command, is there a way to filter exactly what we want to see? The router is functional and therefore generates a large amount of logs, which makes it difficult to read.
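On the router itself, IOS output modifiers (`show ip nat translations | include 192.168.10.`) narrow the listing to one subnet. When the output has already been pasted into a ticket or captured by a script, the following added example (editor's illustration, not code from this thread or from Cisco) parses it offline and answers the question that matters for this fault: which translations have the remote VPN LAN as their destination and therefore should have been exempted from NAT. The sample output is constructed to approximate the `show ip nat translations verbose` layout; the addresses are placeholders, not the poster's.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample approximating IOS "show ip nat translations verbose" output.
# Entry lines start with the protocol; indented lines carry timers and flags for the entry above.
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.10:1025     192.168.10.5:1025     198.51.100.1:443      198.51.100.1:443
    create 00:01:12, use 00:00:03 timeout:86400000, left 23:59:56, Map-Id(In): 1,
    flags: extended, use_count: 0, entry-id: 5, lc_entries: 0
udp 203.0.113.10:53012    192.168.20.7:53012    198.51.100.53:53      198.51.100.53:53
    create 00:00:40, use 00:00:40 timeout:300000, left 00:04:20, Map-Id(In): 1,
    flags: extended, use_count: 0, entry-id: 6, lc_entries: 0
icmp 203.0.113.10:1       192.168.10.5:1        10.20.1.1:1           10.20.1.1:1
    create 00:00:02, use 00:00:02 timeout:60000, left 00:00:58, Map-Id(In): 1,
    flags: extended, use_count: 0, entry-id: 7, lc_entries: 0
Total number of translations: 3
"""

KNOWN_PROTOS = {"tcp", "udp", "icmp", "---"}


def _host(token: str) -> Optional[str]:
    """Strip the :port suffix from 'a.b.c.d:port'; static entries may show '---' with no address."""
    if token == "---":
        return None
    return token.rsplit(":", 1)[0]


def parse_nat_translations(output: str) -> List[Dict[str, Optional[str]]]:
    """Turn the text listing into one dict per translation, with continuation lines folded in."""
    entries: List[Dict[str, Optional[str]]] = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Pro "):
            continue  # blank line or column header
        if line[0].isspace():
            # Indented detail line (timers, flags, entry-id) belongs to the previous entry.
            if entries:
                entries[-1]["details"] = (entries[-1]["details"] or "") + " " + line.strip()
            continue
        parts = line.split()
        if len(parts) < 5 or parts[0] not in KNOWN_PROTOS:
            continue  # e.g. the trailing "Total number of translations" line
        proto, ig, il, ol, og = parts[:5]
        entries.append({
            "proto": proto,
            "inside_global": _host(ig),
            "inside_local": _host(il),
            "outside_local": _host(ol),
            "outside_global": _host(og),
            "details": "",
        })
    return entries


def in_net(addr: Optional[str], net: str) -> bool:
    """True when addr is an address inside the given prefix."""
    return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def entries_for_inside_subnet(output: str, subnet: str) -> List[Dict[str, Optional[str]]]:
    """Filter by the inside-local address: the VLAN you are troubleshooting."""
    return [e for e in parse_nat_translations(output) if in_net(e["inside_local"], subnet)]


def translated_toward_remote_lan(output: str, remote_lan: str) -> List[Dict[str, Optional[str]]]:
    """Translations whose destination is the VPN peer's LAN.
    Any hit here is traffic that the NAT exemption ACL should have denied."""
    return [e for e in parse_nat_translations(output) if in_net(e["outside_global"], remote_lan)]


if __name__ == "__main__":
    for e in entries_for_inside_subnet(SAMPLE_OUTPUT, "192.168.10.0/24"):
        print("VLAN10:", e["proto"], e["inside_local"], "->", e["outside_global"])
    for e in translated_toward_remote_lan(SAMPLE_OUTPUT, "10.20.0.0/16"):
        print("NATed toward VPN peer (should be exempt):", e["proto"], e["inside_local"], e["details"])
```

In the constructed sample, the ICMP entry toward 10.20.1.1 is the tell-tale: a ping to the remote LAN has been translated to the outside address, so it will never match the crypto ACL and the reply can never come back, which matches the timeouts described in the thread.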