09-04-2024 05:09 AM - edited 09-04-2024 05:15 AM
Hello everyone,
I am currently setting up an IPsec VPN between a Cisco router and a Bintec router, and I am running into a problem that I cannot solve on my own.
The VPN tunnel seems to be working correctly; it shows as "UP-Active" on both sides. However, no traffic passes through it, and I cannot ping between the two subnets:
I have some suspicion that this could be related to a NAT configuration, but I am not certain. Here is what I have checked so far:
I am asking the community for help in diagnosing this problem. Could someone share their expertise or additional leads to move toward a solution?
Thank you very much for your help!
09-05-2024 12:15 AM
Your NAT config is not correct.
You need to tune the ACL of the NAT.
I see many overload NATs and many ACLs, why?
MHM
09-05-2024 12:25 AM
Hi,
I suspected the issue could be related to my ACLs or NAT. I've been thinking about it so much that I lost my critical sense and couldn't figure out where the problem was. As for the number of ACLs, there is one for each VLAN, as my network is segmented. Regarding the ACLs related to my VPN, it's VPN and NAT_EXCLUDE. There are several "deny" and "permit" rules because the Bintec router manages multiple VLANs with different IP addresses.
09-05-2024 12:43 AM
Don't worry, I will be with you.
Now
Use an ACL to specify the local and remote LAN.
Then use
debug ip nat <acl>
Do a ping from local to remote and see if the NAT debug shows anything.
MHM
09-05-2024 01:03 AM
Thank you,
When I apply the debug on the ACL that concerns my LAN to the Bintec network, nothing happens when I run a ping. I also tried the NAT_EXCLUDE and Standard 2 ACLs just to be sure, but still no output. The only thing I get is a ping with a Time Out.
09-05-2024 01:08 AM
On the remote site, we can see the outgoing information working, but nothing is coming back (in and out).
09-05-2024 01:11 AM
So run debug ip nat
Does nothing appear?
Do
show crypto ipsec sa
Check the encryption and decryption counters.
MHM
09-05-2024 01:17 AM
09-05-2024 01:23 AM
Friend, you are not answering me.
Did you run
debug ip nat
This is surely a NATing issue.
MHM
09-05-2024 01:25 AM
Device# show ip nat translations verbose
Use this command to see if the local LAN of the VPN is being NATed.
MHM
09-05-2024 02:59 AM
I'm facing some internal issues: someone in a higher position, who got a bit too curious, has tampered with the VPN. Now, it can't even connect to the Bintec anymore...
I just want to cry...
09-05-2024 04:22 AM
Now, even phase 1 isn't working anymore...
09-05-2024 04:37 AM
/757 <<- the remote peer is behind NAT
Contact him.
MHM
09-05-2024 04:51 AM
I have an update: I have regained the "VPN Up-Active" status. I'm still facing the same issue, but I've managed to fix the changes made by my superior. I'm happy about that!
09-05-2024 05:11 AM
show ip nat translations verbose
Regarding this command, is there a way to filter exactly what we want to see? The router is functional and therefore generates a large amount of logs, which makes it difficult to read.
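The NAT-exemption layout that MHM's advice points at, written out as an added example rather than the poster's or Cisco's own configuration: the subnets, the interface name and the standard ACL number 2 are assumed placeholders, while the ACL names VPN and NAT_EXCLUDE are the ones mentioned in the thread. It also shows how to scope the verification commands, including `show ip nat translations verbose`, to the VPN subnets with `| include`.

```cisco
! Added example (not the poster's configuration). Assumed values:
!   local LAN behind the Cisco router   192.168.10.0/24
!   remote VLANs behind the Bintec      192.168.20.0/24 and 192.168.30.0/24
!   outside interface                   GigabitEthernet0/0
!
! IOS applies inside-to-outside NAT before the crypto map is evaluated, so
! LAN-to-remote packets must be exempted from NAT; otherwise their translated
! source no longer matches the VPN ACL and they never enter the tunnel.
ip access-list extended NAT_EXCLUDE
 remark deny lines must come before the permit, or VPN traffic gets NATed
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
! One overload statement referencing that ACL covers the whole LAN
ip nat inside source list NAT_EXCLUDE interface GigabitEthernet0/0 overload
!
! Interesting-traffic ACL for the crypto map: the mirror image of the deny lines
ip access-list extended VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
! Standard numbered ACL used only to scope "debug ip nat"
access-list 2 permit 192.168.10.0 0.0.0.255
!
! --- Verification, run on the Cisco side ---
! Source the ping from the LAN address: a ping from the router's WAN IP never
! matches the VPN ACL and proves nothing about the tunnel.
ping 192.168.20.1 source 192.168.10.1
! encaps should rise with each ping; decaps rising means the reply came back
show crypto ipsec sa | include encaps|decaps
! Hit counts on the deny lines confirm the exemption is actually matching
show access-lists NAT_EXCLUDE
! Only translations toward the remote VLANs, instead of the whole table
show ip nat translations verbose | include 192.168.20.|192.168.30.
! Any line printed here means LAN-to-remote traffic is still being translated
debug ip nat 2
```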