09-04-2024 05:09 AM - edited 09-04-2024 05:15 AM
Hello everyone,
I am currently setting up an IPsec VPN between a Cisco router and a Bintec router, and I am running into a problem I cannot solve on my own.
The VPN tunnel seems to work correctly; it shows as "UP-Active" on both sides. However, traffic does not pass, and I cannot ping between the two subnets:
- When I try to ping from the Bintec site's subnet to the Cisco subnet, the ping fails (it is sent and I get the result, but apparently no reply).
- The ping in the other direction (from the Cisco subnet to the Bintec subnet) simply fails.
I have some suspicion that this could be related to a NAT configuration, but I am not sure. Here is what I have checked so far:
- The routes appear to be correctly configured on both routers.
- The ACLs/IPsec policies are in place and seem correct.
- I checked the NAT rules, and a priori they should not block the traffic.
- The VPN tunnel stays active, so the problem does not seem to come from IPsec itself.
I am asking the community for help in diagnosing this problem. Could someone offer their expertise or additional leads to move toward a solution?
Thank you very much for your help!
Labels: Routing Protocols, WAN
Accepted Solutions
09-05-2024 12:15 AM
Your NAT config is not correct.
You need to tune the ACL of NAT.
I see many overload NATs and many ACLs, why?
MHM
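As an added illustration of what "tune the ACL of NAT" means on Cisco IOS (constructed example with made-up addresses, not the poster's configuration; the ACL names VPN and NAT_EXCLUDE are the ones the poster mentions):

```cisco
! Constructed example, not the thread's configuration.
! Local LAN 192.168.10.0/24 behind the Cisco, remote (Bintec) LANs
! 192.168.20.0/24 and 192.168.21.0/24.
!
! --- Weak: overload NAT whose ACL also matches VPN-bound traffic ---
! A packet to 192.168.20.0/24 gets its source rewritten to the WAN address
! before crypto is evaluated, so it no longer matches the crypto ACL and
! never enters the tunnel; the far end sees nothing and no reply comes back.
ip access-list extended NAT_ALL
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT_ALL interface GigabitEthernet0/0 overload
!
! --- Corrected: deny the VPN subnet pairs before the catch-all permit ---
! Order matters: the deny lines must precede the permit, and one is needed
! per remote subnet when the far end carries several VLANs.
ip access-list extended NAT_EXCLUDE
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT_EXCLUDE interface GigabitEthernet0/0 overload
!
! The crypto ACL mirrors the denied pairs exactly (same subnets, same masks):
ip access-list extended VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.21.0 0.0.0.255
!
! Verification with the commands used in this thread: a ping from
! 192.168.10.x to 192.168.20.x should produce no "debug ip nat" line for
! that flow, and "#pkts encaps" / "#pkts decaps" in "show crypto ipsec sa"
! should both increase. To narrow the translation table to one LAN:
! show ip nat translations verbose | include 192.168.10.
```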
09-05-2024 12:25 AM
Hi,
I suspected the issue could be related to my ACLs or NAT. I've been thinking about it so much that I lost my critical sense and couldn't figure out where the problem was. As for the number of ACLs, there is one for each VLAN, as my network is segmented. Regarding the ACLs related to my VPN, it's VPN and NAT_EXCLUDE. There are several "deny" and "permit" rules because the Bintec router manages multiple VLANs with different IP addresses.
09-05-2024 12:43 AM
Don't worry, I will be with you.
Now:
Use an ACL that specifies the local and remote LAN.
Then use
debug ip nat <acl>
Do a ping from local to remote and see if the NAT debug shows anything.
MHM
09-05-2024 01:03 AM
Thank you,
When I apply the debug on the ACL that concerns my LAN to the Bintec network, nothing happens when I run a ping. I also tried the NAT_EXCLUDE and Standard 2 ACLs just to be sure, but still no output. The only thing I get is a ping with a Time Out.
09-05-2024 01:08 AM
On the remote site, we can see the outgoing information working, but nothing is coming back (in and out).
09-05-2024 01:11 AM
So you ran debug ip nat and nothing appeared?
Do
show crypto ipsec sa
Check the encryption and decryption counters.
MHM
09-05-2024 01:17 AM
When I ping from the Bintec to the Cisco, a tunnel is still created, but I don't receive anything back.
09-05-2024 01:23 AM
Friend, you are not answering me.
Did you run
debug ip nat
This is surely a NATing issue.
MHM
09-05-2024 01:25 AM
Device# show ip nat translations verbose
Use this command to see if the local LAN of the VPN is being NATted.
MHM
09-05-2024 02:59 AM
I'm facing some internal issues: someone in a higher position, who got a bit too curious, has tampered with the VPN. Now, it can't even connect to the Bintec anymore...
I just want to cry...
09-05-2024 04:22 AM
Now, even phase 1 isn't working anymore...
09-05-2024 04:37 AM
/757 <<- the remote peer is behind NAT.
Contact him.
MHM
09-05-2024 04:51 AM
I have an update: I have regained the "VPN Up-Active" status. I'm still facing the same issue, but I've managed to fix the changes made by my superior. I'm happy about that!
09-05-2024 05:11 AM
show ip nat translations verbose
Regarding this command, is there a way to filter exactly what we want to see? The router is functional and therefore generates a large amount of logs, which makes it difficult to read.