
Tunnel IPSEC (UP-ACTIVE) But No Traffic (ping)

Thomas27100
Level 1

Hello everyone,

I am currently configuring an IPsec VPN between a Cisco router and a Bintec router, and I am running into a problem that I cannot solve on my own.

The VPN tunnel seems to work correctly; it is shown as "UP-Active" on both sides. However, traffic does not pass, and I cannot ping between the two subnets:

  • When I try to ping from the Bintec site's subnet to the Cisco subnet, the ping fails (it is sent and I get a result, but most likely no reply).
  • The ping in the other direction (from the Cisco subnet to the Bintec subnet) simply fails.

I have some suspicion that this could be related to the NAT configuration, but I am not certain. Here is what I have checked so far:

  • The routes seem to be configured correctly on both routers.
  • The ACLs/IPsec policies are in place and seem correct.
  • I checked the NAT rules and, a priori, they should not block the traffic.
  • The VPN tunnel stays active, so the problem does not seem to come from IPsec itself.

I am asking the community for help diagnosing this problem. Could someone share their expertise or additional leads to move toward a solution?

Thank you very much for your help!

52 Replies

Everything stays up and running properly, and the 90 address is the public IP of the Cisco router with its ISP.

[screenshot: Thomas27100_3-1725608709683.png]

[screenshot: Thomas27100_1-1725608192102.png]

And as we can see, everything comes in, but nothing goes out...

[screenshot: Thomas27100_2-1725608243806.png]

Friend, the VPN ACL has no matches, and the NAT ACL will have no matches at all??
Can I see show ip route?

MHM

No problem, here are the IP routes.

[screenshot: Thomas27100_0-1725609398447.png]

Can it be that the router shows no matches for the NAT and VPN ACLs and shows matches only for the security ACL?

Can you do this:

Remove ip nat outside from the interface and check ping.

If there are encrypt/decrypt counters in show ipsec sa, then

return ip nat outside under the interface,

and one by one remove the NAT commands to see which one affects IPsec.

MHM

By removing the ip nat outside command, encryption is happening (without finding the recipient, which is normal). Could you explain the next steps to follow?

[screenshot: Thomas27100_1-1725613046300.png]

ip nat inside source list NAT_EXCLUDE interface GigabitEthernet0/0/1 overload
ip nat inside source list 2 interface GigabitEthernet0/0/1 overload
ip nat inside source list 3 interface GigabitEthernet0/0/1 overload
ip nat inside source list 4 interface GigabitEthernet0/0/1 overload
ip nat inside source list 5 interface GigabitEthernet0/0/1 overload
ip nat inside source list 6 interface GigabitEthernet0/0/1 overload
ip nat inside source list 7 interface GigabitEthernet0/0/1 overload
ip nat inside source list 30 interface GigabitEthernet0/0/1 overload

These NATs are in your router.

Remove the first, check ping and show ipsec to see whether it has an effect; if not, return it and then remove the second, etc.

Do that until you see which NAT affects the IPsec. I would help you, but all the prefixes are 192.168.x, so I don't know what the prefix is.

It is easy to do by yourself: after you find the NAT that affects the IPsec, add

a deny for local LAN to remote LAN in the NAT ACL, and hopefully the issue will be solved.

MHM

I have identified the rule causing the issue between the two sites. Once that is done, what should I apply in the ACL?

Since it's a standard ACL, what should I do next?

"identified the rule" <<- can you elaborate more on this point?

Thanks 

MHM

ip nat inside source list 2 interface GigabitEthernet0/0/1 overload
ip nat inside source list 3 interface GigabitEthernet0/0/1 overload
ip nat inside source list 4 interface GigabitEthernet0/0/1 overload
ip nat inside source list 5 interface GigabitEthernet0/0/1 overload
ip nat inside source list 6 interface GigabitEthernet0/0/1 overload
ip nat inside source list 7 interface GigabitEthernet0/0/1 overload
ip nat inside source list NAT_EXCLUDE interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 90.X
!
!
ip access-list extended NAT_EXCLUDE
10 deny ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
20 deny ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip 192.168.12.0 0.0.0.255 any
40 permit ip 192.168.13.0 0.0.0.255 any
ip access-list extended VPN
10 permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ip access-list standard 2
10 permit 192.168.12.0 0.0.0.255
ip access-list standard 3
10 permit 192.168.13.0 0.0.0.255
ip access-list standard 4
10 permit 192.168.14.0 0.0.0.255
ip access-list standard 5
10 permit 192.168.15.0 0.0.0.255
ip access-list standard 6
10 permit 192.168.16.0 0.0.0.255
ip access-list standard 7
10 permit 192.168.17.0 0.0.0.255
ip access-list extended 100
10 deny tcp any any eq telnet
20 permit ip any any

 

I replaced the IPs with examples. The problematic one is the standard ACL 3; when I disable it, it at least allows me to encrypt the traffic.

This NAT with the ACL below:

ip access-list standard 3
10 permit 192.168.13.0 0.0.0.255

is not needed at all.

Why do you use it?

Delete it.

MHM
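The reason a standard NAT ACL breaks the tunnel even though the SA is up is order of operations: on a Cisco IOS router, inside-to-outside NAT is applied before the crypto map on the outside interface is consulted, so once 192.168.13.x has been translated to the public address it no longer matches the VPN crypto ACL and is never encrypted. The block below is an added example, not code from the thread or from Cisco: a small Python model of that ordering run over the ACLs posted above. It assumes first-match evaluation among the NAT statements in the order listed (a simplification of IOS behaviour) and uses 198.51.100.1 as a placeholder for the router's 90.x public address. Under that model standard ACL 2 creates the same overlap for 192.168.12.0/24, which the thread does not mention.

```python
"""Model of IOS inside->outside handling for NAT plus an IPsec crypto map.

Added example, not from the thread. Assumptions: NAT statements are tried in
the listed order with first match winning, and NAT runs before the crypto map,
so a translated source no longer matches the crypto ACL."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network       # ANY for standard ACL entries


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard 0.0.0.255 is the inverse of the mask (-> /24); contiguous only."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD | A) at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ANY, i + 1
    if t == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return wildcard_to_network(t, tokens[i + 1]), i + 2
    return ipaddress.IPv4Network(t + "/32"), i + 1


def parse_acl(text: str) -> list:
    """Parse entry lines of 'ip access-list standard|extended' (sequence numbers
    optional; extended entries limited to protocol 'ip')."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].isdigit():
            tokens = tokens[1:]
        action = tokens[0]
        if tokens[1] == "ip":                     # extended: permit ip SRC DST
            src, i = _parse_addr(tokens, 2)
            dst, _ = _parse_addr(tokens, i)
        else:                                     # standard: permit SRC, dst implicitly any
            src, _ = _parse_addr(tokens, 1)
            dst = ANY
        aces.append(Ace(action, src, dst))
    return aces


def acl_action(aces, src_ip, dst_ip) -> str:
    """First-match evaluation with the implicit deny at the end, as in IOS."""
    for ace in aces:
        if src_ip in ace.src and dst_ip in ace.dst:
            return ace.action
    return "deny"


def egress(src, dst, nat_rules, crypto_acl, public_ip):
    """Return (source seen on the wire, NAT rule applied or None, encrypted?)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    used = None
    for name, aces in nat_rules:                  # NAT is consulted before the crypto map
        if acl_action(aces, src, dst) == "permit":
            src, used = ipaddress.IPv4Address(public_ip), name
            break
    return str(src), used, acl_action(crypto_acl, src, dst) == "permit"


def _sample_host(net):
    return net[1] if net.num_addresses > 2 else net[0]


def nat_vpn_conflicts(nat_rules, crypto_acl):
    """Names of NAT ACLs that would translate a flow the crypto ACL is meant to
    encrypt. Checks one sample host per crypto entry: a linter, not a proof."""
    hits = []
    for ace in crypto_acl:
        if ace.action != "permit":
            continue
        s, d = _sample_host(ace.src), _sample_host(ace.dst)
        for name, aces in nat_rules:
            if acl_action(aces, s, d) == "permit" and name not in hits:
                hits.append(name)
    return hits


# ACLs as posted in the thread (the poster's example addresses).
VPN = parse_acl("""
10 permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
""")
NAT_EXCLUDE = parse_acl("""
10 deny ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
20 deny ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip 192.168.12.0 0.0.0.255 any
40 permit ip 192.168.13.0 0.0.0.255 any
""")
ACL2 = parse_acl("10 permit 192.168.12.0 0.0.0.255")
ACL3 = parse_acl("10 permit 192.168.13.0 0.0.0.255")
PUBLIC_IP = "198.51.100.1"   # placeholder for the router's 90.x address (assumption)

BROKEN = [("2", ACL2), ("3", ACL3), ("NAT_EXCLUDE", NAT_EXCLUDE)]   # as posted
FIXED = [("NAT_EXCLUDE", NAT_EXCLUDE)]   # standard lists removed; exclude list already covers both LANs

if __name__ == "__main__":
    print(egress("192.168.13.5", "192.168.1.10", BROKEN, VPN, PUBLIC_IP))
    print(egress("192.168.13.5", "192.168.1.10", FIXED, VPN, PUBLIC_IP))
    print(nat_vpn_conflicts(BROKEN, VPN), nat_vpn_conflicts(FIXED, VPN))
```

nat_vpn_conflicts() is the check to run before touching the router: every NAT ACL it names either needs a deny for the local-LAN to remote-LAN pair ahead of its permit, or should be removed when an exclude list such as NAT_EXCLUDE already handles that subnet. The egress() calls show the two states side by side: with list 3 present the 192.168.13.0/24 source is rewritten to the public address and the crypto ACL no longer matches; with only NAT_EXCLUDE the VPN flow is left untranslated and encrypted, while Internet-bound traffic from the same subnet is still translated.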

Good news: the VPN is now receiving and sending, but issues persist.

The first issue is that the ping still isn't working.

The second issue is that I'm unable to execute the command no ip nat inside source list 3 interface GigabitEthernet0/0/1 overload. I receive the error "%Dynamic mapping in use, cannot remove," even though the ACL no longer exists.

Update: The ping works from Bintec to Cisco, but not the other way around.

 

The ping should be OK.

Did you succeed in removing the NAT?

MHM

A PC connected to the Bintec network reaching Cisco is OK:

[screenshot: Thomas27100_2-1725621521568.png]

But a PC on the Cisco network reaching Bintec doesn't work:

[screenshot: Thomas27100_1-1725621435073.png]

And I didn't succeed in removing the NAT..

To remove dynamic NAT:

1- remove ip nat outside from the interface

2- clear NAT

3- remove the NAT with no ip nat inside source list ... etc.

4- add ip nat outside again under the interface

Do the above and check ping from the Cisco side.

MHM