Re: RA VPN users can not ping remote LAN

From: Christian Zeng (christian@zengl.net)
Date: Sun Jul 20 2008 - 05:13:26 ART


Hi,

* Jian Gu wrote:
> Interesting, my understanding of PIX configuration is that you configure NAT
> on an interface that has higher security level for traffic destined to
> lower security level. In my case mpls interface security level is 90,
> outside interface security level is 0, by configuring NAT exemption on mpls
> interface, traffic sourced from private address space to RA VPN pool address
> space will not be NATed and connection from RA VPN can be initiated. This is
> exactly the same idea of configuring NAT exemption on inside interface for
> internal traffic and traffic to RA VPN pool, which works fine.

Correct.

Verify if this acl contains *all* the subnets available behind this
interface (including remote subnets).

Other troubleshooting hints:

- look for stale xlate entries (and do a clear xlate)
- verify routing on both sides (again)
- turn on reverse-route injection if you use addresses off an inside
subnet, and advertise this towards the MPLS cloud if required
- if you have "nat-control" enabled, turn it off if you don't need this behavior
- remove the static identity nat entries posted earlier - if you use nat
0, there is no need for them
- verify split tunnel acls (if any)
- if you have RA crypto map acls, check if they include the remote site
subnet - also, remove/disable the old L2L tunnel crypto map
- if you have vpn-filter ACLs, add the remote subnet there

If this leads to nothing, post your configs.

HTH,

Christian
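As an added illustration of the checklist above (this fragment is not part of Christian's message and not the original poster's configuration), here is what the relevant pieces look like in PIX 7.x / ASA syntax. Interface names follow the thread (mpls at security-level 90, outside at 0); the subnets 10.10.0.0/16 (behind mpls), 10.1.0.0/16 (inside), the pool 192.168.200.0/24 and all object names are assumed for the example.

```cisco
! Assumed RA VPN address pool
ip local pool RA_POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0

! NAT exemption (nat 0) on the mpls interface: the ACL must list *every*
! subnet reachable behind mpls, including remote MPLS sites, towards the pool.
access-list MPLS_NONAT extended permit ip 10.10.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list MPLS_NONAT extended permit ip 10.20.0.0 255.255.0.0 192.168.200.0 255.255.255.0
nat (mpls) 0 access-list MPLS_NONAT

! Same idea on inside (the part that already works in the thread)
access-list INSIDE_NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT

! With nat 0 in place the static identity entries are redundant; remove them.
! Example of what to take out (assumed form):
!   no static (mpls,outside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0

! Only keep nat-control if you rely on "no translation = no traffic" behavior
no nat-control

! Reverse route injection: the pool route is installed when a client connects,
! so it can be redistributed towards the MPLS cloud if the remote sites need it.
crypto dynamic-map RA_DYN 10 set transform-set ESP-AES-SHA
crypto dynamic-map RA_DYN 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside

! Split tunnel ACL: the remote site subnet must be listed or the client
! will not send that traffic into the tunnel at all.
access-list SPLIT_ACL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_ACL standard permit 10.10.0.0 255.255.0.0

! vpn-filter ACL is written with the client pool as source and the local
! networks as destination; add the remote subnet here as well.
access-list RA_FILTER extended permit ip 192.168.200.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list RA_FILTER extended permit ip 192.168.200.0 255.255.255.0 10.10.0.0 255.255.0.0

group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 vpn-filter value RA_FILTER

! Checks: stale translations and the route the client should have injected
clear xlate
show xlate
show route | include 192.168.200
```

The first two items to check are the nat 0 ACLs and the xlate table: if a translation for a remote-site host was built before the exemption ACL was complete, `clear xlate` is what makes the new exemption take effect. The crypto map and transform-set lines are assumed names only; the point of the block is which ACL needs which subnet.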



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART