Re: RA VPN users can not ping remote LAN

From: Jian Gu (guxiaojian@gmail.com)
Date: Sun Jul 20 2008 - 05:55:33 ART


Hi, Christian,

Thank you very much for your detailed reply, please see inline. I did
have the configuration posted when replying to Tony's email, please check all
emails in this thread.
I will try your suggestions during next maintenance window.

Jian

On Sun, Jul 20, 2008 at 1:13 AM, Christian Zeng <christian@zengl.net> wrote:

> Hi,
>
> * Jian Gu wrote:
>
>> Interesting, my understanding of PIX configuration is that you configure NAT
>> on an interface that has a higher security level for traffic destined to a
>> lower security level. In my case the mpls interface security level is 90,
>> the outside interface security level is 0, by configuring NAT exemption on the mpls
>> interface, traffic sourced from private address space to RA VPN pool address
>> space will not be NATed and connections from RA VPN can be initiated. This is
>> exactly the same idea as configuring NAT exemption on the inside interface for
>> internal traffic and traffic to the RA VPN pool, which works fine.
>>
>
> Correct.
>
> Verify that this ACL contains *all* the subnets available behind this
> interface (including remote subnets).
>
> Other troubleshooting hints:
>
> - look for stale xlate entries (and do a clear xlate)
> - verify routing on both sides (again)
> - turn on reverse-route injection if you use addresses off an inside
> subnet, and advertise this towards the MPLS cloud if required
> - if you have "nat-control" enabled, turn it off if you don't need this
> behavior
> - remove the static identity nat entries posted earlier - if you use nat 0,
> there is no need for them
> - verify split tunnel acls (if any)
> - if you have RA crypto map acls, check if they include the remote site
> subnet - also, remove/disable the old L2L tunnel crypto map
> - if you have vpn-filter ACLs, add the remote subnet there
>
> If this leads to nothing, post your configs.
>
> HTH,
>
>
> Christian
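The checklist above describes one consistent end state on the firewall. The fragment below is an added illustration of that end state, not configuration posted by either participant in this thread. It assumes PIX 7.x / ASA 8.0 syntax and hypothetical names and addressing: interfaces inside (100), mpls (90) and outside (0), an inside subnet 10.1.0.0/16, remote subnets 10.2.0.0/16 and 10.3.0.0/16 reached through the MPLS cloud, an RA pool 192.168.100.0/24, and object names NONAT, SPLIT, RAFILTER, RAPOOL, DYN, OUTSIDE_MAP and RAUSERS.

```cisco
! Added example, not from the thread. All addresses and names are hypothetical.
!   inside  10.1.0.0/16                    security-level 100
!   mpls    10.2.0.0/16, 10.3.0.0/16       security-level 90 (behind the MPLS cloud)
!   outside                                security-level 0
!   RA pool 192.168.100.0/24
!
! 1. NAT exemption ACL: every subnet behind inside *and* mpls, paired with the pool.
!    A subnet missing here is NATed toward the pool and return traffic breaks.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.2.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.3.0.0 255.255.0.0 192.168.100.0 255.255.255.0
!
! 2. Apply the exemption on both higher-security interfaces. With nat 0 in place the
!    identity statics are redundant, so the (hypothetical) one below is removed.
nat (inside) 0 access-list NONAT
nat (mpls) 0 access-list NONAT
no static (mpls,outside) 10.2.0.0 10.2.0.0 netmask 255.255.0.0
!
! 3. Without nat-control, traffic that matches no NAT rule is forwarded untranslated.
no nat-control
!
! 4. Pool plus reverse-route injection, so the pool appears in the routing table and
!    can be redistributed toward the MPLS cloud if the remote side needs the route.
ip local pool RAPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
crypto dynamic-map DYN 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE_MAP interface outside
!
! 5. Split-tunnel list and vpn-filter must both include the remote subnets.
!    vpn-filter ACEs are written with the VPN client (pool) as the source.
access-list SPLIT standard permit 10.1.0.0 255.255.0.0
access-list SPLIT standard permit 10.2.0.0 255.255.0.0
access-list SPLIT standard permit 10.3.0.0 255.255.0.0
access-list RAFILTER extended permit ip 192.168.100.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list RAFILTER extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list RAFILTER extended permit ip 192.168.100.0 255.255.255.0 10.3.0.0 255.255.0.0
group-policy RAUSERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 vpn-filter value RAFILTER
```

After applying the NAT changes, run `clear xlate` so translations built under the old rules are dropped, then confirm with `show xlate` that no entry exists for traffic between the remote subnets and the pool, and with `show route` that the reverse-route entry for the pool is present.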

This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART