Is this a lab environment or production? When you do a 'show nat', do you
have the translate hits? How about 'show xlate'? Can you also post 'show run
static', 'show run nat', and 'show run global' and their associated ACLs?
-ryan
From: Sathishkumar [mailto:sat.work_at_gmail.com]
Sent: Monday, May 25, 2009 2:39 PM
To: Ryan West
Cc: Cisco certification; Cisco certification; smorris_at_internetworkexpert.com;
meer.asim_at_gmail.com; amsoares_at_netcabo.pt; mgazzaz_at_hotmail.com;
adiqtanko_at_gmail.com; timcurci_at_roadrunner.com; cciebase_at_gmail.com;
ccie.weaver_at_gmail.com; lhadrava_at_ipexpert.com; ravi29635_at_gmail.com
Subject: Re: Problem with destination NAT on hairpin flow config
Hi
I need to translate the destination IP for the traffic which is coming
to the inside interface and then getting into the tunnel, which is on
the same (inside) interface.
Are you really sending traffic into the inside interface of your firewall and
then trying to make it exit the same interface -- YES
(the tunnel is on the same interface)
(Other flows (from DMZ to inside) are going normally through the tunnel, so
I don't face any issue on this site-to-site tunnel.)
interface access-list
------------------------------
access-list inbound line 1 extended permit ip host 10.0.0.10 host 192.168.1.10 (hitcnt=28)
access-group inbound in interface inside
VPN
--------
crypto map IESPC 1 match address ipsec-traffic
crypto map IESPC 1 set pfs
crypto map IESPC 1 set peer x.x.x.x
crypto map IESPC 1 set transform-set IPSEC-3DES-MD5
crypto map IESPC 1 set security-association lifetime seconds 28800
crypto map IESPC 1 set security-association lifetime kilobytes 4608000
crypto map IESPC interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set IPSEC-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
access-list ipsec-traffic line 1 extended permit ip host 10.0.0.10 host 172.18.20.10 (hitcnt=0)
(no hit count visible because the NATing is not happening)
same-security-traffic permit intra-interface
For testing purposes I have used the line below, and everything works fine; I
can see the traffic on the other end. But my requirement is that the
destination IP (192.168.1.10) needs to change to 172.18.20.10 when it enters
the tunnel.
access-list ipsec-traffic line 1 extended permit ip host 10.0.0.10 host 192.168.1.10 (hitcnt=8)
All I need to know is how to translate the destination IP which is going to be
routed through the tunnel that is on the same interface.
Thanks & Regards
Sathish...
On Mon, May 25, 2009 at 11:19 PM, Ryan West <rwest_at_zyedge.com> wrote:
Hi,
Are you trying to overcome an overlap address problem? Are you really sending
traffic into the inside interface of your firewall and then trying to make it
exit the same interface or is it coming in on one tunnel and you want it to
leave out another tunnel? Can you describe your site-to-site traffic in a
little better detail, including interesting traffic on both sides of the
tunnel?
-ryan
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sathishkumar
Sent: Monday, May 25, 2009 12:12 PM
To: Cisco certification; Cisco certification; smorris_at_internetworkexpert.com;
meer.asim_at_gmail.com; amsoares_at_netcabo.pt; mgazzaz_at_hotmail.com;
adiqtanko_at_gmail.com; timcurci_at_roadrunner.com; cciebase_at_gmail.com;
ccie.weaver_at_gmail.com; lhadrava_at_ipexpert.com; ravi29635_at_gmail.com
Subject: Problem with destination NAT on hairpin flow config
Hi Experts,
I am facing a problem in configuring destination static NAT when
configuring hairpin flow on the ASA firewall.
src: 10.0.0.10 dest: 192.168.1.10 (NAT IP: 172.16.10.10)
Traffic enters the inside interface and needs to exit the same interface,
where it gets into the VPN tunnel.
Hence I have configured the global configuration command to enable hairpin
flow.
same-security-traffic permit intra-interface
I think after the traffic arrives, it enters the tunnel, so we don't
require any NAT to allow the incoming traffic; I also don't require
source NAT, only destination NAT.
I have tried putting in the statements below, but it seems this static
(inside,inside) works for source NAT but didn't work for destination NAT.
Please help me; any idea would be really appreciated...
static (inside,inside) 172.18.20.10 192.168.1.10 netmask 255.255.255.255 (not working)
static (inside,inside) 192.168.1.10 172.18.20.10 netmask 255.255.255.255 (not working)
Thanks & Regards
Sathish...
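As an added example, not part of the thread, here is a small Python check that parses the 'show access-list' style lines quoted above and compares the interface-ACL hit counter with the crypto-ACL counter for the same hairpin flow. Hits on the inbound ACL with zero hits on the crypto ACL is exactly the symptom reported here, and it points at the translation step rather than at the VPN itself. The sample output is constructed from the counters posted in the thread; the function and verdict names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two ACEs quoted in the thread with their reported
# hit counters, in the format 'show access-list' prints them.
SAMPLE_OUTPUT = """\
access-list inbound line 1 extended permit ip host 10.0.0.10 host 192.168.1.10 (hitcnt=28)
access-list ipsec-traffic line 1 extended permit ip host 10.0.0.10 host 172.18.20.10 (hitcnt=0)
"""

# Matches host-to-host ACEs; anything after the hitcnt (e.g. a hash) is ignored.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) host (?P<src>\S+) host (?P<dst>\S+) \(hitcnt=(?P<hits>\d+)\)"
)

@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: str
    dst: str
    hits: int

def parse_aces(text):
    """Return the host-to-host ACEs found in 'show access-list' output."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            aces.append(Ace(d["acl"], int(d["line"]), d["action"], d["proto"],
                            d["src"], d["dst"], int(d["hits"])))
    return aces

def hairpin_diagnosis(aces, interface_acl, crypto_acl, src, pre_nat_dst, post_nat_dst):
    """Compare hits on the interface ACE (pre-NAT destination) against hits on
    the crypto ACE (post-NAT destination) for one source host and return a verdict."""
    inbound = [a for a in aces if a.acl == interface_acl and a.src == src and a.dst == pre_nat_dst]
    crypto = [a for a in aces if a.acl == crypto_acl and a.src == src and a.dst == post_nat_dst]
    if not inbound or not crypto:
        return "incomplete"          # one of the expected ACEs is missing from the output
    in_hits = sum(a.hits for a in inbound)
    cr_hits = sum(a.hits for a in crypto)
    if cr_hits > 0:
        return "translated-and-encrypted"   # flow reaches the crypto ACL with the expected destination
    if in_hits > 0:
        return "permitted-but-not-translated"  # admitted on the interface, never matches the crypto ACL
    return "no-traffic"
```

The verdict "permitted-but-not-translated" is the cue to inspect 'show xlate' and the static statements next, as suggested in the reply above.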
Blogs and organic groups at http://www.ccie.net
Received on Mon May 25 2009 - 16:20:47 ART
This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART