Re: OT: VPN w/NAT not able to see NAT

From: Piotr Kaluzny <piotrk_at_ipexpert.com>
Date: Sat, 9 Mar 2013 11:33:54 +0100

Dennis

What does the Proxy ACL on the headend ASA look like?

Regards,

--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com

On Sat, Mar 9, 2013 at 5:30 AM, Dennis Worth <dennis.worth_at_gmail.com> wrote:
>    Config
> static (INSIDE,OUTSIDE) 172.16.100.10 access-list INSIDE_nat_static
> nat-control
> match ip INSIDE host 10.10.10.125 OUTSIDE 10.200.0.1 255.255.255.255
> static translation to 172.16.100.10
> translate_hits = 111, untranslate_hits = 126
>
>
> On Fri, Mar 8, 2013 at 8:25 PM, Dennis Worth <dennis.worth_at_gmail.com>
> wrote:
>
> > Looks like a possible routing issue, since 10.0.0.0 is inside as a /8, so
> > the FW sees the 10.200.0.0/24 back to inside.
> >
> > I created a static to 10.200.0.0/24 to outside interface IP.
> >
> > Now on packet trace I get this:
> >    Type -  VPN     Subtype -  encrypt     Action -  DROP
> >
> > On Fri, Mar 8, 2013 at 5:53 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
> >
> >> Check your NAT config, IPsec proxy ACL, and routing. Post your config if
> >> you're stumped.
> >>
> >> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
> >> bmcgahan_at_INE.com
> >>
> >> Internetwork Expert, Inc.
> >> http://www.INE.com
> >>
> >> On Mar 8, 2013, at 6:30 PM, "Dennis Worth" <dennis.worth_at_gmail.com>
> >> wrote:
> >>
> >> > Group,
> >> >
> >> > Probably something easy, but for the life of me I can't find it.
> >> >
> >> > Phase I UP
> >> > Phase II UP
> >> >
> >> > NATing on both sides of the tunnel, but one side does not recognize the NAT
> >> > on one side for VPN outbound.
> >> >
> >> >
> >> >
> >> > (REMOTE SIDE)  10.10.10.10 ---ASA-10.200.0.1(NAT)-----(NAT)172.16.100.10-ASA---10.10.10.125 (HUB SIDE)
> >> >
> >> >
> >> > Hub side receives traffic but does not send traffic.
> >> >
> >> > Bad ACLs?
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Dennis Worth
> >> >
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> >
> _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >>
> >
> >
> >
> > --
> > Dennis Worth
> >
> >
> >
>
>
> --
> Dennis Worth
>
>
Received on Sat Mar 09 2013 - 11:33:54 ART
