RE: OT: VPN w/NAT not able to see NAT

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Sat, 9 Mar 2013 09:39:05 -0600

Is NAT control on? If so you need a "NAT 0" to exempt the traffic that you
want to go through the IPsec tunnel.

Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com
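
As an added illustration (not part of Brian's reply or of Dennis's posted config), here are the two ways a hub-side ASA can present a host to this tunnel in pre-8.3 syntax, which is the syntax the `static (INSIDE,OUTSIDE)` and `nat-control` lines in the thread use. Interface names, the 10.10.10.125 / 172.16.100.10 / 10.200.0.1 addresses and the two ACL names come from the thread; the peer address 198.51.100.1, the second inside host 10.10.10.130, the NONAT and ESP-AES-SHA names and the crypto map name OUTSIDE_map are assumptions made for the example.

```cisco
! Added example, not the thread's running config. Pre-8.3 ASA syntax.
! Assumed values: peer 198.51.100.1, host 10.10.10.130, names NONAT,
! ESP-AES-SHA and OUTSIDE_map.

nat-control

! --- Design A: the host is translated before it enters the tunnel (as posted) ---
! Policy static NAT: 10.10.10.125 becomes 172.16.100.10 only toward 10.200.0.1.
access-list INSIDE_nat_static extended permit ip host 10.10.10.125 host 10.200.0.1
static (INSIDE,OUTSIDE) 172.16.100.10 access-list INSIDE_nat_static
! The crypto ACL is evaluated after NAT on the outbound path, so it must
! name the translated address, not the real one.
access-list OUTSIDE_8_cryptomap extended permit ip host 172.16.100.10 host 10.200.0.1

! --- Design B: the host enters the tunnel untranslated (the "nat 0" case) ---
! With nat-control on, a packet with no matching translation is dropped, so a
! host that should cross the tunnel with its real address needs an exemption.
! Exemption (nat 0 access-list) is checked before static/policy NAT, so keep
! it for a different host than the one covered by the static above, or the
! exemption wins and the crypto ACL for 172.16.100.10 no longer matches.
access-list NONAT extended permit ip host 10.10.10.130 host 10.200.0.1
nat (INSIDE) 0 access-list NONAT
! For the exempted host the crypto ACL names the real address.
access-list OUTSIDE_8_cryptomap extended permit ip host 10.10.10.130 host 10.200.0.1

! 10.200.0.0/24 must be routed toward the peer; otherwise the inside
! 10.0.0.0/8 route mentioned in the thread pulls it back to INSIDE.
route OUTSIDE 10.200.0.0 255.255.255.0 198.51.100.1

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_map 8 match address OUTSIDE_8_cryptomap
crypto map OUTSIDE_map 8 set peer 198.51.100.1
crypto map OUTSIDE_map 8 set transform-set ESP-AES-SHA
crypto map OUTSIDE_map interface OUTSIDE

! Verify which translation and which crypto entry a flow really hits:
! packet-tracer input INSIDE tcp 10.10.10.125 1025 10.200.0.1 80 detailed
! show nat
! show crypto ipsec sa peer 198.51.100.1
```

Whichever design applies to a given host, the remote ASA's proxy ACL has to be the exact mirror of the hub entry (10.200.0.1 to 172.16.100.10, or 10.200.0.1 to 10.10.10.130), and the remote side's own NAT must present 10.10.10.10 as 10.200.0.1 toward that same destination. A `packet-tracer` result of `VPN / encrypt / DROP` on the hub is the symptom to look for when the post-NAT source does not match any crypto ACL line.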

From: Dennis Worth [mailto:dennis.worth_at_gmail.com]
Sent: Saturday, March 09, 2013 9:25 AM
To: Piotr Kaluzny
Cc: Brian McGahan; Cisco certification
Subject: Re: OT: VPN w/NAT not able to see NAT

I see hits on my ACL.

access-list OUTSIDE_8_cryptomap line 1 extended permit ip host 172.16.100.10 10.200.0.1 255.255.255.255 (hitcnt=1478) 0x596f7fe4

On Sat, Mar 9, 2013 at 2:33 AM, Piotr Kaluzny
<piotrk_at_ipexpert.com> wrote:
Dennis

What does the Proxy ACL on the headend ASA look like?

Regards,

--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com
On Sat, Mar 9, 2013 at 5:30 AM, Dennis Worth
<dennis.worth_at_gmail.com> wrote:
Config:
   static (INSIDE,OUTSIDE) 172.16.100.10 access-list INSIDE_nat_static
   nat-control

   match ip INSIDE host 10.10.10.125 OUTSIDE 10.200.0.1 255.255.255.255
     static translation to 172.16.100.10
     translate_hits = 111, untranslate_hits = 126
On Fri, Mar 8, 2013 at 8:25 PM, Dennis Worth
<dennis.worth_at_gmail.com> wrote:
> Looks like a possible routing issue, since 10.0.0.0 is inside as a /8, so the
> FW sees 10.200.0.0/24 back to inside.
>
> I created a static route for 10.200.0.0/24 pointing to the outside interface IP.
>
> Now on packet-tracer I get this:
>    Type -  VPN     Subtype -  encrypt     Action -  DROP
>
> On Fri, Mar 8, 2013 at 5:53 PM, Brian McGahan
<bmcgahan_at_ine.com> wrote:
>
>> Check your NAT config, IPsec proxy ACL, and routing. Post your config if
>> you're stumped.
>>
>> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
>> bmcgahan_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com
>>
>> On Mar 8, 2013, at 6:30 PM, "Dennis Worth"
<dennis.worth_at_gmail.com>
>> wrote:
>>
>> > Group,
>> >
>> > Probably something easy, but for life of me I can't find it.
>> >
>> > Phase I UP
>> > Phase II UP
>> >
>> > NATing on both sides of the tunnel, but one side does not recognize the
>> > NAT on one side for VPN outbound.
>> >
>> >
>> >
>> > (REMOTE SIDE) 10.10.10.10---ASA-10.200.0.1(NAT)-----(NAT)172.16.100.10-ASA---10.10.10.125 (HUB SIDE)
>> >
>> >
>> > Hub side receives traffic but does not send traffic.
>> >
>> > Bad ACLs?
>> >
>> > --
>> > Dennis Worth
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>>
>
> --
> Dennis Worth
>
--
Dennis Worth
Received on Sat Mar 09 2013 - 09:39:05 ART
