RE: OT: VPN w/NAT not able to see NAT

From: Brian McGahan <bmcgahan_at_ine.com>
Date: Sat, 9 Mar 2013 10:35:59 -0600

I'm not exactly sure what you're trying to do without seeing your full config.
Normally you send traffic over IPsec without going through NAT, and regular
traffic to the Internet through NAT. With NAT control on, you have to have a
NAT statement for all traffic that transits, even if it's not being translated
(NAT 0). Do you want the traffic going over the tunnel to be NATed or no?

Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com

From: Dennis Worth [mailto:dennis.worth_at_gmail.com]
Sent: Saturday, March 09, 2013 9:43 AM
To: Brian McGahan
Cc: Cisco certification
Subject: Re: OT: VPN w/NAT not able to see NAT

Yes, NAT control is on. So with NATing the inside source to the 172
address at the ASA, I still need to have a NAT 0 as well?
On Sat, Mar 9, 2013 at 7:39 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:
Is NAT control on? If so you need a "NAT 0" to exempt the traffic that you
want to go through the IPsec tunnel.

Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13

bmcgahan_at_INE.com

Internetwork Expert, Inc.
http://www.INE.com

From: Dennis Worth [mailto:dennis.worth_at_gmail.com]
Sent: Saturday, March 09, 2013 9:25 AM
To: Piotr Kaluzny
Cc: Brian McGahan; Cisco certification
Subject: Re: OT: VPN w/NAT not able to see NAT

I see hits on my ACL.

access-list OUTSIDE_8_cryptomap line 1 extended permit ip host 172.16.100.10
10.200.0.1 255.255.255.255 (hitcnt=1478) 0x596f7fe4

On Sat, Mar 9, 2013 at 2:33 AM, Piotr Kaluzny <piotrk_at_ipexpert.com> wrote:
Dennis

What does the proxy ACL on the headend ASA look like?

Regards,

--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com
On Sat, Mar 9, 2013 at 5:30 AM, Dennis Worth <dennis.worth_at_gmail.com> wrote:
Config:

static (INSIDE,OUTSIDE) 172.16.100.10 access-list INSIDE_nat_static
nat-control

match ip INSIDE host 10.10.10.125 OUTSIDE 10.200.0.1 255.255.255.255
  static translation to 172.16.100.10
  translate_hits = 111, untranslate_hits = 126
On Fri, Mar 8, 2013 at 8:25 PM, Dennis Worth <dennis.worth_at_gmail.com> wrote:
> Looks like a possible routing issue, since 10.0.0.0 is inside as a /8, so
> the FW sees 10.200.0.0/24 back to inside.
>
> I created a static to 10.200.0.0/24 to the outside interface IP.
>
> Now on packet-tracer I get this:
>    Type -  VPN     Subtype -  encrypt     Action -  DROP
>
> On Fri, Mar 8, 2013 at 5:53 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>
>> Check your NAT config, IPsec proxy ACL, and routing. Post your config if
>> you're stumped.
>>
>> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
>> bmcgahan_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com
>>
>> On Mar 8, 2013, at 6:30 PM, "Dennis Worth" <dennis.worth_at_gmail.com> wrote:
>>
>> > Group,
>> >
>> > Probably something easy, but for the life of me I can't find it.
>> >
>> > Phase I UP
>> > Phase II UP
>> >
>> > NATing on both sides of the tunnel, but one side does not recognize the
>> > NAT on one side for VPN outbound.
>> >
>> > (REMOTE SIDE)  10.10.10.10
>> > ---ASA-10.200.0.1(NAT)-----(NAT)172.16.100.10-ASA---10.10.10.125 (HUB SIDE)
>> >
>> > Hub side receives traffic but does not send traffic.
>> >
>> > Bad ACLs?
>> >
>> > --
>> > Dennis Worth
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>
> --
> Dennis Worth
>
--
Dennis Worth
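To make Brian's two cases concrete, here is an added example of a hub-side ASA in the pre-8.3 NAT syntax this thread uses. It is not configuration posted by anyone in the thread. The interface names INSIDE/OUTSIDE, the ACL names INSIDE_nat_static and OUTSIDE_8_cryptomap, and the addresses 10.10.10.125, 172.16.100.10 and 10.200.0.1 are taken from the thread; the NONAT ACL name, the /24 subnet sizes, the PAT rule and the packet-tracer flow are assumptions.

```text
! Added example, not from the thread. Pre-8.3 ASA NAT syntax.
! With nat-control on, every flow crossing the ASA must match some NAT rule;
! a flow with no matching rule is dropped before it reaches the crypto map.
nat-control

! ---- Alternative A: traffic for the tunnel is NOT translated ----
! nat 0 (NAT exemption) is the matching rule for that traffic, so the
! crypto ACL uses the real inside addresses. (Subnet sizes are assumed.)
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.200.0.0 255.255.255.0
nat (INSIDE) 0 access-list NONAT
access-list OUTSIDE_8_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.200.0.0 255.255.255.0

! Ordinary Internet-bound traffic still needs its own rule (assumed PAT),
! otherwise nat-control drops it.
global (OUTSIDE) 1 interface
nat (INSIDE) 1 10.10.10.0 255.255.255.0

! ---- Alternative B: traffic for the tunnel IS translated (the thread's setup) ----
! The policy static is the matching NAT rule for 10.10.10.125 -> 10.200.0.1,
! so that flow needs no nat 0 entry. Because the ASA translates before it
! encrypts, the crypto ACL must match the translated address 172.16.100.10,
! and the remote peer's proxy ACL must mirror it.
access-list INSIDE_nat_static extended permit ip host 10.10.10.125 host 10.200.0.1
static (INSIDE,OUTSIDE) 172.16.100.10 access-list INSIDE_nat_static
access-list OUTSIDE_8_cryptomap extended permit ip host 172.16.100.10 host 10.200.0.1

! Verification (assumed flow): the NAT phase shows which rule matched
! (nat 0 in A, the static in B) and the VPN encrypt phase should end in ALLOW.
packet-tracer input INSIDE tcp 10.10.10.125 1024 10.200.0.1 80
show nat
```

Only one of the two alternatives is applied per flow; what both have in common is that the address appearing in the crypto ACL is the address the flow carries after the NAT phase. Keeping the NAT rule, the local crypto ACL and the peer's proxy ACL in agreement is the check to run before suspecting the tunnel itself.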
Received on Sat Mar 09 2013 - 10:35:59 ART

This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART