Re: OT: VPN w/NAT not able to see NAT

From: Dennis Worth <dennis.worth_at_gmail.com>
Date: Tue, 12 Mar 2013 06:29:56 -0700

Looks like it's a bug in the order the crypto map is read. ASA 5510 8.2(4).
Although Cisco stated a reload should work, it did not.

Any thoughts on reordering the crypto maps, starting from 1 and sequencing up?
They said this would probably work also, but I'm thinking code upgrade.

Thanks,

On Sat, Mar 9, 2013 at 8:35 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:

> I'm not exactly sure what you're trying to do without seeing your full
> config. Normally you send traffic over IPsec without going through NAT,
> and regular traffic to the Internet through NAT. With NAT control on, you
> have to have a NAT statement for all traffic that transits, even if it's
> not being translated (NAT 0). Do you want the traffic going over the
> tunnel to be NATed or no?
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com <http://www.ine.com/>
>
> *From:* Dennis Worth [mailto:dennis.worth_at_gmail.com]
> *Sent:* Saturday, March 09, 2013 9:43 AM
> *To:* Brian McGahan
> *Cc:* Cisco certification
>
> *Subject:* Re: OT: VPN w/NAT not able to see NAT
>
> Yes, NAT control is on. So with NATing the inside source to the 172
> address at the ASA, I still need to have a NAT 0 as well?
>
> On Sat, Mar 9, 2013 at 7:39 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>
> Is NAT control on? If so you need a NAT 0 to exempt the traffic that you
> want to go through the IPsec tunnel.
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
>
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com <http://www.ine.com/>
>
> *From:* Dennis Worth [mailto:dennis.worth_at_gmail.com]
> *Sent:* Saturday, March 09, 2013 9:25 AM
> *To:* Piotr Kaluzny
> *Cc:* Brian McGahan; Cisco certification
> *Subject:* Re: OT: VPN w/NAT not able to see NAT
>
> I see hits on my ACL.
>
> access-list OUTSIDE_8_cryptomap line 1 extended permit ip host
> 172.16.100.10 10.200.0.1 255.255.255.255 (hitcnt=1478) 0x596f7fe4
>
> On Sat, Mar 9, 2013 at 2:33 AM, Piotr Kaluzny <piotrk_at_ipexpert.com> wrote:
>
> Dennis
>
> What does the proxy ACL on the headend ASA look like?
>
> Regards,
>
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Technical Instructor - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Sat, Mar 9, 2013 at 5:30 AM, Dennis Worth <dennis.worth_at_gmail.com>
> wrote:
>
> Config static (INSIDE,OUTSIDE) 172.16.100.10 access-list INSIDE_nat_static
> nat-control
>
> match ip INSIDE host 10.10.10.125 OUTSIDE 10.200.0.1 255.255.255.255
>   static translation to 172.16.100.10
>   translate_hits = 111, untranslate_hits = 126
>
> On Fri, Mar 8, 2013 at 8:25 PM, Dennis Worth <dennis.worth_at_gmail.com>
> wrote:
>
> > Looks like a possible routing issue, since 10.0.0.0 is inside as a /8, so
> > the FW sees 10.200.0.0/24 back to the inside.
> >
> > I created a static to 10.200.0.0/24 to the outside interface IP.
> >
> > Now on packet-tracer I get this:
> > Type - VPN, Subtype - encrypt, Action - DROP
> >
> > On Fri, Mar 8, 2013 at 5:53 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
> >
> >> Check your NAT config, IPsec proxy ACL, and routing. Post your config if
> >> you're stumped.
> >>
> >> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
> >> bmcgahan_at_INE.com
> >>
> >> Internetwork Expert, Inc.
> >> http://www.INE.com
> >>
> >> On Mar 8, 2013, at 6:30 PM, "Dennis Worth" <dennis.worth_at_gmail.com>
> >> wrote:
> >>
> >> > Group,
> >> >
> >> > Probably something easy, but for life of me I can't find it.
> >> >
> >> > Phase I UP
> >> > Phase II UP
> >> >
> >> > NATing on both sides of the tunnel, but one side does not recognize the
> >> > NAT on one side for VPN outbound.
> >> >
> >> > (REMOTE SIDE) 10.10.10.10
> >> > ---ASA-10.200.0.1(NAT)-----(NAT)172.16.100.10-ASA---10.10.10.125 (HUB SIDE)
> >> >
> >> > Hub side receives traffic but does not send traffic.
> >> >
> >> > Bad ACLs?
> >> >
> >> > --
> >> > Dennis Worth
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> >
> >> > _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
> >> >
> >>
> >
> > --
> > Dennis Worth
> >
>
>
> --
> Dennis Worth
>

--
Dennis Worth
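The points the thread circles around (nat-control requiring a NAT rule for every transit flow, NAT 0 as the exemption, the proxy ACL having to match the address the packet carries when the crypto map sees it, the 10/8 inside route swallowing 10.200.0.0/24, and crypto map sequence order) collected into one hub-side ASA 8.2 fragment. This is an added example, not configuration posted by anyone in the thread. The addresses 10.10.10.125, 172.16.100.10 and 10.200.0.1, the interface names INSIDE/OUTSIDE and the ACL names INSIDE_nat_static and OUTSIDE_8_cryptomap are taken from Dennis's output; the crypto map name OUTSIDE_map, the peer 198.51.100.2, the next hop 203.0.113.1, the transform set name and the NO_NAT ACL are assumptions. ISAKMP policy and tunnel-group are omitted because the thread reports Phase 1 and Phase 2 already up.

```cisco
! Added example: hub-side ASA, 8.2 (pre-8.3) NAT syntax.
! Lines marked ASSUMED are not from the thread.
!
nat-control
!
! ---- Option A: translate the inside host before it enters the tunnel ----
! Policy static NAT: 10.10.10.125 is shown as 172.16.100.10 only toward the
! remote VPN host 10.200.0.1. Under nat-control this rule is the NAT
! statement the flow needs, so no NAT 0 is required for it.
access-list INSIDE_nat_static extended permit ip host 10.10.10.125 host 10.200.0.1
static (INSIDE,OUTSIDE) 172.16.100.10 access-list INSIDE_nat_static
!
! The crypto (proxy) ACL on pre-8.3 code is matched against the packet after
! NAT on the outbound path, so it names the translated source, not
! 10.10.10.125. The remote ASA's proxy ACL must be the mirror image:
! permit ip host 10.200.0.1 host 172.16.100.10
access-list OUTSIDE_8_cryptomap extended permit ip host 172.16.100.10 host 10.200.0.1
!
! ---- Option B: send the flow untranslated and exempt it from nat-control ----
! Use instead of Option A. NAT 0 is evaluated before static and dynamic
! rules; the crypto ACL on both ends would then use 10.10.10.125.
! ACL name NO_NAT is ASSUMED.
! access-list NO_NAT extended permit ip host 10.10.10.125 host 10.200.0.1
! nat (INSIDE) 0 access-list NO_NAT
!
! ---- Routing ----
! A 10.0.0.0/8 route toward INSIDE would send 10.200.0.0/24 back inside and
! the packet would never reach the crypto map bound to OUTSIDE. A more
! specific route toward OUTSIDE wins by longest prefix. Next hop ASSUMED.
route OUTSIDE 10.200.0.0 255.255.255.0 203.0.113.1
!
! ---- Crypto map ----
! Entries are tried in sequence order; a lower-numbered entry whose match
! ACL also covers 172.16.100.10 -> 10.200.0.1 takes the flow first and this
! entry never sees it. Map name, peer and transform set name ASSUMED.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_map 8 match address OUTSIDE_8_cryptomap
crypto map OUTSIDE_map 8 set peer 198.51.100.2
crypto map OUTSIDE_map 8 set transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map interface OUTSIDE
!
! ---- Checks (exec mode) ----
! show nat
!     translate_hits should climb for the static rule above
! show access-list OUTSIDE_8_cryptomap
!     hitcnt should climb; if not, the packet is reaching the map with a
!     different source address or is routed elsewhere
! show run crypto map
!     confirm no lower sequence number matches the same proxy pair
! packet-tracer input INSIDE tcp 10.10.10.125 12345 10.200.0.1 80 detailed
!     walks ROUTE-LOOKUP, NAT and VPN/encrypt phases in order and names the
!     phase that drops
```

The packet-tracer line is the quickest way to tell the three failure modes apart: a drop in the ROUTE-LOOKUP phase means the /8 is still pulling the traffic inside, a drop in NAT means nat-control found no rule for the flow, and a drop in the VPN encrypt phase with routing and NAT already passed means the crypto map entry that matched is not the one expected (wrong sequence or wrong proxy identity).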
Blogs and organic groups at http://www.ccie.net
Received on Tue Mar 12 2013 - 06:29:56 ART

This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART