Re: OT: VPN w/NAT not able to see NAT

From: Dennis Worth <dennis.worth_at_gmail.com>
Date: Tue, 12 Mar 2013 07:10:23 -0700

Ok, so I decided to just change the priority to 1 number higher to
test it, and what do you know....BAM!! it started working.

Such a pain.. :|

On Tue, Mar 12, 2013 at 6:29 AM, Dennis Worth <dennis.worth_at_gmail.com> wrote:

> Looks like it's a bug in the order of reading the crypto map. ASA 5510 8.2(4).
> Although Cisco stated a reload should work, it did not.
>
> Any thoughts on reordering crypto maps when starting from 1 sequenced up?
> They said this would probably work also, but I'm thinking code upgrade.
>
> Thanks,
>
>
> On Sat, Mar 9, 2013 at 8:35 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>
>> I'm not exactly sure what you're trying to do without seeing your full
>> config. Normally you send traffic over IPsec without going through NAT,
>> and regular traffic to the Internet through NAT. With NAT control on, you
>> have to have a NAT statement for all traffic that transits, even if it's
>> not being translated (NAT 0). Do you want the traffic going over the
>> tunnel to be NATed or no?
>>
>> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
>> bmcgahan_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com <http://www.ine.com/>
>>
>> From: Dennis Worth [mailto:dennis.worth_at_gmail.com]
>> Sent: Saturday, March 09, 2013 9:43 AM
>> To: Brian McGahan
>> Cc: Cisco certification
>> Subject: Re: OT: VPN w/NAT not able to see NAT
>>
>>
>> Yes, NAT control is on. So with the NATing of the inside source to the 172
>> address at the ASA, I still need to have a NAT 0 as well?
>>
>> On Sat, Mar 9, 2013 at 7:39 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>>
>> Is NAT control on? If so you need a NAT 0 to exempt the traffic that
>> you want to go through the IPsec tunnel.
>>
>> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
>>
>>
>> bmcgahan_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com <http://www.ine.com/>
>>
>> From: Dennis Worth [mailto:dennis.worth_at_gmail.com]
>> Sent: Saturday, March 09, 2013 9:25 AM
>> To: Piotr Kaluzny
>> Cc: Brian McGahan; Cisco certification
>> Subject: Re: OT: VPN w/NAT not able to see NAT
>>
>> I see hits on my ACL.
>>
>> access-list OUTSIDE_8_cryptomap line 1 extended permit ip host
>> 172.16.100.10 10.200.0.1 255.255.255.255 (hitcnt=1478) 0x596f7fe4
>>
>> On Sat, Mar 9, 2013 at 2:33 AM, Piotr Kaluzny <piotrk_at_ipexpert.com>
>> wrote:
>>
>> Dennis
>>
>> What does the proxy ACL on the headend ASA look like?
>>
>> Regards,
>>
>> --
>> Piotr Kaluzny
>> CCIE #25665 (Security), CCSP, CCNP
>> Sr. Technical Instructor - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> On Sat, Mar 9, 2013 at 5:30 AM, Dennis Worth <dennis.worth_at_gmail.com>
>> wrote:
>>
>> Config static (INSIDE,OUTSIDE) 172.16.100.10 access-list
>> INSIDE_nat_static
>> nat-control
>> match ip INSIDE host 10.10.10.125 OUTSIDE 10.200.0.1 255.255.255.255
>> static translation to 172.16.100.10
>> translate_hits = 111, untranslate_hits = 126
>>
>> On Fri, Mar 8, 2013 at 8:25 PM, Dennis Worth <dennis.worth_at_gmail.com>
>> wrote:
>>
>> > Looks like a possible routing issue, since 10.0.0.0 is inside as a /8, so
>> > the FW sees the 10.200.0.0/24 back to inside.
>> >
>> > I created a static to 10.200.0.0/24 to the outside interface IP.
>> >
>> > Now on packet trace I get this:
>> > Type - VPN Subtype - encrypt Action - DROP
>> >
>> > On Fri, Mar 8, 2013 at 5:53 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>> >
>> >> Check your NAT config, IPsec proxy ACL, and routing. Post your config if
>> >> you're stumped.
>> >>
>> >> Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE 2013::13
>> >> bmcgahan_at_INE.com
>> >>
>> >> Internetwork Expert, Inc.
>> >> http://www.INE.com
>> >>
>> >> On Mar 8, 2013, at 6:30 PM, "Dennis Worth" <dennis.worth_at_gmail.com>
>> >> wrote:
>> >>
>> >> > Group,
>> >> >
>> >> > Probably something easy, but for life of me I can't find it.
>> >> >
>> >> > Phase I UP
>> >> > Phase II UP
>> >> >
>> >> > NATing on both sides of the tunnel, but one side does not recognize the
>> >> > NAT on one side for VPN outbound.
>> >> >
>> >> > (REMOTE SIDE) 10.10.10.10
>> >> > ---ASA-10.200.0.1(NAT)-----(NAT)172.16.100.10-ASA---10.10.10.125 (HUB SIDE)
>> >> >
>> >> > Hub side receives traffic but does not send traffic.
>> >> >
>> >> > Bad ACLs?
>> >> >
>> >> > --
>> >> > Dennis Worth
>> >> >
>> >> > Blogs and organic groups at http://www.ccie.net
>> >> >
>> >> > _______________________________________________________________________
>> >> > Subscription information may be found at:
>> >> > http://www.groupstudy.com/list/CCIELab.html

--
Dennis Worth
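The thread's eventual fix was changing the crypto map sequence number. As an added illustration (not from the thread or any poster), this Python models ASA first-match crypto map selection over the proxy ACL line quoted above and flags entries that an earlier, broader sequence shadows. The peers and the seq 5 entry are constructed assumptions.

```python
import ipaddress

def _addr(tok, i):
    """Consume one ASA address spec at tok[i]: 'any', 'host A' or 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """(src_net, dst_net) of a 'permit ip <src> <dst>' ACE, tolerating the
    'access-list NAME line N extended' prefix and hitcnt suffix of show access-list."""
    tok = line.split()
    i = tok.index("permit") + 2  # skip 'permit' and the protocol keyword
    src, i = _addr(tok, i)
    return src, _addr(tok, i)[0]

def first_match(crypto_map, src, dst):
    """Entries are checked in ascending sequence order; the first ACE matching
    the flow picks the peer. Returns (seq, peer) or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, peer, aces in sorted(crypto_map):
        for ace in aces:
            sn, dn = parse_ace(ace)
            if s in sn and d in dn:
                return seq, peer
    return None

def shadowed_entries(crypto_map):
    """[(seq, by_seq)] for entries whose every ACE is fully covered by an ACE of
    an earlier sequence, so their peer can never be chosen for that traffic."""
    seen, out = [], []
    for seq, _, aces in sorted(crypto_map):
        nets = [parse_ace(a) for a in aces]
        for by, earlier in seen:
            if all(any(sn.subnet_of(es) and dn.subnet_of(ed) for es, ed in earlier)
                   for sn, dn in nets):
                out.append((seq, by))
                break
        seen.append((seq, nets))
    return out

# Constructed data, not the poster's config: seq 8 carries the thread's proxy
# ACL OUTSIDE_8_cryptomap; seq 5 is a hypothetical broader entry to another peer.
CRYPTO_MAP = [
    (5, "203.0.113.5", ["permit ip 172.16.100.0 255.255.255.0 10.200.0.0 255.255.255.0"]),
    (8, "203.0.113.8", ["access-list OUTSIDE_8_cryptomap line 1 extended permit ip host "
                        "172.16.100.10 10.200.0.1 255.255.255.255 (hitcnt=1478) 0x596f7fe4"]),
]
```

Renumbering the specific entry below the broad one (for example seq 8 to seq 4) makes `first_match` pick the intended peer and empties `shadowed_entries`.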
Received on Tue Mar 12 2013 - 07:10:23 ART

This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 19:06:19 ART