VPN Site to Site With NAT

Unanswered Question
Oct 8th, 2007

Hi all,

Can someone help me please

An inside server (192.168.92.6) needs to access a remote network, 192.168.31.0.

A site-to-site VPN is established between the PIX outside interface (192.168.111.6) and a Multitech firewall (192.168.111.200).

Now my inside server should connect to the remote network with this IP: 172.20.20.6. So I have to NAT my inside server IP (192.168.92.6) to 172.20.20.6.

The remote network should connect to the inside network via 172.20.20.6.

My problem is that I can establish a connection to my inside network from the remote network, but I cannot establish a connection (TCP) from my inside network to the remote network.

The weird thing is that I can ping each network from the other.

This is my config below:

access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list Inside_nat_static extended permit ip host 192.168.92.6 192.168.31.0 255.255.255.0
static (Inside,Outside) Ip_172.20.20.6 access-list Inside_nat_static dns
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 192.168.111.200
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
service-policy global_policy global
tunnel-group 192.168.111.200 type ipsec-l2l
tunnel-group 192.168.111.200 ipsec-attributes
 pre-shared-key *

Thanks for any answers.

p.vdvoort Mon, 10/08/2007 - 03:39

Hi fallkaired,

I would say that if you change your NAT to:

static (inside,outside) 172.20.20.6 192.168.92.6 netmask 255.255.255.255

things should work.

Good luck!

Peter

fallkaired Mon, 10/08/2007 - 05:57

Thanks for your answer, but it is still not working. I have the same problem.

p.vdvoort Thu, 10/11/2007 - 01:01

OK, the first thing to check here is your crypto ACL on the remote site. Is it an exact mirror of the ACL on the local site?

Do you have ACLs on the remote site possibly blocking your TCP traffic?

Then, what kind of messages do you get when trying to connect to the outside?

At least you should see a packet coming in from 192.168.92.6 and you should see messages like "building xlate entry for... " pointing to the fact translation occurs.

After that you should see the tunnel being built (terminal monitor); you should get ISAKMP SAs and after that IPsec SAs.

When that is all going as expected, you should be able to see your packets getting encrypted e.g. being transferred through the tunnel (show crypto ipsec sa).

If your connection gets this far, the remote site should be reviewed.

Peter
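The two checks Peter describes above, that the remote crypto ACL exactly mirrors the local one and that the translated (NAT'd) address, not the real inside address, is what the local crypto ACL selects, can be scripted against saved configs. The following is an added example and is not code from the thread or from Cisco; the ACL names, the remote-side lines, and the sample host 192.168.31.10 are constructed, while the addresses come from the original post.

```python
import ipaddress

# Constructed sample ACL lines. The local line is the one from the thread;
# the two "remote" variants are made up to show a correct and an incorrect mirror.
LOCAL_CRYPTO_ACL = [
    "access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0",
]
REMOTE_CRYPTO_ACL_MIRRORED = [
    "access-list Inside_1_cryptomap extended permit ip 192.168.31.0 255.255.255.0 172.20.20.0 255.255.255.0",
]
# Common mistake: the remote side was written against the real inside subnet,
# so it never matches the NAT'd source the PIX actually sends.
REMOTE_CRYPTO_ACL_WRONG = [
    "access-list Inside_1_cryptomap extended permit ip 192.168.31.0 255.255.255.0 192.168.92.0 255.255.255.0",
]


def _parse_operand(tokens, i):
    """Parse one PIX/ASA address operand ('any', 'host A', or 'A MASK') at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # PIX syntax uses a dotted netmask, which ip_network accepts directly.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_crypto_acl(lines):
    """Return a list of (src_network, dst_network) for each 'permit ip' ACE.

    Only 'ip' entries are handled; a crypto ACL normally uses just those.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list" or "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":
            continue
        src, i = _parse_operand(tokens, i + 2)
        dst, _ = _parse_operand(tokens, i)
        entries.append((src, dst))
    return entries


def mirror_mismatches(local_entries, remote_entries):
    """Return the local (src, dst) pairs that have no swapped (dst, src) twin on the remote side.

    An empty list means the remote crypto ACL is an exact mirror of the local one.
    """
    remote_swapped = {(dst, src) for src, dst in remote_entries}
    return [pair for pair in local_entries if pair not in remote_swapped]


def nat_selected_by_crypto_acl(mapped_ip, remote_host, local_entries):
    """True if traffic from the *translated* address to remote_host is selected by the crypto ACL.

    On the PIX, NAT is applied before the crypto map is evaluated for outbound
    traffic, so the crypto ACL must be written against the mapped address.
    """
    mapped = ipaddress.ip_address(mapped_ip)
    remote = ipaddress.ip_address(remote_host)
    return any(mapped in src and remote in dst for src, dst in local_entries)


if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_CRYPTO_ACL)
    print("mirror OK:", not mirror_mismatches(local, parse_crypto_acl(REMOTE_CRYPTO_ACL_MIRRORED)))
    print("wrong remote ACL mismatches:",
          mirror_mismatches(local, parse_crypto_acl(REMOTE_CRYPTO_ACL_WRONG)))
    # The static NAT from the thread maps 192.168.92.6 -> 172.20.20.6; only the
    # mapped address is covered by Outside_1_cryptomap.
    print("mapped address selected:", nat_selected_by_crypto_acl("172.20.20.6", "192.168.31.10", local))
    print("real address selected:", nat_selected_by_crypto_acl("192.168.92.6", "192.168.31.10", local))
```

Running it against the constructed lines reports the mirrored remote ACL as a match, lists the 172.20.20.0/24 to 192.168.31.0/24 pair as missing from the wrong one, and shows that only the translated 172.20.20.6 (not the real 192.168.92.6) is selected by the local crypto ACL, which is exactly why the static translation must be in place and correct before the tunnel is consulted.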

fallkaired Thu, 10/11/2007 - 04:06

It's working fine now. You're right, the TCP traffic was not permitted on the remote site.

Thanks for your help.
