Help with VPN using NAT.

Unanswered Question
Jan 8th, 2008

Hi,

I'm in need of some urgent help please.

I have configured my VPN following this:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Basically I'm NATting a whole subnet before sending it over the tunnel.

The only thing that differs is that I've used a route-map with my static translation:

ip nat inside source static network 172.24.0.0 172.25.0.0 /16 route-map CAP

route-map CAP permit 10
 match ip address 115

access-list 115 permit ip 172.24.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 115 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255

I can see that it is being translated:

router#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 172.25.1.43        172.24.1.43        ---                ---

Subnet translation:
Inside global      Inside local       Outside local      Outside global     /prefix
172.25.0.0         172.24.0.0         ---                ---                /16

But it does not bring the tunnel up. In debug it appears to not even be attempting to initiate. I can see that the access list applied to the crypto map is not being hit.

HOWEVER, when I add the untranslated subnet to the access-list, i.e.:

access-list 173 permit ip 172.25.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 173 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255

I can see the hit count incrementing for 172.24.0.0/16!!! I'm not sure how this is possible when it has been translated. This also brings the tunnel up (but not fully, as it's not configured on the other end, I'm just using it for testing).

Any ideas? Do I need a next hop address configured on my route map?

Any comments would be very much appreciated.

Thanks,

J
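Cisco IOS performs inside-to-outside NAT before it checks the crypto map, so a crypto ACL on the NAT router has to be written against the translated (inside global) addresses. The script below is an added example, not part of this thread: it takes the route-map NAT statement, ACL 115 and the test ACL 173 from the post, applies the static network translation to a constructed sample flow, and reports which ACL 173 entry a packet would hit before and after translation. The ACL evaluation is a simplified model (permit entries only, contiguous wildcard masks), not a reproduction of IOS behaviour.

```python
import ipaddress

# Configuration taken from the post: policy NAT via route-map CAP / ACL 115,
# and test crypto ACL 173, which lists both the translated and untranslated subnet.
NAT_LINE = "ip nat inside source static network 172.24.0.0 172.25.0.0 /16 route-map CAP"
ROUTE_MAP_ACL = [
    "access-list 115 permit ip 172.24.0.0 0.0.255.255 10.2.0.0 0.0.255.255",
    "access-list 115 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255",
]
CRYPTO_ACL = [
    "access-list 173 permit ip 172.25.0.0 0.0.255.255 10.3.0.0 0.0.255.255",
    "access-list 173 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255",
]

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask -> network; assumes a contiguous wildcard such as 0.0.255.255."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)

def acl_permits(acl_lines, src, dst):
    """Return the first permit entry covering src -> dst, or None (simplified: deny entries ignored)."""
    for line in acl_lines:
        p = line.split()  # access-list <n> permit ip <src> <wild> <dst> <wild>
        if p[2] != "permit":
            continue
        if src in wildcard_to_network(p[4], p[5]) and dst in wildcard_to_network(p[6], p[7]):
            return line
    return None

def translate_source(nat_line, route_map_acl, src, dst):
    """Apply the static network translation only when the route-map ACL permits the flow."""
    p = nat_line.split()
    local = ipaddress.IPv4Network(p[6] + p[8], strict=False)  # 172.24.0.0/16 (inside local)
    glob = int(ipaddress.IPv4Address(p[7]))                    # 172.25.0.0 (inside global)
    if src not in local or acl_permits(route_map_acl, src, dst) is None:
        return src
    return ipaddress.IPv4Address((glob & int(local.netmask)) | (int(src) & int(local.hostmask)))

def crypto_match(src, dst, nat_line=NAT_LINE, route_map_acl=ROUTE_MAP_ACL, crypto_acl=CRYPTO_ACL):
    """Evaluate the crypto ACL on the pre-NAT and post-NAT source; IOS checks it post-NAT."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    post = translate_source(nat_line, route_map_acl, src, dst)
    return {
        "pre_nat_source": str(src),
        "post_nat_source": str(post),
        "entry_hit_pre_nat": acl_permits(crypto_acl, src, dst),
        "entry_hit_post_nat": acl_permits(crypto_acl, post, dst),
    }

if __name__ == "__main__":
    # Constructed sample flow: the host from the post's NAT table talking to a 10.3.0.0/16 peer.
    for key, value in crypto_match("172.24.1.43", "10.3.5.5").items():
        print(f"{key}: {value}")
```

Traffic towards a destination that ACL 115 does not list (for example 10.4.0.0/16) leaves the router untranslated, so the only crypto ACL entry that can match it is the 172.24.0.0/16 one.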

hadbou Mon, 01/14/2008 - 09:44

For instructions on how to configure a Network Address Translation Traversal (NAT-T) between Cisco VPN Clients located behind a Port Address Translation (PAT)/NAT device and a remote Cisco VPN Concentrator, refer to Configuring Multiple VPN Clients to a Cisco VPN 3000 Concentrator Using NAT-Traversal.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008010edf4.shtml
