NAT IP on 3000 Concentrator

Answered Question
Mar 10th, 2008

Hi everyone, just have a quick question here to make sure I'm thinking right. When you NAT on the Concentrator, your network list on the local side will be the NATted IP, correct? So for instance, if my original IP address is:


192.168.30.20


and I do a static NAT of 10.255.140.4,

my network list would contain only the NATted IP address of 10.255.140.4/0.0.0.0.

So on the remote end, if I wanted to contact the local end, I would ping 10.255.140.4, the NATted IP, and not the original IP of 192.168.30.20, right?

If the above is true and if the remote end tries to ping 10.255.140.4 but cannot, then the issue is on their end, not mine, correct?

brettmilborrow Mon, 03/10/2008 - 08:41

Your assumption is correct in terms of the NAT, but not necessarily for the ping failure. You should check that there is an IPSEC SA for 10.255.140.X to their remote network. (Look under 'Administration -> Administer Sessions' to see if an SA exists and how many packets have been encrypted and decrypted for the SA.)


This should help point out where the issue may be.

wgranada1 Mon, 03/10/2008 - 08:53

Thanks for the info, but I looked under Administration -> Administer Sessions and I don't see any SAs that you are talking about.

I have a 3000 Concentrator, and when I go to that section all I see is Sessions Summary, NAC Sessions Summary, LAN-to-LAN Sessions and Remote Access. I've looked at all of them and don't see any SAs. Am I looking in the right place?

Correct Answer
brettmilborrow Mon, 03/10/2008 - 09:00

You are looking in the right place. Remember the tunnel must be up for this to show up. Try to connect to the remote network, then look under LAN-to-LAN Sessions; you should see the connection name specified in the configuration section for the tunnel to the remote site.

The connection name should be a link. If you click on the link you should see information about the tunnel; this is where you need to look for the specific SA for the networks.
