NAT VPN no traffic, 106014 deny inbound

Unanswered Question
May 20th, 2008

I'm not sure if this should go in the Security section or here, but perhaps someone can help with this configuration?

Trying to NAT the internal IP to another subnet so the destination end doesn't clash. The tunnel comes up fine, but traffic does not pass over it. If I send a ping to the destination, it gives "106014 deny inbound icmp src inside:192.168.7.20 dst outside:192.168.27.40 (type 8, code 0)". I know there's something fundamentally wrong, but can't spot it.

Local site 192.168.7.0, local NAT to 192.168.17.0, remote site 192.168.27.0.

TIA!

access-list outside_access_in extended permit ip 192.168.27.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list SiteName_access extended permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list SiteName_NAT extended permit ip 192.168.7.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list SiteName_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.27.0 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) 192.168.17.0 access-list SiteName_NAT
access-group outside_access_in in interface outside
route outside a.b.c.d 255.255.255.255 outside_router 1
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 3 match address SiteName_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer a.b.c.d
crypto map outside_map 3 set transform-set ESP-AES-256-MD5
crypto map outside_map 3 set security-association lifetime seconds 3600
crypto map outside_map 3 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
!
group-policy SiteName internal
group-policy SiteName attributes
 vpn-filter value SiteName_access
 vpn-tunnel-protocol IPSec
!
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d general-attributes
 default-group-policy SiteName
tunnel-group a.b.c.d ipsec-attributes
 pre-shared-key Mykey
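
Added example (not part of the original post or of any reply): a Python triage helper that parses the four posted ACL lines and the 106014 message, then reports which ACL each form of the flow matches. The helper names and the host-for-host mapping of 192.168.7.0/24 onto 192.168.17.0/24 are assumptions, and it does not model the ASA's NAT ordering or the inside_nat0_outbound ACL, which the post does not show.

```python
import ipaddress
import re
# Inputs copied from the post above: its four ACL lines and the logged deny.
ACLS = """\
access-list outside_access_in extended permit ip 192.168.27.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list SiteName_access extended permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list SiteName_NAT extended permit ip 192.168.7.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list SiteName_cryptomap extended permit ip 192.168.17.0 255.255.255.0 192.168.27.0 255.255.255.0
"""
LOG = "106014 deny inbound icmp src inside:192.168.7.20 dst outside:192.168.27.40 (type 8, code 0)"
# Assumption: the static maps the real /24 onto the mapped /24 host-for-host.
REAL_NET, MAPPED_NET = ipaddress.ip_network("192.168.7.0/24"), ipaddress.ip_network("192.168.17.0/24")

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")
LOG_RE = re.compile(r"106014 deny inbound icmp src ([^:\s]+):(\S+) dst ([^:\s]+):(\S+)", re.I)

def parse_aces(text):
    """Return (acl, action, src_net, dst_net) for each 'ip <net> <mask> <net> <mask>' ACE."""
    return [(n, a, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for n, a, s, sm, d, dm in ACE_RE.findall(text)]

def parse_106014(line):
    """Extract the interfaces and addresses from a 106014 message."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a 106014 message")
    return {"src_if": m[1], "src": ipaddress.ip_address(m[2]), "dst_if": m[3], "dst": ipaddress.ip_address(m[4])}

def first_match(aces, src, dst):
    """ACL name -> action of its first ACE matching src/dst, or None (implicit deny)."""
    hits = {}
    for name, action, src_net, dst_net in aces:
        if hits.setdefault(name) is None and src in src_net and dst in dst_net:
            hits[name] = action
    return hits

def map_host(addr, real_net=REAL_NET, mapped_net=MAPPED_NET):
    """Keep the host bits of addr and move it from real_net into mapped_net."""
    return mapped_net.network_address + (int(addr) - int(real_net.network_address))

def triage(acl_text=ACLS, log_line=LOG):
    """Evaluate the logged flow, its translated form, and both reply directions."""
    aces, flow = parse_aces(acl_text), parse_106014(log_line)
    src, dst, nat = flow["src"], flow["dst"], map_host(flow["src"])
    cases = {"as logged": (src, dst), "source translated": (nat, dst),
             "reply to mapped": (dst, nat), "reply to real": (dst, src)}
    return {label: first_match(aces, s, d) for label, (s, d) in cases.items()}

if __name__ == "__main__":
    print(*(f"{label:18} {hits}" for label, hits in triage().items()), sep="\n")
```

Run against the posted lines, it shows that outside_access_in and SiteName_cryptomap are written against the mapped 192.168.17.0/24 addresses, while the vpn-filter ACL SiteName_access is written against the real 192.168.7.0/24 addresses.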

gluker7388 Wed, 11/04/2009 - 19:07

Did you ever get an answer for this error? I am having the exact same problem. I have tried everything and nothing works.
