ASA Site-to-site VPN: NAT on one side breaks tunnel

May 25th, 2010
I configured an ASA site-to-site VPN, and it passed the packet tracer. I then added NAT on one side for the server on the ASA, and it breaks the tunnel in packet tracer, as you can see in the screencap. I don't understand why it's failing with NAT.

Federico Coto F... Tue, 05/25/2010 - 12:45

Hi,


Are you bypassing NAT for the VPN traffic?

If so, then adding a static NAT for a server should not interfere.


But if you don't have NAT bypass, then adding a static route will break the VPN communication with that server.


Federico.

kredwin74 Tue, 05/25/2010 - 13:11
If by bypassing you mean NAT exemption, I have removed the NAT exemption I had originally, because now that they want to NAT the server I added a NAT statement. Do I need both? Even if I put back the NAT exemption it doesn't help.


So I have a static NAT from 192.168.1.25 to 192.168.249.25. I had the exemption from 192.168.1.25 to 10.1.1.1. The VPN has protected networks of 192.168.249.25 and 192.168.1.25 going to 10.1.1.1.


Putting back the exemption didn't change the output of packet tracer.

Federico Coto F... Tue, 05/25/2010 - 13:15

If you're NATing the server through the tunnel then you don't need NAT exemption.

Now,

Originally when you had NAT exemption, the interesting traffic flowed between private IPs on both LANs.

After removing NAT exemption, are you specifying the interesting traffic to the translated IP (instead of the real IP)?


Federico.

kredwin74 Tue, 05/25/2010 - 13:46
I tried all combinations, I think: initially I left the original IP, then I added the NAT IP, then I removed the original IP. I think I'm going to take the tunnel out, clean up the exemptions, build the plain tunnel again, get that to pass the packet tracer, and then add the NAT, just to make sure I haven't missed something.
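As an added example (not from the original thread), here are the two pre-8.3 ASA configurations the replies above contrast: NAT exemption with the crypto ACL written for the real address, versus static NAT with the crypto ACL written for the translated address. Interface names, ACL names and the crypto map name are assumed; the addresses are the ones from the thread.

```cisco
! --- Variant A: NAT exemption, tunnel carries the real (private) address ---
! Assumed names: interfaces inside/outside, ACLs NONAT and VPN_TRAFFIC, crypto map OUTSIDE_MAP
access-list NONAT extended permit ip host 192.168.1.25 host 10.1.1.1
nat (inside) 0 access-list NONAT
! Crypto ACL is matched against the packet as it leaves the outside interface, i.e. after NAT.
! With exemption the address is unchanged, so interesting traffic is the real IP.
access-list VPN_TRAFFIC extended permit ip host 192.168.1.25 host 10.1.1.1
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC

! --- Variant B: static NAT through the tunnel, no exemption ---
! Remove the exemption first: on 8.2 "nat 0 access-list" is evaluated before "static", so leaving
! it in place keeps the packet at 192.168.1.25 and it never matches a crypto ACL written for .249.25.
no nat (inside) 0 access-list NONAT
static (inside,outside) 192.168.249.25 192.168.1.25 netmask 255.255.255.255
! Interesting traffic must now name the translated IP, not the real one.
no access-list VPN_TRAFFIC extended permit ip host 192.168.1.25 host 10.1.1.1
access-list VPN_TRAFFIC extended permit ip host 192.168.249.25 host 10.1.1.1
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
! The peer's crypto ACL must mirror this: permit ip host 10.1.1.1 host 192.168.249.25

! Check either variant. The source is always the real IP (NAT is applied during the trace);
! the VPN phase should show ENCRYPT / ALLOW, and in variant B the NAT phase shows the static xlate.
packet-tracer input inside tcp 192.168.1.25 1025 10.1.1.1 80 detailed
```

In variant B, keeping both the old real-IP entry and the new translated-IP entry in VPN_TRAFFIC is harmless on this side, but the peer only needs the translated address in its mirror ACL.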
