cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1164
Views
0
Helpful
6
Replies

ASA Site-to-site VPN Nat on one side breaks tunnel

kredwin74
Level 1
Level 1

I configured a ASA Site-to-site VPN, and it passed the packet tracer. I then added Nat on one side for the server on the ASA, and it breaks the tunnel in packet tracer. As you can see in the screencap. I don't understand why it's failing with NAT.

6 Replies 6

Hi,

Are you bypassing NAT for the VPN traffic?

If so, then adding a static NAT for a server should not interfere.

But if you don't have NAT bypass, then adding a static route will break the VPN communication with that server.

Federico.

If by bypassing you mean NAT exemption, I have removed the NAT exemption I had originally. Because now that they want to NAT the server I added a NAT statement. Do I need both? Even if I put back the NAT exemption it doesn't help.

So I have a static NAT from 192.168.1.25 to 192.168.249.25. I had the exemption from 192.168.1.25 to 10.1.1.1. The vpn has protected networks of 192.168.249.25, 192.168.1.25 going to 10.1.1.1.

Putting back the exemption didn't change the output of packet tracer.

If you're NATing the server through the tunnel then you don't need NAT exemption.

Now,

Originally when you had NAT exemption, the interesting traffic flowed between private IPs on both LANs.

After removing NAT exemption, are you specifying the interesting traffic to the translated IP (instead than the real IP)?

Federico.

I tried all combinations I think, initially I left the original IP, then I added the NAT IP, then I removed the original IP, so I tried all combinations. I think I'm going to take the tunnel out, clean up the exemptions, build the plain tunnel again, and get that to pass the packet tracer, and then add the NAT, just to make sure I haven't missed something.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: