01-29-2003 10:14 AM - edited 03-02-2019 04:39 AM
I have a network with the following config. Site A and site B connected via VPN tunnels through pix. Access-list says don't nat site A to site B and permit site A to site B through the vpn tunnel. (and vice versa) Off site A there is a stub network (site C, on another router) that site A accesses freely. Site B used to access site C via site A with a NAT'd address on the other router. (that was when site A connected to site B via frame relay)
Now that the VPN tunnel is there, I'm having problems getting site B to connect to site C. My debug shows no NAT translations when a system at site B tries to go to site C. The "sh crypto" cmd on the pixes shows one way encapsulation on the VPN tunnels (site B to site C only).
02-04-2003 12:55 PM
I presume you are using IPSec tunnels between A and B. If you want the packets to travel through the VPN tunnel, then the crypto access-list has to match packets that you want to travel through the tunnel. If you are doing NAT, then verify whether the crypto access-list matches the addresses after translation. There is a particular order of operation when you have NAT and IPSec together, and packets travel between the inside and outside network. For inside to outside, NAT is done first and IPSec next. Also, make sure you have mirror image access-lists for the crypto access-lists. Otherwise, the tunnel may not work. The documents in the following links talk about configuring IPSec and NAT together, which may be helpful:
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:IPSec&viewall=true
02-04-2003 01:00 PM
Does your access list for the tunnel traffic allow this site B to site C traffic? If not, the PIX will not let it through the tunnel, even though it is traveling through site A. A copy of the access list and VPN entries may help more. Just take out any public IPs.
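The two checks suggested in the replies above (mirror-image crypto access-lists, and an entry covering site B to site C) can be automated; the following is an added example, not part of the original posts. The ACL number 101 and the 10.x addressing are constructed placeholders, and entries are compared exactly as written, so NAT'd traffic must be listed with its post-translation addresses.

```python
import ipaddress
import re

# Matches PIX-style entries: access-list <id> permit ip <src> <mask> <dst> <mask>
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_crypto_acl(config, acl_id):
    """Return the set of (src_net, dst_net) pairs permitted by one ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_id:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.add((src, dst))
    return pairs

def mirror_gaps(local, remote):
    """Entries on one peer with no reversed (dst, src) entry on the other."""
    missing_on_remote = {(s, d) for (s, d) in local if (d, s) not in remote}
    missing_on_local = {(s, d) for (s, d) in remote if (d, s) not in local}
    return missing_on_remote, missing_on_local

# Constructed sample configs: site A = 10.1.0.0/16, B = 10.2.0.0/16, C = 10.3.0.0/16
SITE_A = """
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
"""
SITE_B = """
access-list 101 permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
"""

def report(a_cfg=SITE_A, b_cfg=SITE_B, acl_id="101"):
    """List every entry whose reversed counterpart is absent on the peer."""
    a, b = parse_crypto_acl(a_cfg, acl_id), parse_crypto_acl(b_cfg, acl_id)
    need_on_b, need_on_a = mirror_gaps(a, b)
    out = [f"site B lacks mirror of: {s} -> {d}" for s, d in sorted(need_on_b)]
    out += [f"site A lacks mirror of: {s} -> {d}" for s, d in sorted(need_on_a)]
    return out

if __name__ == "__main__":
    print("\n".join(report()) or "crypto ACLs are mirror images")
```

In the constructed sample, site B matches B-to-C traffic but site A has no reversed C-to-B entry, so the check flags the asymmetry on site A.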