I have a network with the following config. Site A and site B connected via VPN tunnels thru pix. Access-list says don't nat site A to site B and permit site A to site B thru the vpn tunnel. (and vice versa) Off site A there is a stub network (site C, on another router) that site A accesses freely. Site B used to access site C via site A with a NAT'd address on the other router. (that was when site A connected to site B via frame relay)
Now that the VPN tunnel is there, I'm having problems getting site B to connect to site C. My debug shows no NAT translations when a system at site B tries to go to site C. The "sh crypto" cmd on the pixes shows one-way encapsulation on the VPN tunnels (site B to site C only).
I presume you are using IPSec tunnels between A and B. If you want the packets to travel through the VPN tunnel, then the crypto access-list has to match packets that you want to travel through the tunnel. If you are doing NAT, then verify whether the crypto access-list matches the addresses after translation. There is a particular order of operation when you have NAT and IPSec together, and packets travel between the inside and outside network. For inside to outside, NAT is done first and IPSec next. Also, make sure you have mirror image access-lists for the crypto access-lists. Otherwise, the tunnel may not work. The documents in the following links talk about configuring IPSec and NAT together, which may be helpful:
Does your access list for the tunnel traffic allow this site B to site C traffic? If not, the PIX will not let it through the tunnel, even though it is traveling through site A. A copy of the access list and VPN entries may help more. Just take out any public IPs.
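The mirror-image check on crypto access-lists that the replies above ask for, as an added example that is not part of the original thread: it parses PIX-style `access-list ... permit ip` lines from both peers and lists entries that have no swapped counterpart on the other side. The ACL name `vpn`, the 10.x site addresses and both config snippets are constructed for illustration, not the poster's configuration.

```python
import ipaddress

# Constructed sample configs (RFC 1918 addresses, hypothetical ACL name "vpn").
# Assumed layout: site A = 10.1.0.0/16, site B = 10.2.0.0/16, site C = 10.3.0.0/16.
SITE_B_PIX = """
access-list vpn permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list vpn permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
"""
SITE_A_PIX = """
access-list vpn permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
"""

def _take_net(tokens):
    """Consume one address spec (any | host IP | IP MASK) from a token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_crypto_acl(config, acl_name):
    """Return the set of (source, destination) networks the ACL permits."""
    entries = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue  # not a "permit ip" entry of this ACL
        src, rest = _take_net(tokens[4:])
        dst, _ = _take_net(rest)
        entries.add((src, dst))
    return entries

def missing_mirrors(local_cfg, remote_cfg, acl_name="vpn"):
    """List local entries whose swapped (dst, src) form the peer lacks.

    Compare the addresses as they look when IPSec sees them: for inside to
    outside traffic that is after NAT, so use post-translation networks.
    """
    local = parse_crypto_acl(local_cfg, acl_name)
    remote = parse_crypto_acl(remote_cfg, acl_name)
    return [f"{s} -> {d}" for s, d in sorted(local) if (d, s) not in remote]

if __name__ == "__main__":
    for gap in missing_mirrors(SITE_B_PIX, SITE_A_PIX):
        print("site A has no mirror entry for", gap)
```

Run it in both directions; a gap on either side means one peer encrypts traffic that the other never selects for the return path.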