I am trying to establish a LAN-to-LAN VPN using two VPN concentrators with public IPs assigned.
Local range 192.168.1.0/24
Remote range 10.0.0.0/8
I have configured IKE and IPsec parameters, and the tunnel gets established. I also defined a filter rule to define the traffic to be encrypted on the tunnel. Routing is also proper.
But the user traffic isn't going on the tunnel; I am not able to ping end devices.
Is NATing compulsory in this case?
Also, SA defined for filter rule is in transport mode. I tried both tunnel and transport mode.
One thing I observed is that the concentrator is forwarding user traffic to the next hop/internet router, but the IP header is the same: it's with the original IPs (private IPs, 192.xxx). The packet I am receiving on the local internet router from the local concentrator is with its original/private IP. Because of this, the router is not able to route; rather, user traffic is not able to get on the internet.
I guess in tunnel, all traffic should be carried under public IP of concentrator.
Is the site-to-site tunnel coming up? I guess this should be a problem with the VPN connection. If the crypto ACLs are defined properly, the packets will never pass through the VPN concentrator. NAT is not required here, as the end networks are separate and not overlapping!!!!
Just look for the Event log to determine the problem. Select Monitoring -> Live Event log and see the error message !!!
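As an added illustration (not from this thread, and not any concentrator's configuration), the following Python models the three decisions the reply above turns on: whether the two LANs overlap (only then is NAT needed), whether a packet matches the crypto ACL / traffic selector and so is encrypted rather than forwarded in the clear, and what outer IP header the next-hop router sees for a transport-mode versus a tunnel-mode SA. The two LAN prefixes are the ones from the question; the concentrator public addresses are assumed placeholder values from the documentation ranges.

```python
"""Site-to-site IPsec sanity checks.

Added illustration, not the thread's or any vendor's code. All addresses
are constructed sample values: the two LANs from the question plus two
hypothetical public addresses for the concentrators.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values.
LOCAL_LAN = ip_network("192.168.1.0/24")
REMOTE_LAN = ip_network("10.0.0.0/8")
LOCAL_GATEWAY = ip_address("198.51.100.1")   # hypothetical public IP (TEST-NET-2)
REMOTE_GATEWAY = ip_address("203.0.113.1")   # hypothetical public IP (TEST-NET-3)


def needs_nat(local, remote) -> bool:
    """NAT across the tunnel is only required when the two LANs overlap."""
    return local.overlaps(remote)


@dataclass(frozen=True)
class Selector:
    """One crypto ACL entry / traffic selector: protect src -> dst."""
    src: object   # ipaddress network
    dst: object   # ipaddress network


# The local concentrator's filter rule: encrypt LAN-to-LAN traffic only.
SELECTORS = (Selector(LOCAL_LAN, REMOTE_LAN),)


def classify(src: str, dst: str, selectors=SELECTORS) -> str:
    """Return 'encrypt' if the flow matches a selector, else 'clear'.

    A flow that does not match any selector never enters the tunnel and is
    forwarded to the next hop with its original header, untouched.
    """
    s, d = ip_address(src), ip_address(dst)
    for sel in selectors:
        if s in sel.src and d in sel.dst:
            return "encrypt"
    return "clear"


def outer_header(src: str, dst: str, mode: str):
    """Return (outer_src, outer_dst) as seen by the next-hop router.

    Transport mode keeps the original IP header and protects only the
    payload, so the router still sees the private addresses. Tunnel mode
    wraps the whole original packet in a new header carrying the gateway
    public addresses, which is what a gateway-to-gateway VPN needs.
    """
    if mode == "transport":
        return (ip_address(src), ip_address(dst))
    if mode == "tunnel":
        return (LOCAL_GATEWAY, REMOTE_GATEWAY)
    raise ValueError(f"unknown SA mode: {mode!r}")


def router_can_forward(src: str, dst: str, mode: str) -> bool:
    """Can an internet router forward the packet it receives from the concentrator?

    It cannot if the outer destination is still inside a private LAN range.
    """
    _, outer_dst = outer_header(src, dst, mode)
    return not (outer_dst in LOCAL_LAN or outer_dst in REMOTE_LAN)


if __name__ == "__main__":
    print("NAT needed:", needs_nat(LOCAL_LAN, REMOTE_LAN))
    print("192.168.1.10 -> 10.0.0.5:", classify("192.168.1.10", "10.0.0.5"))
    print("192.168.1.10 -> 8.8.8.8:", classify("192.168.1.10", "8.8.8.8"))
    for mode in ("transport", "tunnel"):
        print(mode, outer_header("192.168.1.10", "10.0.0.5", mode),
              "routable:", router_can_forward("192.168.1.10", "10.0.0.5", mode))
```

The `router_can_forward` check reproduces the symptom in the question: with a transport-mode SA the next-hop router receives a packet whose destination is still 10.x and cannot route it, while a tunnel-mode SA presents the concentrator's public address instead. Overlap checking and selector matching are the two things to confirm before touching NAT at all.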