ASA Site-to-site VPN Nat on one side breaks tunnel

I configured an ASA site-to-site VPN, and it passed the packet tracer. I then added NAT on one side for the server on the ASA, and it breaks the tunnel in packet tracer, as you can see in the screencap. I don't understand why it's failing with NAT.

6 REPLIES

Re: ASA Site-to-site VPN Nat on one side breaks tunnel

Hi,

Are you bypassing NAT for the VPN traffic?

If so, then adding a static NAT for a server should not interfere.

But if you don't have NAT bypass, then adding a static route will break the VPN communication with that server.

Federico.

New Member

Re: ASA Site-to-site VPN Nat on one side breaks tunnel

If by bypassing you mean NAT exemption, I have removed the NAT exemption I had originally, because now that they want to NAT the server I added a NAT statement. Do I need both? Even if I put back the NAT exemption it doesn't help.

So I have a static NAT from 192.168.1.25 to 192.168.249.25. I had the exemption from 192.168.1.25 to 10.1.1.1. The VPN has protected networks of 192.168.249.25 and 192.168.1.25 going to 10.1.1.1.

Putting back the exemption didn't change the output of packet tracer.

Re: ASA Site-to-site VPN Nat on one side breaks tunnel

If you're NATing the server through the tunnel then you don't need NAT exemption.

Now,

Originally when you had NAT exemption, the interesting traffic flowed between private IPs on both LANs.

After removing NAT exemption, are you specifying the interesting traffic to the translated IP (instead of the real IP)?

Federico.
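The two consistent ways to build what the thread describes, written out as an added example (this is not configuration posted by either participant). It assumes ASA 8.3+ NAT syntax, interface names `inside` and `outside`, object and ACL names of my choosing, and a placeholder peer address; the host addresses are the ones given above. The point Federico makes is that the ASA applies NAT before it checks the crypto ACL, so the crypto ACL must match the source address as it looks after NAT: the real IP when an exemption (identity NAT) is in place, the translated IP when the server is statically NATed toward the peer.

```cisco
! ---------- Option A: NAT exemption, tunnel carries real addresses ----------
object network SERVER-REAL
 host 192.168.1.25
object network REMOTE-HOST
 host 10.1.1.1
! Manual (twice) NAT, section 1: identity rule keeps 192.168.1.25 unchanged
! for traffic to 10.1.1.1, so the crypto ACL matches on the real address.
nat (inside,outside) source static SERVER-REAL SERVER-REAL destination static REMOTE-HOST REMOTE-HOST no-proxy-arp route-lookup
access-list VPN-TO-REMOTE extended permit ip host 192.168.1.25 host 10.1.1.1

! ---------- Option B: server NATed through the tunnel ----------
! Remove the section-1 identity rule from Option A first: section 1 is
! evaluated before object NAT, so if both exist the exemption wins, the
! packet reaches the crypto check untranslated, and an ACL written for
! 192.168.249.25 never matches.
object network SERVER-REAL
 host 192.168.1.25
 nat (inside,outside) static 192.168.249.25
access-list VPN-TO-REMOTE extended permit ip host 192.168.249.25 host 10.1.1.1

! Crypto map is the same in both options (peer address is a placeholder)
crypto map OUTSIDE-MAP 10 match address VPN-TO-REMOTE
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map interface outside

! Verification: NAT is listed in evaluation order, and packet-tracer shows
! the NAT phase before the VPN phase so you can see which source address
! the crypto ACL is being compared against.
show nat
packet-tracer input inside tcp 192.168.1.25 1025 10.1.1.1 80
```

In Option B the remote side must mirror the change: its crypto ACL (and any policy referencing the server) has to use 192.168.249.25, since 192.168.1.25 never appears on the wire. Listing both 192.168.249.25 and 192.168.1.25 as protected networks on one side does not cover for a mismatch on the other, because the peer only accepts a proposal whose selectors match its own ACL.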

New Member

Re: ASA Site-to-site VPN Nat on one side breaks tunnel

I tried all combinations, I think: initially I left the original IP, then I added the NAT IP, then I removed the original IP. I think I'm going to take the tunnel out, clean up the exemptions, build the plain tunnel again, get that to pass the packet tracer, and then add the NAT, just to make sure I haven't missed something.
