ASA VPN NAT question

Tejas Kunte
Level 1

I have an ASA 5520 ver 8.4 with the following config:

WAN: 207.211.25.34

Production: 10.11.12.1 255.255.255.0

Mgmt: 10.11.11.1 255.255.255.0

I need to create a peer-2-peer VPN to a remote site ASP16 from both Prod and Mgmt.

What would my NAT statement look like?

Currently I have the following, but can only ping from Mgmt, not Prod (ASP17 is a network object group that contains the Prod and Mgmt subnets):

nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup

nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

2 Replies

Julio Carvajal
VIP Alumni

Hello Tejas,

The configuration for the NAT is the one required (no NAT on 8.4.2).

You will need to check if you have any ACL on the Prod interface that might be blocking that traffic.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal
VIP Alumni

Hello Tejas,

After reading your configuration I can see that the crypto maps are applied to the outside interface, and the access-list for the interesting traffic has both networks (Management and Production), so you should be able to access the other network from this site.

Can you do the following packet-tracers to see the features the ICMP packet is hitting when the request is sent?

I will need the output of the following commands:

1. packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15

2. packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15

Please rate helpful posts,

Julio!!

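For readers landing on this thread with the same question, here is an added example (not posted by either participant) of what a complete ASA 8.4 identity-NAT exemption for one site-to-site tunnel reached from two inside interfaces looks like, together with the ACL and packet-tracer checks the replies ask for. Only the interface names and addresses (WAN 207.211.25.34, Production 10.11.12.0/24, Mgmt 10.11.11.0/24), the software version and the object names ASP17_VPN and ASP16 come from the thread. The remote subnet 10.30.6.0/24 is an assumption taken from the packet-tracer destination in the second reply, and the peer address 203.0.113.10, the per-interface object names Prod_LAN and Mgmt_LAN, the ACL, crypto map and tunnel-group names, and the placeholder pre-shared key are all invented for the example.

```cisco
! Added example, not configuration from the thread. Assumptions: remote subnet
! 10.30.6.0/24, peer 203.0.113.10 (documentation range), names Prod_LAN,
! Mgmt_LAN, VPN_TO_ASP16, WAN_MAP, TS_AES256 and the placeholder PSK.

object network Prod_LAN
 subnet 10.11.12.0 255.255.255.0
object network Mgmt_LAN
 subnet 10.11.11.0 255.255.255.0
object-group network ASP17_VPN
 network-object object Prod_LAN
 network-object object Mgmt_LAN
object network ASP16
 subnet 10.30.6.0 255.255.255.0

! One identity (twice) NAT rule per ingress interface: source and destination are
! translated to themselves, so inside addresses reach the tunnel untouched.
! A static rule without route-lookup also matches in reverse (WAN to inside) and
! then picks the egress interface from the rule, not the routing table. Putting
! a group that holds both subnets behind a single interface therefore lets the
! Mgmt rule claim return traffic for Production addresses. Per-interface source
! objects plus route-lookup on both rules avoid that; no-proxy-arp stops the ASA
! answering ARP for 10.30.6.0/24 on the inside segments.
nat (Production,WAN) source static Prod_LAN Prod_LAN destination static ASP16 ASP16 no-proxy-arp route-lookup
nat (Mgmt,WAN) source static Mgmt_LAN Mgmt_LAN destination static ASP16 ASP16 no-proxy-arp route-lookup

! Interesting traffic must cover both inside subnets, or packets from the
! missing subnet pass NAT and are then dropped instead of encrypted.
access-list VPN_TO_ASP16 extended permit ip object-group ASP17_VPN object ASP16

! If an inbound ACL is applied to Production (the first reply's point), it must
! permit the tunnel traffic too; the ACL is evaluated before the crypto map.
access-list Production_IN extended permit ip object Prod_LAN object ASP16

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable WAN

crypto ipsec ikev1 transform-set TS_AES256 esp-aes-256 esp-sha-hmac
crypto map WAN_MAP 10 match address VPN_TO_ASP16
crypto map WAN_MAP 10 set peer 203.0.113.10
crypto map WAN_MAP 10 set ikev1 transform-set TS_AES256
crypto map WAN_MAP interface WAN

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-placeholder-psk

! Verification, one trace per inside interface with a host from that interface's
! own subnet. The NAT phase should show the identity rule for that interface
! and the VPN phase should show the crypto map with result ALLOW/ENCRYPT; a
! DROP in the ACCESS-LIST phase points at an interface ACL, a DROP in the VPN
! phase at the interesting-traffic ACL.
! packet-tracer input Production icmp 10.11.12.15 8 0 10.30.6.15 detailed
! packet-tracer input Mgmt icmp 10.11.11.15 8 0 10.30.6.15 detailed
```

The two packet-tracer runs are the same diagnostic the second reply asks for; using a source address inside the ingress interface's own subnet keeps the trace representative of real hosts. `show nat detail` afterwards shows the translate_hits and untranslate_hits counters on each identity rule, which confirms whether the Production rule is being hit in both directions.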