Cisco Support Community
ISR Site to Site VPN Trouble communicating with NATed hosts

Hello,

I have an IPsec VPN tunnel between my Cisco 891 and a SonicWall.

Communication between sites works, except for any host on the Cisco side that has a NAT entry.

Example:

ip nat inside source static 192.168.200.26 WANIP

sh cry ipsec sa shows packets encapping/decapping, with no errors.

Has anyone encountered this issue before and know of a good solution?

Thanks

4 REPLIES

ISR Site to Site VPN Trouble communicating with NATed hosts

Check which IPs are allowed to communicate over the IPsec tunnel.

Please paste the output of the command

sh crypto ipsec sa


Re: ISR Site to Site VPN Trouble communicating with NATed hosts

Sure (Local LAN is 192.168.200.0, remote LAN is 172.16.4.0. Both /24)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
   current_peer PUBLICIP port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 128267, #pkts encrypt: 128267, #pkts digest: 128267
    #pkts decaps: 193479, #pkts decrypt: 193479, #pkts verify: 193479
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: LOCALWANIP, remote crypto endpt.: PUBLICIP
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x4942D21A(1229115930)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3978ABB0(964209584)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 52, flow_id: Onboard VPN:52, sibling_flags 80000040, crypto map: IPSEC-MAP
        sa timing: remaining key lifetime (k/sec): (4202221/13656)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4942D21A(1229115930)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 53, flow_id: Onboard VPN:53, sibling_flags 80000040, crypto map: IPSEC-MAP
        sa timing: remaining key lifetime (k/sec): (4204685/13656)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Relevant ACLs:

Extended IP access list NAT_ACL
    40 deny ip 192.168.200.0 0.0.0.255 172.16.4.0 0.0.0.255 (128911 matches)
    100 permit ip 192.168.200.0 0.0.0.255 any (144311 matches)

Extended IP access list VPN-ACL
    40 permit ip 192.168.200.0 0.0.0.255 172.16.4.0 0.0.0.255 (128784 matches)

Re: ISR Site to Site VPN Trouble communicating with NATed hosts

The result looks good.

You are trying to reach the IP 192.168.200.16, which falls under 192.168.200.0/24.

Now tell us what problem you are facing?


Re: ISR Site to Site VPN Trouble communicating with NATed hosts

The tunnel is up and functional; I can hit 192.168.200.1 from the 172.16.4.0 subnet.

However, if I try to ping/access any 192.168.200.X host that has a 1-to-1 NAT, that fails. I assume it has something to do with the one-to-one NAT.
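The symptom described in this thread matches the usual IOS NAT/IPsec interaction: the `deny` line in NAT_ACL only exempts traffic handled by the dynamic NAT rule that references that list (assumed here; the thread shows the ACL but not the `ip nat inside source list` line), while a static 1:1 entry is translated regardless of it. On IOS, inside-to-outside NAT runs before the crypto map is evaluated, so a packet from 192.168.200.26 to 172.16.4.0/24 leaves with source WANIP, no longer matches VPN-ACL, and is never encrypted. The following is an added example, not configuration posted in the thread; it keeps the poster's names (NAT_ACL, VPN-ACL, IPSEC-MAP, the WANIP placeholder) and introduces two placeholder names of its own, NAT-EXEMPT-STATIC and STATIC-NAT-RM. It attaches a route-map to the static entry so the VPN subnet is excluded from translation:

```cisco
! Added example, not from the original thread. NAT-EXEMPT-STATIC and
! STATIC-NAT-RM are placeholder names chosen here; WANIP stands for the
! router's public address exactly as in the poster's static NAT line.
!
! 1. Define which destinations the static entry must NOT translate for.
!    Traffic from the NATed host to the remote VPN LAN is denied (kept
!    untranslated, so it still matches VPN-ACL); everything else is permitted
!    (translated to WANIP as before).
ip access-list extended NAT-EXEMPT-STATIC
 deny   ip host 192.168.200.26 172.16.4.0 0.0.0.255
 permit ip host 192.168.200.26 any
!
! 2. Route-map that references the exemption list.
route-map STATIC-NAT-RM permit 10
 match ip address NAT-EXEMPT-STATIC
!
! 3. Replace the unconditional static entry with one tied to the route-map.
!    If IOS refuses to remove the entry because a translation is in use,
!    clear the dynamic translations first (brief disruption for all NATed flows):
!      clear ip nat translation *
no ip nat inside source static 192.168.200.26 WANIP
ip nat inside source static 192.168.200.26 WANIP route-map STATIC-NAT-RM
!
! 4. Verification: the route-map should show matches once the host talks to
!    172.16.4.0/24, no translation for 192.168.200.26 -> 172.16.4.x should
!    appear in the NAT table, and the IPsec encap counters should rise.
show route-map STATIC-NAT-RM
show ip nat translations | include 192.168.200.26
show crypto ipsec sa | include pkts encaps
```

Repeat steps 1 and 3 (or widen the `deny` line to `192.168.200.0 0.0.0.255`) for every other host that has a 1:1 entry. After the change, confirm that inbound connections from the Internet to WANIP still reach 192.168.200.26, and that the remote side's NAT policy likewise exempts 192.168.200.0/24, since a translation on either end will break the crypto ACL match.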
