08-02-2012 04:56 AM
Dear All,
I am facing an issue with source-based NAT in a site-to-site VPN configuration.
We want to access the remote site server 10.67.1.5 from my end server 192.168.210.224; my server 192.168.210.224 needs to be NATed to 10.66.102.178 to go out to the remote site. We have done the configuration below, and VPN phase 1 and phase 2 establish fine, but we are not able to access the remote server 10.67.1.5. Phase 2 establishes, and packets are only being encapsulated, not decapsulated. The remote site has the VPN terminating on a router, and phase 1 and phase 2 establish.
There is no NAT exemption configured. Appreciate urgent help to identify the issue...
We already have a lot of site-to-site tunnels up and running, but no tunnels with policy NAT.
config
--------
access-list acl-NI line 1 extended permit ip host 192.168.210.224 host 10.67.1.5 (hitcnt=0)
access-list acl-NI line 2 extended permit ip host 10.66.102.178 host 10.67.1.5 (hitcnt=2)
nat (inside) 2 192.168.210.224 255.255.255.255
global (outside) 2 10.66.102.178
crypto ipsec transform-set NI esp-3des esp-sha-hmac
crypto map ENOCMAP 22 match address acl-NI
crypto map ENOCMAP 22 set peer x.x.x.x
crypto map ENOCMAP 22 set transform-set NI
crypto map ENOCMAP 22 set security-association lifetime seconds 3600
crypto map ENOCMAP 22 set reverse-route
crypto map ENOCMAP interface outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
======================================================================
12 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ENOCDC-FW03# sh crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
Crypto map tag: ENOCMAP, seq num: 22, local addr: x.x.x.x
access-list acl-NI extended permit ip host 10.66.102.178 host 10.67.1.5
local ident (addr/mask/prot/port): (10.66.102.178/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.67.1.5/255.255.255.255/0/0)
current_peer: x.x.x.x
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 89BAF49F
current inbound spi : DB36C4B6
08-02-2012 09:06 AM
Hi,
Please try the policy NAT statements below:
access-list policynat extended permit ip host 192.168.210.224 host 10.67.1.5
static (inside,outside) 10.66.102.178 access-list policynat
Here is some reference material regarding policy nat - http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419
Thanks,
Tarik Admani
*Please rate helpful posts*
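The reason the first acl-NI line shows hitcnt=0 while the second shows hitcnt=2 is the ASA's order of operations: an outbound packet is translated first and only then compared against the crypto map's match ACL, so the crypto ACL has to name the mapped address 10.66.102.178, not the real host. The policy NAT in the answer keeps that translation but limits it to traffic for 10.67.1.5. The script below is an added illustration (not ASA code and not from the thread's author) that models those two steps with the addresses from the posted config; the flows, ACL tuples and helper names are constructed here for the example.

```python
"""Model how a pre-8.3 Cisco ASA orders NAT and crypto-map matching for
outbound traffic, using the addresses posted in the thread.

Added example: the functions, ACL tuples and flows below are constructed
to illustrate the behaviour; they are not ASA code.
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

Ace = Tuple[str, str]   # (source prefix, destination prefix); "host" == /32
Flow = Tuple[str, str]  # (source host, destination host)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    """True if the flow's source and destination fall inside the ACE prefixes."""
    src_net, dst_net = (ipaddress.ip_network(p) for p in ace)
    src, dst = (ipaddress.ip_address(h) for h in flow)
    return src in src_net and dst in dst_net


def acl_match(acl: List[Ace], flow: Flow) -> Optional[int]:
    """Index of the first ACE permitting the flow, or None (first match wins)."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, flow):
            return i
    return None


def dynamic_nat(real: str, mapped: str) -> Callable[[Flow], Flow]:
    """nat (inside) N <real> 255.255.255.255 + global (outside) N <mapped>:
    every outbound flow from the real host is translated, whatever the destination."""
    def translate(flow: Flow) -> Flow:
        return (mapped, flow[1]) if flow[0] == real else flow
    return translate


def policy_static_nat(mapped: str, policy_acl: List[Ace]) -> Callable[[Flow], Flow]:
    """static (inside,outside) <mapped> access-list <policy_acl>:
    translated only when the policy ACL matches both source and destination."""
    def translate(flow: Flow) -> Flow:
        return (mapped, flow[1]) if acl_match(policy_acl, flow) is not None else flow
    return translate


def outbound(flow: Flow, nat: Callable[[Flow], Flow], crypto_acl: List[Ace]):
    """ASA order of operations for a packet leaving 'outside': NAT, then crypto ACL.
    Returns the translated flow and the index of the crypto ACE it hits (or None)."""
    translated = nat(flow)
    return translated, acl_match(crypto_acl, translated)


def mirrors(local_acl: List[Ace], remote_acl: List[Ace]) -> bool:
    """Phase 2 proxy identities must mirror: remote (src, dst) == local (dst, src)."""
    return {(d, s) for s, d in local_acl} == set(remote_acl)


# Constructed from the original post: acl-NI as written, plus the nat/global pair.
CRYPTO_ACL = [("192.168.210.224/32", "10.67.1.5/32"),  # line 1 in the post, hitcnt=0
              ("10.66.102.178/32", "10.67.1.5/32")]    # line 2 in the post, hitcnt=2
NAT_ORIGINAL = dynamic_nat("192.168.210.224", "10.66.102.178")

# Constructed from the accepted answer: policy NAT scoped to the one destination.
POLICY_ACL = [("192.168.210.224/32", "10.67.1.5/32")]
NAT_POLICY = policy_static_nat("10.66.102.178", POLICY_ACL)

if __name__ == "__main__":
    to_server = ("192.168.210.224", "10.67.1.5")
    elsewhere = ("192.168.210.224", "203.0.113.9")  # constructed non-VPN destination
    print("dynamic NAT, VPN flow :", outbound(to_server, NAT_ORIGINAL, CRYPTO_ACL))
    print("policy NAT, VPN flow  :", outbound(to_server, NAT_POLICY, CRYPTO_ACL))
    print("dynamic NAT, other dst:", NAT_ORIGINAL(elsewhere))
    print("policy NAT, other dst :", NAT_POLICY(elsewhere))
    print("remote mirrors mapped :", mirrors([CRYPTO_ACL[1]],
                                              [("10.67.1.5/32", "10.66.102.178/32")]))
```

Running it shows that with either NAT form the VPN flow leaves as 10.66.102.178 and hits only the second crypto ACE, which is why line 1 can never accumulate hits; the difference is that the nat/global pair rewrites every flow from the host, while the policy static translates only traffic for 10.67.1.5. The `mirrors` check captures the other half of the picture: the remote peer's proxy identity must be 10.67.1.5 to 10.66.102.178, and a peer configured for the real address would never send matching return traffic, which fits the encaps-only counters in the post. A static translation is also bidirectional on the ASA, so the remote side can initiate connections to 10.66.102.178, which a dynamic nat/global pair does not allow.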
08-08-2012 03:27 AM
Thanks Tarik, I used this policy NAT. The issue was with the remote-side firewall config.
Thanks for your support.
Sent from Cisco Technical Support iPhone App