Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Issue with Site-to-Site Policy Source NAT

Dear All,

Iam facing issue with source base nat in Site-toSite VPN configuration.


We want to access the remote site server 10.67.1.5 from my end server 192.168.210.224 , my server 192.168.210.224 need to nat with 10.66.102.178 to go outside remote site. we have done the below configuration and VPN pahse1 and phase 2 is establishing fine ,but we are not able to access the remote server 10.67.1.5. Phase 2 is establishing and only packets are encapsulating not decapsulating. Remote site is having VPN terminating on router and phase 1 and phase 2 is establishing.

There is no nat exemption configured .Appreciate urgent help to identify the issue...

we already have lot f site to site tunnels up and running..but no tunnels with policy NAT

config
--------
access-list acl-NI line 1 extended permit ip host 192.168.210.224 host 10.67.1.5 (hitcnt=0) 
access-list acl-NI line 2 extended permit ip host 10.66.102.178 host 10.67.1.5 (hitcnt=2)

nat (inside) 2 192.168.210.224 255.255.255.255
global (outside) 2 10.66.102.178

crypto ipsec transform-set NI esp-3des esp-sha-hmac

crypto map ENOCMAP 22 match address acl-NI
crypto map ENOCMAP 22 set peer x.x.x.x
crypto map ENOCMAP 22 set transform-set NI
crypto map ENOCMAP 22 set security-association lifetime seconds 3600
crypto map ENOCMAP 22 set reverse-route
crypto map ENOCMAP interface outside

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****


======================================================================

12  IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ENOCDC-FW03# sh crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
    Crypto map tag: ENOCMAP, seq num: 22, local addr: x.x.x.x

      access-list acl-NI extended permit ip host 10.66.102.178 host 10.67.1.5
      local ident (addr/mask/prot/port): (10.66.102.178/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.67.1.5/255.255.255.255/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 89BAF49F
      current inbound spi : DB36C4B6

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions

Issue with Site-to-Site Policy Source NAT

Hi,

Please try this policy nat statement below:

access-list policynat extended permit ip host 192.168.210.224 10.67.1.5

static (inside,outside) 10.66.102.178 access-list policynat

Here is some reference material regarding policy nat - http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
2 REPLIES

Issue with Site-to-Site Policy Source NAT

Hi,

Please try this policy nat statement below:

access-list policynat extended permit ip host 192.168.210.224 10.67.1.5

static (inside,outside) 10.66.102.178 access-list policynat

Here is some reference material regarding policy nat - http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html#wp1088419

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

Re: Issue with Site-to-Site Policy Source NAT

Thanks tariq,i used this policy nat. Issue was with remote side firewall config

Thanks for your support

Sent from Cisco Technical Support iPhone App

331
Views
0
Helpful
2
Replies