New Member

NAT 0 not working for VPN l2l tunnel

I have two ASA5520s, both running 8.04 code.

I have an l2l tunnel between them.

It seems that I am having a problem with NAT exemption.

For some reason the NAT 0 statement will not work. I receive the "no translation group" error message when trying to pass traffic. However, as soon as I add a static NAT entry, traffic will pass.

Here is the general layout:

     ASA5520 A                                                            ASA5520 B

192.168.1.x inside--------------------l2l tunnel------------------192.168.2.x inside

Here is what I have for config.

ASA5520 A:

<----interesting traffic ACL--------->

access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

<----nat exemption ACL--->

access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list no_nat

global (outside) 1 x.x.x.x netmask 255.255.255.255

ASA5520 B:

<----interesting traffic ACL--------->

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

<----nat exemption ACL--->

access-list no_nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list no_nat

nat (inside) 1 0.0.0.0 0.0.0.0

The only way I can get traffic to flow through the tunnel successfully is if I add a static NAT for the subnets, so on ASA5520 A I have to add:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

and ASA5520B:

static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

At this point traffic will flow even if I remove the no_nat access list.

Anyone have any answers for this?
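For reference, here is a complete 8.0-style configuration for the ASA A side that pairs the NAT exemption with the crypto map and a regular PAT rule for Internet traffic. It is added here as an illustration and is not taken from the poster's running config: the peer address 198.51.100.1, the crypto map and transform-set names, and the pre-shared key are placeholders, and ASA B is the mirror image with the two subnets swapped.

```cisco
! ASA A, 8.0 syntax. 198.51.100.1 is the (placeholder) outside address of ASA B.
!
! Interesting traffic for the L2L tunnel and the NAT exemption list. Both must
! describe the same real (untranslated) addresses, or IPsec will encrypt
! traffic the NAT engine has already rewritten.
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! NAT exemption is evaluated before any other NAT rule: inside -> 192.168.2.0/24
! leaves with its real source. Everything else from 192.168.1.0/24 is PATed to the
! outside interface address for Internet access.
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! IKEv1 (called isakmp in 8.0) and the IPsec proposal.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Crypto map: "match address 100" selects the interesting-traffic ACL above.
crypto map OUTSIDE_MAP 10 match address 100
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! L2L tunnel group keyed by the peer address; replace the key before use.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_PSK
```

To confirm which NAT rule a tunnel-bound packet hits before involving the peer, run "packet-tracer input inside tcp 192.168.1.10 1025 192.168.2.10 445" on ASA A: the NAT phase should cite "nat (inside) 0 access-list no_nat" and the trace should end in the VPN encrypt phase rather than a drop. Once the tunnel is up, "show crypto isakmp sa" and "show crypto ipsec sa peer 198.51.100.1" show the phase 1 state and the per-SA encaps/decaps counters for the 192.168.1.0/24 to 192.168.2.0/24 proxy identities.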

5 REPLIES
Cisco Employee

Re: NAT 0 not working for VPN l2l tunnel

Rod,

Here's a thought (I'm sorry I didn't go over the whole problem properly): previously there were bugs in PIX/ASA under which modifying nat 0 access-lists didn't work. Note that this is 8.0.3 we're talking about.

Can you please try the workaround for this one? Remove nat 0 statements and add them back again.

Marcin

New Member

Re: NAT 0 not working for VPN l2l tunnel

Thanks for the reply. I did try your suggestion and it didn't work.

I did however manage to fix it and I think I know why.

On ASA5520 A there is the following:

global (outside) 1 x.x.x.x netmask x.x.x.x

What I didn't post was the nat statements that are tied to this:

nat (inside) 1 10.70.14.43 255.255.255.255
nat (inside) 1 10.70.15.75 255.255.255.255
nat (inside) 1 10.70.15.77 255.255.255.255
nat (inside) 1 10.70.20.32 255.255.255.255
nat (inside) 1 10.70.20.34 255.255.255.255

I had to add the 192.168.1.x statement:

nat (inside) 1 192.168.1.0 255.255.255.0

After I added that, I was able to work without the static NAT statements, and the NAT exemption ACL worked.

I may be mistaken, but I believe the problem was that without the nat (inside) 1 192.168.1.0 255.255.255.0 the subnet was never being let in on the first interface.
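To make the lookup order behind the "no translation group" symptom concrete, here is an added Python model of the NAT order of operations documented for pre-8.3 ASA code, with the ASA A rules from this thread loaded into it. It is an illustration written for this page, not ASA code and not from the poster; the global address 203.0.113.1 and the Internet destination 198.51.100.5 are placeholders. In the documented order the nat 0 exemption list is consulted first, so an extra nat (inside) 1 line only changes what happens to traffic that is not headed for the tunnel, and nat-control only decides whether unmatched traffic is dropped or forwarded untranslated. The behaviour observed on 8.0(4) above does not fit this model, which is consistent with the upgrade advice given later in the thread.

```python
"""Model of the pre-8.3 ASA NAT lookup order for a packet leaving 'inside'
towards 'outside'. Added illustration, not ASA code.

Order documented in the ASA 8.0 configuration guide:
  1. NAT exemption   nat (inside) 0 access-list <acl>      (no translation)
  2. static NAT      static (inside,outside) <mapped> <real> netmask <mask>
  3. policy NAT      nat (inside) <id> access-list <acl>  + global (outside) <id>
  4. regular NAT/PAT nat (inside) <id> <net> <mask>       + global (outside) <id>
A packet matching nothing is dropped only when nat-control is enabled
(syslog %ASA-3-305005, "No translation group found"); with nat-control off
it is forwarded untranslated.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    """One 'permit ip <src> <dst>' line, in CIDR form."""
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


@dataclass
class NatConfig:
    exempt_acl: list = field(default_factory=list)  # nat (inside) 0 access-list
    statics: list = field(default_factory=list)     # [(real_net, mapped_net)]
    policy: list = field(default_factory=list)      # [(nat_id, [AclEntry, ...])]
    dynamic: list = field(default_factory=list)     # [(nat_id, real_net)]
    globals_: dict = field(default_factory=dict)    # nat_id -> global (outside) address
    nat_control: bool = False


def lookup(cfg: NatConfig, src: str, dst: str):
    """Return (rule_kind, source address as seen on outside) for one packet."""
    s = ipaddress.ip_address(src)
    # 1. NAT exemption wins outright; nothing below is consulted.
    if any(e.matches(src, dst) for e in cfg.exempt_acl):
        return "exempt", src
    # 2. static NAT: one-to-one, so an identity static maps an address to itself.
    for real, mapped in cfg.statics:
        real_net, mapped_net = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
        if s in real_net:
            offset = int(s) - int(real_net.network_address)
            return "static", str(mapped_net.network_address + offset)
    # 3. policy NAT: an ACL match selects the global pool with the same id.
    for nat_id, acl in cfg.policy:
        if any(e.matches(src, dst) for e in acl):
            return "policy", cfg.globals_[nat_id]
    # 4. regular dynamic NAT/PAT: a source-network match selects the pool.
    for nat_id, real in cfg.dynamic:
        if s in ipaddress.ip_network(real):
            return "dynamic", cfg.globals_[nat_id]
    # 5. nothing matched: drop only if nat-control demands a translation.
    if cfg.nat_control:
        return "drop", "no translation group found"
    return "passthrough", src


def asa_a(extra_dynamic=(), nat_control=False) -> NatConfig:
    """ASA A as described in the thread; 203.0.113.1 stands in for its global x.x.x.x."""
    hosts = ("10.70.14.43/32", "10.70.15.75/32", "10.70.15.77/32",
             "10.70.20.32/32", "10.70.20.34/32")
    return NatConfig(
        exempt_acl=[AclEntry("192.168.1.0/24", "192.168.2.0/24")],
        dynamic=[(1, h) for h in hosts] + list(extra_dynamic),
        globals_={1: "203.0.113.1"},
        nat_control=nat_control,
    )


if __name__ == "__main__":
    vpn, inet = ("192.168.1.10", "192.168.2.10"), ("192.168.1.10", "198.51.100.5")
    print("VPN traffic, original config:     ", lookup(asa_a(), *vpn))
    print("Internet traffic, nat-control off:", lookup(asa_a(), *inet))
    print("Internet traffic, nat-control on: ", lookup(asa_a(nat_control=True), *inet))
    fixed = asa_a(extra_dynamic=[(1, "192.168.1.0/24")])
    print("Internet traffic, after nat 1 add:", lookup(fixed, *inet))
    print("VPN traffic, after nat 1 add:     ", lookup(fixed, *vpn))
```

The identity static that the poster used as a workaround (static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0) sits at step 2 in this order: it satisfies nat-control for every packet from 192.168.1.0/24 without changing the address, which is why it also "works" for tunnel traffic, but it makes the exemption list redundant rather than fixing whatever kept it from matching.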

Cisco Employee

Re: NAT 0 not working for VPN l2l tunnel

Rod,

That's odd, do you have nat-control enabled?

Marcin

New Member

Re: NAT 0 not working for VPN l2l tunnel

No nat-control.

I did try enabling it once before, during initial troubleshooting when I first discovered the problem, and it made no difference.

Cisco Employee

Re: NAT 0 not working for VPN l2l tunnel

Rod,

Please upgrade to 8.0.5 and let's never see it again.

Marcin
