Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

noNAT and NAT between VPN

Hello,

I have network infrastructure:

192.168.217.0/24(non-cisco)----VPN S2S----ASA5510----INSIDE(192.168.0.0/21)
                                                                           |----DYSTR(10.10.10.0/24)----ASA5505----INSIDE(192.168.2.0/24)

There is nat (via 10.10.10.0/24) between 192.168.0.0/21 and 192.168.2.0/24, which was correctly configured.

My goal is access from remote vpn site (192.168.217.0/24) to ASA5505 inside 192.168.2.0/24 via nat 10.10.10.0/24.

part of result command sh run nat on ASA5510:
\\nat between network 192.168.0.0/21 and 10.10.10.0/24 =>it is working correctly
nat (inside,dystr) source dynamic 192.168.0.0 255.255.240.0 10.10.10.110 destination static 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0

\\no nat between network 192.168.0.0/21 and 192.168.217.0/24 =>it is working correctly
nat (inside,outside) source static 192.168.0.0 255.255.240.0 192.168.0.0 255.255.240.0 destination static 192.168.217.0 255.255.255.0 192.168.217.0 255.255.255.0

\\nat between network 192.168.217.0/24 and 10.10.10.0/24 =>it is not working
nat (outside,dystr) source dynamic 192.168.217.0 255.255.255.0 10.10.10.110 destination static 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0

I checked that packets from 192.168.217.0 are translated to 10.10.10.0, but packet tracer drops packets:

hl-asa-1(config)# packet-tracer input outside icmp 192.168.217.254 8 0 10.10.10.101

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xaeac5930, priority=70, domain=encrypt, deny=false
        hits=31, user_data=0x0, cs_id=0xad035a28, reverse, flags=0x0, protocol=0
        src ip/id=10.10.10.0, mask=255.255.255.0, port=0
        dst ip/id=192.168.217.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dystr
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

crypto-map for vpn traffic cointains both networks:

crypto map outside_map 3 match address outside_3_cryptomap
access-list outside_3_cryptomap extended permit ip object 192.168.0.0 255.255.240.0 object 192.168.217.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip object 10.10.10.0 255.255.255.0 object 192.168.217.0 255.255.255.0

What can be wrong in my configuration? ASA5510 ver. 8.4.4.

2 REPLIES
VIP Green

What exactly are you trying

What exactly are you trying to do here?

nat (outside,dystr) source dynamic 192.168.217.0 255.255.255.0 10.10.10.110 destination static 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip object 10.10.10.0 255.255.255.0 object 192.168.217.0 255.255.255.0

Here it looks like you are translating the source address to 10.10.10.110 for all traffic from 192.168.217.0/24 destined for the 10.10.10.0/24 network...or at least that is what the NAT statement is saying.  Then you are stating in your crypto ACL that a source address of 10.10.10.0/25 going to 192.168.217.0/24 is to be encrypted.  It seems that you have your crypto ACL wrongly configured.

Make sure they are correct (mirror images of eachother) at both ends.  And make sure that the source and destination subnets in the ACLs are correct. 

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
VIP Green

Also keep in mind that the

Also keep in mind that the remote network is on the 10.10.10.0/24 network, so the return traffic will be seen as a directly connected subnet on one of the interfaces and will most likely also not be encrypted. Is there any reason why you are not keeping the 192.168.217.0/24 over the VPN?

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
65
Views
0
Helpful
2
Replies