Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Outbound NAT not working for one L2L VPN

We have an ASA5510 which has two LAN to LAN IPSEC VPNs configured.  The VPN tunnels themselves are up and one VPN works great.  But the other VPN doesn't correctly NAT outbound traffic (inbound is fine from all VPN endpoints).  When I ping from the ASA using 'ping inside 10.200.4.x', it works.  When I ping from a box sitting on the inside subnet I get the following error in the ASA logs:

portmap translation creation failed for udp src inside:10.26.32.2/137 dst outside:10.200.4.x/137

I would be really grateful if someone could point out what I have done wrong with the NAT or routing configuration. This is the first time I have setup two L2L VPNs on one ASA.  The relevant parts of the config are below, suitably anonymised.

Edit:  I forgot to mention that once this is working I then need to NAT incoming traffic to web.server.public.ip to 10.26.32.2 and add ACL entries for www and https.

Thanks,

Matt.

interface Ethernet0/0

nameif outside

security-level 0

ip address 1.2.3.33 255.255.255.248

!

interface Ethernet0/2

nameif inside

security-level 100

ip address 10.26.32.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.61.1 255.255.255.0

management-only

!

access-list outside_1_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list outside_20_cryptomap_1 extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0

icmp permit any inside

arp timeout 14400

nat (inside) 0 access-list outside_1_cryptomap_1

nat (inside) 1 access-list outside_20_cryptomap_1

nat (inside) 2 0.0.0.0 0.0.0.0

route outside 10.200.4.0 255.255.255.0 broken.vpn.endpoint.ip 1

route outside 0.0.0.0 0.0.0.0 gateway.ip.address.here 1

route outside 192.168.0.0 255.255.0.0 working.vpn.endpoint.ip 1

aaa authentication ssh console LOCAL

http 192.168.61.0 255.255.255.0 management

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-SHA-256 esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap_1

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer working.vpn.endpoint.ip

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 20 match address outside_20_cryptomap_1

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer broken.vpn.endpoint.ip

crypto map outside_map 20 set transform-set ESP-SHA-256

crypto map outside_map 20 set security-association lifetime seconds 28800

crypto map outside_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 5

isakmp policy 20 lifetime 86400

isakmp nat-traversal  20

tunnel-group working.vpn.endpoint.ip type ipsec-l2l

tunnel-group working.vpn.endpoint.ip ipsec-attributes

pre-shared-key *

tunnel-group broken.vpn.endpoint.ip type ipsec-l2l

tunnel-group broken.vpn.endpoint.ip ipsec-attributes

pre-shared-key *

telnet timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.61.2-192.168.61.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Outbound NAT not working for one L2L VPN

These 2 lines are incorrect. The access-list are crypto access-list and you shouldn't applied that to the NAT statement.

nat (inside) 0 access-list outside_1_cryptomap_1

nat (inside) 1 access-list outside_20_cryptomap_1

Please removes the 2 NAT statements above, but keep the access-list because those are applied to the crypto map.

Then you would need to configure the following:

access-list nonat extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list nonat extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0

nat (inside) 0 access-list nonat

After the above changes, pls perform "clear xlate"

Hope that helps.

2 REPLIES
Cisco Employee

Re: Outbound NAT not working for one L2L VPN

These 2 lines are incorrect. The access-list are crypto access-list and you shouldn't applied that to the NAT statement.

nat (inside) 0 access-list outside_1_cryptomap_1

nat (inside) 1 access-list outside_20_cryptomap_1

Please removes the 2 NAT statements above, but keep the access-list because those are applied to the crypto map.

Then you would need to configure the following:

access-list nonat extended permit ip 10.26.32.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list nonat extended permit ip 10.26.32.0 255.255.255.0 10.200.4.0 255.255.255.0

nat (inside) 0 access-list nonat

After the above changes, pls perform "clear xlate"

Hope that helps.

New Member

Re: Outbound NAT not working for one L2L VPN

Thanks, Jennifer! That worked great.

937
Views
0
Helpful
2
Replies
CreatePlease login to create content