RA-VPN over NAT-T troubleshooting

hi,

Currently, my VPN works fine from the outside to the router. The problem is, I'm not quite sure why the traffic on the inside is not finding its way to the outside (VPN client). I tried adding an interesting-traffic ACL on my dynamic map; the VPN client lock would not close, but there was a QM_IDLE ISAKMP session established and an IPsec tunnel. I've also tried adding a static route on all my local routers (for test only) routing the 10.0.12.0 network to my VPN router 10.0.0.188; only my network device can communicate with my VPN client host when I do this, but the hosts that belong to the network cannot communicate.

I've attached config and debug outputs.

Any suggestions?

TIA,

-Fred

ACCEPTED SOLUTION
Community Member

Re: RA-VPN over NAT-T troubleshooting

Hi,

Can you please add a no-NAT ACL, internal LAN as source and VPN pool as destination.

Make sure that your gw router has a route towards vpn pool.

r/g
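The two pieces of the accepted answer (NAT exemption on the ASA, plus a route to the pool on the internal default gateway), written out as an added example config that is not from this thread. It assumes a pre-8.3 ASA with interfaces named inside/outside (an 8.3+ equivalent with assumed object names follows), the 10.0.12.0/24 client pool sitting behind the VPN router 10.0.0.188, and constructed host addresses in the check at the end.

```cisco
! --- ASA, pre-8.3 syntax (assumed) ---
! Exempt LAN -> VPN pool from translation; otherwise the reply path to the
! VPN clients is built on a translated source address and never returns.
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.12.0 255.255.255.0
nat (inside) 0 access-list nonat
! The pool lives behind the VPN router on the inside (add if not already present).
route inside 10.0.12.0 255.255.255.0 10.0.0.188
! LAN traffic enters and leaves on "inside", so hairpinning must be permitted.
same-security-traffic permit intra-interface

! --- ASA 8.3+ equivalent (twice NAT; object names are assumed) ---
object network LAN_NET
 subnet 10.0.0.0 255.255.255.0
object network VPN_POOL
 subnet 10.0.12.0 255.255.255.0
nat (inside,any) source static LAN_NET LAN_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! --- Internal default gateway 10.0.0.10 (IOS) ---
ip route 10.0.12.0 255.255.255.0 10.0.0.188

! --- Check on the ASA (constructed addresses): the LAN -> pool flow should
! show the exemption in the NAT phase and egress toward 10.0.0.188.
packet-tracer input inside icmp 10.0.0.50 8 0 10.0.12.5
show route | include 10.0.12.0
```

If packet-tracer still shows a dynamic PAT phase for this flow, the exemption ACL is not matching and the addresses in it should be compared against the actual pool configured on the VPN router.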

7 REPLIES

Re: RA-VPN over NAT-T troubleshooting

What is the default gateway for internal hosts?

Community Member

Re: RA-VPN over NAT-T troubleshooting

The GW for internal hosts is a different router 10.0.0.10.

10.0.0.10's default GW is 10.0.0.52 (.52 is the PBR router); all traffic from 10.0.0.0/24 flows like this:

10.0.0.x/24 -> 10.0.0.10(inside Hosts Default GW) -> 10.0.0.52 (PBR router) -> 10.0.0.191(ASAC1)

The ASA does the static NAT for the VPN router.

Also,

I've tried making router 10.0.0.10's default GW .191 (ASAC1) to bypass the PBR, but the problem still existed.

On router 10.0.0.10 I've also tried adding the following statement: ip route 10.0.12.0 255.255.255.0 10.0.0.188 (RA VPN router)

The only thing that worked here was that my VPN client PC was able to successfully ping/telnet into the 10.0.0.10 router, but still no hosts on the 10.0.0.x/24 subnet were able to reach 10.0.12.x.

Re: RA-VPN over NAT-T troubleshooting

You should have a static route for the VPN pool on the router which is the default gateway for internal users.

Community Member

Re: RA-VPN over NAT-T troubleshooting

Sorry, I was adding on to my post as you replied. Adding the static route to the VPN pool on the router which is my default GW for internal users only worked for my router, but not my network.

If I add that static route on my internal hosts' default GW, my VPN client can only access that router, but not the network itself.

Community Member

Re: RA-VPN over NAT-T troubleshooting

In conclusion,

I didn't include a no-NAT ACL on the ASA for my router's VPN traffic.

Thanks for your help.

Regards,

-Fred

Community Member

Re: RA-VPN over NAT-T troubleshooting

No worries:)
