New Member

Site to Site VPN with NAT

Scenario:

L2L VPN Tunnel to client’s remote networks.  I am required to NAT my private network to a publicly routable unique network.

Technical Information

Local network: 192.168.1.0

NAT to Network: 71.x.x.96 255.255.255.224 (Range provided by ISP)

Outside INT of ASA: 71.x.x.115

Remote Network: 10.10.10.0

Crypto ACL

access-list crypto extended permit ip 71.x.x.96 255.255.255.224 10.10.10.0 255.255.255.0

The tunnel comes up, but my internal hosts are unable to access the tunnel because I am not NAT'ing the inside to the NAT-to addresses correctly.  Below is what I have tried.

Use of Policy NAT

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

static (inside,outside) 71.x.x.0 access-list policy-nat

This doesn't work: when I run show xlate, I see the following over and over again.

Global 71.x.x.0 Local 192.168.1.0.  It never translates the next host, for example Global 71.x.x.97 Local 192.168.0.1.  Traffic does not pass through the tunnel to allow access to the host.

If anyone can please help I would greatly appreciate it.  I’ve also found another possibility but not exactly sure how to implement it.

http://www.experts-exchange.com/Networking/Security/IPSec/Q_22490812.html#discussion

15 REPLIES

Re: Site to Site VPN with NAT

Hi,

Try this to see if you can reach the other site:

access-list POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (inside) 1 access-list POLICYNAT

global (outside) 1 71.x.x.96 255.255.255.224

Leave the crypto ACL as it is.

Check if you see packets being transmitted through the tunnel when you initiate traffic to 10.10.10.x

You can do this using:  sh cry ipse sa peer x.x.x.x   -->  x.x.x.x is the public IP of the other site's end of the tunnel.

Federico.

New Member

Re: Site to Site VPN with NAT

Thank you for your help.  My job is on the line with this one....Very important new client.

New Member

Re: Site to Site VPN with NAT

I'm not seeing the xlate for my internal to external, nor can I access resources on the other end.

Re: Site to Site VPN with NAT

You're encrypting the traffic when sending to 10.10.10.0/24

But you're not decrypting any.

This means the other side of the tunnel is not responding or not sending the traffic back to you.

This is sometimes because they don't have a route to your network pointing in the right direction (assuming the default gateway won't do it).

Can you check if the other site has the correct routes in place and that they are receiving your encrypted packets, and if so, if they are encrypting their packets back to you?  (Again, because you're not receiving any.)

Federico.

New Member

Re: Site to Site VPN with NAT

Yes, I can do that.  I do have a question if you don't mind...  Should I see a translation for my host in the show xlate output?

Re: Site to Site VPN with NAT

Yes,

You should see a translation when connecting from 192.168.1.x to 10.10.10.x

sh xlate should show you the translation being built.
This will happen before encryption, then the traffic will be encrypted and sent through the tunnel as it shows on the
sh cry ips sa peer x.x.x.x

Federico.

New Member

Re: Site to Site VPN with NAT

When I do a show xlate, the translation for the host I'm testing from does not show up.  Any idea what could be causing that?

Re: Site to Site VPN with NAT

Could you post all static/nat & global commands you have in the firewall ?

Make sure you do a clear xlate when you change nat configurations.

New Member

Re: Site to Site VPN with NAT

static (inside,outside) tcp 71.x.x.116 smtp 192.168.1.5 smtp netmask 255.255.255.255  dns
static (inside,outside) 71.x.x.117 192.168.2.16 netmask 255.255.255.255 dns

global (outside) 1 interface
global (outside) 1 71.x.x.96 netmask 255.255.255.224

nat (inside) 0 access-list management_nat0_outbound_1   (Cisco VPN Client tunnel for remote access)
nat (inside) 1 access-list policy-nat dns
nat (inside) 1 0.0.0.0 0.0.0.0 dns

Cisco Employee

Re: Site to Site VPN with NAT

Can you also post ACL: management_nat0_outbound_1 please.

New Member

Re: Site to Site VPN with NAT

I've attached my entire config; I know something has to be wrong somewhere.  I'm no expert on this and am going by documentation.  If you don't mind, please review the config and tell me where I'm wrong.

Cisco Employee

Re: Site to Site VPN with NAT

Sorry, but you haven't configured the policy NAT suggested by Federico. Your configuration does not have that configured, and I also see a different IP address range in your configuration than you originally requested.

Can you advise which subnet do you actually want to NAT and going to which remote subnet as again ip addressing are different to the one you specified initially.

New Member

Re: Site to Site VPN with NAT

I was trying not to show my config too much...  I got it working; it turned out my config was good.  However, I'm still not NATting correctly.  It is using the PAT address of the outside interface to go through the tunnel instead of the range I specified.

THANK YOU FOR THE HELP IT IS GREATLY APPRECIATED.

Cisco Employee

Re: Site to Site VPN with NAT

Can you advise your latest nating statement?

sh run nat

sh run global

sh run static

and please also include the access-list from the above output.

Thanks.

New Member

Re: Site to Site VPN with NAT

I figured it out.  It was a two part issue.

Part 1:  Client neglected to inform us that we are required to authenticate to their firewall prior to traffic being sent to remote hosts.  This solved the connectivity problem.

Part 2:  NAT is being done with policy NAT in the following manner:

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 object-group VPN

global (outside) 1 10.10.10.96-10.10.10.127 netmask 255.255.255.224

global (outside) 1 interface

Since the tunnel terminates on my outside interface, and the network I am NATting to is the same as the outside interface, I am able to use a combination of a global pool and PAT for NATting across the tunnel.  Works like a charm.  The only drawback is that PAT is only used when the pool runs out of addresses, and each user that goes to the web gets a NATted address from the pool.  Actually, I don't see the pool for internet access as a drawback, as it gives me better information when monitoring what certain users are doing.

Thanks to all for the help on this issue.  It was quite challenging, and this is for a new client, so I didn't want to start finger pointing without being 100% sure that my config was correct.  Worst part is I asked about the firewall authentication prior to even starting this project and of course I was assured that it was not required.  Then, after 4 days of my time being wasted, they realized that it was required.
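Added example (not from the thread, not Cisco code): a small Python model of the two points made above, Federico's note that the xlate is built before encryption, and the final post's pool-plus-interface-PAT arrangement. It assumes the pre-8.3 ASA semantics the thread describes: the policy NAT ACL decides which flows are translated, pool addresses are handed out one per inside host first, PAT to the outside interface address is used once the pool is exhausted, and only then is the crypto ACL evaluated, against the translated source. The addresses are constructed stand-ins (71.0.0.0/24 plays the masked 71.x.x.x range), and the pool is deliberately tiny so the fallback to PAT is visible. The counter-case with the interface address outside the crypto source range shows why the arrangement in the final post works: PAT'd hosts only stay inside the tunnel because 71.x.x.115 happens to fall within 71.x.x.96/27; move the interface out of that range and the same hosts would be forwarded unencrypted.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed stand-ins for the thread's masked addresses: 71.0.0.0/24 plays 71.x.x.x.
# Crypto ACL:  access-list crypto extended permit ip 71.x.x.96 255.255.255.224 10.10.10.0 255.255.255.0
CRYPTO_ACL = [(Net("71.0.0.96/27"), Net("10.10.10.0/24"))]
# Policy NAT ACL: access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
POLICY_ACL = [(Net("192.168.1.0/24"), Net("10.10.10.0/24"))]


def acl_matches(acl: List[Tuple[Net, Net]], src: IPv4, dst: IPv4) -> bool:
    """True if any (source-net, destination-net) entry permits src -> dst."""
    return any(src in s and dst in d for s, d in acl)


@dataclass
class DynamicPolicyNat:
    """nat (inside) 1 access-list <acl> + global (outside) 1 <pool> + global (outside) 1 interface.
    Assumed pool-then-PAT semantics (as stated in the thread): pool addresses are handed out
    one per inside host first; PAT to the outside interface is used when the pool is exhausted."""
    policy_acl: List[Tuple[Net, Net]]
    pool: List[IPv4]
    interface_ip: IPv4
    # inside host -> (global address, used_pat); roughly what 'show xlate' would list
    xlate: Dict[IPv4, Tuple[IPv4, bool]] = field(default_factory=dict)

    def translate(self, src: IPv4, dst: IPv4) -> Optional[Tuple[IPv4, bool]]:
        """Return (translated source, used_pat), or None if this NAT rule does not match."""
        if not acl_matches(self.policy_acl, src, dst):
            return None
        if src in self.xlate:                     # an existing xlate is reused
            return self.xlate[src]
        in_use = {g for g, pat in self.xlate.values() if not pat}
        free = [a for a in self.pool if a not in in_use]
        entry = (free[0], False) if free else (self.interface_ip, True)
        self.xlate[src] = entry
        return entry


def forward(nat: DynamicPolicyNat, crypto_acl: List[Tuple[Net, Net]], src: str, dst: str) -> dict:
    """One packet through the ASA order of operations: NAT first, then the crypto ACL
    is evaluated against the *translated* source address."""
    s, d = IPv4(src), IPv4(dst)
    xl = nat.translate(s, d)
    if xl is None:
        return {"src": src, "dst": dst, "translated": None, "pat": False, "encrypted": False}
    xsrc, pat = xl
    return {"src": src, "dst": dst, "translated": str(xsrc), "pat": pat,
            "encrypted": acl_matches(crypto_acl, xsrc, d)}


def run_scenario(interface_ip: str, pool_size: int = 2) -> List[dict]:
    """Three inside hosts reach the remote network through a deliberately tiny pool so the
    third host falls back to interface PAT; the last flow is ordinary web traffic."""
    pool = list(Net("71.0.0.96/27").hosts())[:pool_size]      # 71.0.0.97, 71.0.0.98
    nat = DynamicPolicyNat(POLICY_ACL, pool, IPv4(interface_ip))
    flows = [("192.168.1.10", "10.10.10.5"),
             ("192.168.1.11", "10.10.10.5"),
             ("192.168.1.12", "10.10.10.5"),    # pool exhausted -> PAT to the interface
             ("192.168.1.10", "10.10.10.6"),    # same host, second connection: xlate reused
             ("192.168.1.10", "198.51.100.1")]  # not in the policy ACL: other NAT rules apply
    return [forward(nat, CRYPTO_ACL, s, d) for s, d in flows]


if __name__ == "__main__":
    # Thread's layout: the outside interface (71.x.x.115) lies inside the 71.x.x.96/27 crypto source.
    for r in run_scenario("71.0.0.115"):
        print(r)
    # Constructed counter-case: interface outside the crypto source range, PAT'd hosts leave unencrypted.
    for r in run_scenario("71.0.0.130"):
        print(r)
```

The model ignores ports and the remote side entirely; it only answers the question the thread kept circling, namely what source address the crypto ACL actually sees after translation. If you change the pool or the interface address, compare the `translated` value of each flow with the crypto ACL's source network before assuming the tunnel will carry it.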
