Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4581
Views
5
Helpful
9
Replies

Site to Site VPN with Natting Internal IP address range?

Go to solution
Ven Diesel
Level 1
Level 1

‎05-21-2012 06:06 AM

This is our actual Internal LAN address: 10.40.120.0/26 (Internal Range) and I want to translate to

Translated address: 10.254.9.64.255.255.255.192(Internal)

Our remote local address is: 10.254.5.64 255.255.255.192(Remote site Internal Ip add range)

Based on above parameters I done this configuration

access-list outside_cryptomap permit ip 10.254.9.64 255.255.255.192 10.254.5.64 255.255.255.192
access-list policy-nat permit ip 10.40.120.0 255.255.255.192 10.254.5.64 255.255.255.192
static (inside,outside) 10.254.9.64 access-list policy-nat

I got all the Phase1 and Phase 2 parameters required and peer public ip add,

I had set up vpn using ASDM before but this scenario is new for me, all I am wondering is there anything I need to configure to succesfully setup VPN

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Ven Diesel

‎05-28-2012 06:27 PM

If you are seeing TX increasing but not RX that means traffic is being sent to the remote end however there is no reply.

I would suggest that you check in with the remote VPN end to see where the problem is. Most likely it is issue on the remote end.

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Ven Diesel

‎05-30-2012 02:36 PM

Can you please remove the following:

static (inside,outside) 10.254.7.64 access-list policy-nat

and change it to:

nat (inside) 5 access-list policy-nat

global (outside) 5 10.254.7.64

Then "clear xlate" again.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎05-21-2012 06:10 AM

Both NAT and crypto ACL has been correctly configured.

Which phase is the VPN failing at? can you run some debugs and share the debug output?

Go to solution
Ven Diesel
Level 1
Level 1
In response to Jennifer Halim

‎05-22-2012 04:33 AM

Thank you so much Jenni, I will update you asap

0 Helpful

Go to solution
Ven Diesel
Level 1
Level 1
In response to Ven Diesel

‎05-28-2012 11:51 AM

Hi

Thanks a lot jenni done exactly the above and from the following link http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

The VPN is up as we are able to see the interesting traffic but Tx= is increasing and Rx=0 ? dont know what is going wrong, moreover far site is only accepting RDP access from our site and I am not able to access it? I am wondering do i need to do any additional configuration apart from the above to get RDP access

Assistance appreciated guys please

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Ven Diesel

‎05-28-2012 06:27 PM

If you are seeing TX increasing but not RX that means traffic is being sent to the remote end however there is no reply.

I would suggest that you check in with the remote VPN end to see where the problem is. Most likely it is issue on the remote end.

0 Helpful

Go to solution
Ven Diesel
Level 1
Level 1
In response to Jennifer Halim

‎05-30-2012 03:01 AM

Hi mate,

yeah issue on far site they arent allowing access to the port we are trying to access, and they made it up and we are good to g now,

One thing I am worried is only one IP add is able to access the resources, I mean i created an add range of 192.168.x.0/26, however only 192.168.x.3 one of our server is able to access the far site, havent got a clue

config is as folllows:

access-list pp-vpn extended permit ip 10.254.7.64 255.255.255.192 10.254.6.64 255.255.255.192

access-list policy-nat---- extended permit ip 192.168.x.0 255.255.255.192 10.254.6.64 255.255.255.192

static (inside,outside) 10.254.7.64 access-list policy-nat

crypto ipsec transform-set esp-aes256-sha esp-md5-hmac

crypto map outside_map 20 match address pp-vpn

crypto map outside_map 20 set peer 172.162.1.2

crypto map outside_map 20 set transform-set vpn1

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp policy 65 encyptio

authentication pre-share         

encryption des

hash md5

group 2

lifetime 86400

tunnel type ipsec-l2l

tunnel-group 172.162.1.2 ipsec-attributes

pre-shared-key *

Thank you immensly for all your assitance

ven

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Ven Diesel

‎05-30-2012 05:39 AM

Did you "clear xlate" after making changes to the static NAT statement?

Also, do you have any access-list on the inside interface that might be blocking the access?

0 Helpful

Go to solution
Ven Diesel
Level 1
Level 1
In response to Jennifer Halim

‎05-30-2012 01:30 PM

Hi Jenni I tried both of the above, but still it remains the same, no inside access rules as well.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Ven Diesel

‎05-30-2012 02:36 PM

Can you please remove the following:

static (inside,outside) 10.254.7.64 access-list policy-nat

and change it to:

nat (inside) 5 access-list policy-nat

global (outside) 5 10.254.7.64

Then "clear xlate" again.

0 Helpful

Go to solution
Ven Diesel
Level 1
Level 1
In response to Jennifer Halim

‎06-01-2012 02:35 PM

That did it. Spot on, thanks! Thanks a lot Jenni!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents