Cisco Support Community
Small help with ASA site-to-site VPN with NATting the protected network

Hi all,

I have an ASA with IOS 9.x running a site-to-site VPN.

The two protected networks on both sides are shown below:

192.168.10.0/24

192.168.1.0/24

The current topology when the VPN works is:

192.168.10.0/24------asa1---------internet-----asa2------192.168.12.0/24

With the topology above, the VPN works!

Now I made some changes in the network, and it seems that network 192.168.10.0/24 is not available any more and has been replaced with 10.0.0.0/24:

10.0.0.0/24-------asa1-----internet----asa2---192.168.12.0/24

Also, I don't have access to asa2, so the only thing I can do is modify asa1.

The question is:

What do I need to modify on asa1 so that it gets the VPN working???

I added a NAT rule on asa1 that NATs the source IPs of 10.0.0.0/24 -----> to -----> 192.168.10.0/24 when they go to 192.168.12.0/24,

but the VPN is still down?

I'm asking now, do I need to do anything else to make it work?

Regards

1 ACCEPTED SOLUTION

Hi Ahmed,

By default ISAKMP NAT traversal is enabled on Cisco firewalls..... I have tested it in my lab and it worked like a charm.... You might be missing something very basic....

Regards

Karthik

5 REPLIES
Have you modified the crypto ACL as well?

Can you please provide a show run of the ASA.

Also, I would recommend you run a packet-tracer with debug crypto ipsec 125 and debug crypto isakmp 128 in order to troubleshoot.

-RANDY-

Hi,

Thanks for the answers,

but I'm just asking, do I need to do more than the NAT???

In this case, does NAT-T have to be enabled on both sides of the VPN?

I will post the config here soon.

Regards


Hi,

Thank you all,

The problem was beyond the ASA; it was a routing issue outside of the ASA.

I just want to thank you for replying and for your time.

==> Yes, as I mentioned, there is no need to modify anything else if I need NATing, because the NAT is done before the crypto lookup.

Now it works like a charm.

Regards
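The point in the post above (NAT runs before the crypto map lookup, so the crypto ACL must keep matching the translated addresses) expressed as asa1 configuration. This is an added example, not the poster's configuration: it uses the ASA 8.3+ NAT syntax and only shows the pieces that relate to the changed LAN. The object names, the interface names inside/outside, the ACL name and the crypto map name/sequence are assumptions; the peer address, IKE policy, transform set and tunnel-group are assumed to already exist from the previously working tunnel. asa2 needs no change, because the traffic it sees is still sourced from 192.168.10.0/24.

```cisco
! Added example (not the original poster's configuration): changes on asa1 only.
! Real (new) LAN behind asa1, the mapped network the remote side still expects,
! and the remote protected network. Object names are assumptions.
object network LOCAL-REAL
 subnet 10.0.0.0 255.255.255.0
object network LOCAL-MAPPED
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-SITE
 subnet 192.168.12.0 255.255.255.0
!
! Manual (twice) NAT: translate 10.0.0.0/24 to 192.168.10.0/24 only when the
! destination is 192.168.12.0/24; the destination itself is left as is.
! A manual NAT rule is evaluated before object (section 2) NAT, so an existing
! dynamic PAT rule for ordinary internet access does not need to change.
nat (inside,outside) source static LOCAL-REAL LOCAL-MAPPED destination static REMOTE-SITE REMOTE-SITE
!
! Crypto ACL stays on the MAPPED addresses: NAT happens before the crypto map
! lookup, so the packet reaching the lookup already has a 192.168.10.x source.
! A crypto ACL written for 10.0.0.0/24 would never match and nothing would be
! encrypted. The mirror ACL on asa2 (192.168.12.0/24 -> 192.168.10.0/24) is unchanged.
access-list VPN-TO-ASA2 extended permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-ASA2
!
! Verification from asa1 exec mode (hypothetical host addresses): the trace should
! show a NAT phase with the translated source, then a VPN phase with subtype
! encrypt, ending in Action: allow. If the VPN phase is missing, the translated
! source is not matching the crypto ACL.
packet-tracer input inside tcp 10.0.0.10 1025 192.168.12.10 80
! After interesting traffic, encaps/decaps counters should increase for the peer.
show crypto ipsec sa peer <asa2-public-ip>
```

This policy NAT of the protected network is a different thing from NAT traversal: `crypto isakmp nat-traversal` only controls UDP 4500 encapsulation of ESP when a NAT device sits between the two peers, and it does not affect how the crypto ACL is matched. If asa1 still carries an old identity NAT (NAT exemption) for 192.168.10.0/24 towards 192.168.12.0/24, it is harmless once that subnet no longer exists behind asa1, but it can be removed for clarity.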

Hi,

Can you enable debug on asa1 and check where it is not coming up...

debug crypto ipsec 255 or debug crypto ipsec 7

Hopefully you don't have a problem with phase 1.....

Have you checked that NAT traversal is enabled on the firewalls?

Regards

Karthik
