Bi-directional NAT not working across VPN

I have a VPN setup on a 6310 and have to hide the private IP subnet behind another private IP subnet across this VPN.  The VPN is up and I can ping a server across the VPN, but they are not able to ping anything on my side of the VPN.

Private IP: 192.168.4.0/24

NAT IP Subnet: 192.168.174.0/24

Remote Subnet: 10.84.0.0/16

When I show the policy sessions, it does not show that the destination is being NAT'd:

Herringtons-Sheffield-NV6310#show ip policy-sessions
Src Vrf (if not default), Src policy class:
Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class
  Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port
  --------------- -------- --------------- -------- ----------------- --------
Policy class "Public":
icmp (60) [VPN 110] -> Public
  10.84.218.77    1        192.168.174.10  1

Configuration:


interface eth 0/1
  ip address  184.74.10.158  255.255.255.252
  no ip proxy-arp
  ip access-policy Public
  ip crypto map VPN
  media-gateway ip loopback 1
  no shutdown
  no lldp send-and-receive
!
!
interface eth 0/2
  encapsulation 802.1q
  no shutdown
!
interface eth 0/2.1
  vlan-id 1 native
  ip address  192.168.4.1  255.255.255.0
  ip dhcp relay destination 192.168.1.3
  ip access-policy PrivateData
  media-gateway ip loopback 1
  no shutdown
.......
ip access-list extended VPN-110-vpn-selectors
  permit ip 192.168.174.0 0.0.0.255  10.84.0.0 0.0.255.255
!
ip access-list extended web-acl-13
  remark NAT All to Spruce
  permit ip 192.168.4.0 0.0.0.255  10.84.0.0 0.0.255.255     log
!
ip access-list extended web-acl-14
  remark NAT list web-acl-14
  permit ip 10.84.0.0 0.0.255.255  192.168.174.0 0.0.0.255     log
!
!
!
ip nat pool Spruce static
  local 192.168.4.1 192.168.4.254 global 192.168.174.1 192.168.174.254
!
.......
ip policy-class PrivateData
  allow list VPN-110-vpn-selectors stateless
  allow list VPN-AllowUDPStateful
  allow list VPN-1-Selectors stateless
  allow list AdminAccess-Private self
  allow list Allow-PrivateDataToPrivateVoice policy PrivateVoice
  nat source list web-acl-13 pool Spruce policy Public
  nat source list NATS-PrivateData interface eth 0/1 overload policy Public
!
........
ip policy-class Public
  allow reverse list VPN-110-vpn-selectors stateless
  nat destination list web-acl-14 pool Spruce
  allow reverse list VPN-AllowUDPStateful
  allow reverse list VPN-1-Selectors stateless
  allow list AdminAccess-ADTRAN self
  allow list AdminAccess-Public self
!

I used "Configuring NAT Pools in AOS.pdf" as a template. It just looks like the inbound packets are not hitting the "nat destination list web-acl-14 pool Spruce" line on the Public policy.


Accepted Solutions
Anonymous

Re: Bi-directional NAT not working across VPN

You need to remove "allow list VPN-110-vpn-selectors stateless" from the PrivateData policy class and "allow reverse list VPN-110-vpn-selectors stateless" from the Public policy class, so the traffic will get to the NAT statements instead of being allowed through without being NATed.

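As an added illustration of why the accepted answer works (model code written for this page, not AOS code and not from the original post): an AOS policy class is evaluated top-down and the first entry whose list matches decides, so an "allow" placed above a "nat" entry passes the packet untranslated and the NAT line is never reached. The script below walks the two policy classes, the three ACLs and the static pool from the posted configuration for the inbound ping seen in the session table (10.84.218.77 to 192.168.174.10) and for a constructed outbound ping from inside host 192.168.4.10. Assumptions, also marked in the code: a static pool maps local to global addresses one-to-one by offset, "allow reverse" matches its list with source and destination swapped, and a NAT entry both translates and passes the packet.

```python
"""First-match model of ADTRAN AOS policy-class evaluation.
Added illustration for this thread; this is NOT AOS code."""
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_permits(acl, src, dst):
    """Extended ACL in AOS notation: entries are
    (action, src_net, src_wildcard, dst_net, dst_wildcard).
    First match wins; implicit deny at the end.
    Wildcard bits set to 1 are "don't care" bits."""
    s, d = _ip(src), _ip(dst)
    for action, sn, sw, dn, dw in acl:
        sw_i, dw_i = _ip(sw), _ip(dw)
        if (s | sw_i) == (_ip(sn) | sw_i) and (d | dw_i) == (_ip(dn) | dw_i):
            return action == "permit"
    return False


def pool_translate(pool, addr, to_global):
    """Static pool (local_lo, local_hi, global_lo, global_hi).
    Assumption: a static pool maps the two ranges 1:1 by offset.
    Returns None when addr lies outside the relevant range."""
    local_lo, local_hi, global_lo, global_hi = (_ip(x) for x in pool)
    if to_global:
        lo, hi, target_lo = local_lo, local_hi, global_lo
    else:
        lo, hi, target_lo = global_lo, global_hi, local_lo
    a = _ip(addr)
    if not lo <= a <= hi:
        return None
    return str(ipaddress.IPv4Address(target_lo + (a - lo)))


def evaluate(policy_class, src, dst, acls, pools):
    """Walk a policy class top-down; the first entry whose list matches
    decides. Returns (verdict, src_after, dst_after)."""
    for kind, acl_name, pool_name in policy_class:
        acl = acls[acl_name]
        # Assumption: 'allow reverse' matches the list with src/dst swapped.
        if kind == "allow reverse":
            matched = acl_permits(acl, dst, src)
        else:
            matched = acl_permits(acl, src, dst)
        if not matched:
            continue
        if kind in ("allow", "allow reverse"):
            return ("allow", src, dst)  # passed through untranslated
        if kind == "nat source":
            new_src = pool_translate(pools[pool_name], src, True)
            if new_src is None:
                continue  # assumption: an address outside the pool skips this entry
            return ("nat", new_src, dst)
        if kind == "nat destination":
            new_dst = pool_translate(pools[pool_name], dst, False)
            if new_dst is None:
                continue
            return ("nat", src, new_dst)
    return ("deny", src, dst)  # implicit deny at the end of the policy class


# ACLs and pool exactly as in the posted configuration
ACLS = {
    "VPN-110-vpn-selectors": [("permit", "192.168.174.0", "0.0.0.255", "10.84.0.0", "0.0.255.255")],
    "web-acl-13": [("permit", "192.168.4.0", "0.0.0.255", "10.84.0.0", "0.0.255.255")],
    "web-acl-14": [("permit", "10.84.0.0", "0.0.255.255", "192.168.174.0", "0.0.0.255")],
}
POOLS = {"Spruce": ("192.168.4.1", "192.168.4.254", "192.168.174.1", "192.168.174.254")}

# Relevant entries of the two policy classes, as posted and as fixed
PUBLIC_AS_POSTED = [
    ("allow reverse", "VPN-110-vpn-selectors", None),  # matches first, no NAT
    ("nat destination", "web-acl-14", "Spruce"),
]
PUBLIC_FIXED = [("nat destination", "web-acl-14", "Spruce")]
PRIVATE_DATA_AS_POSTED = [
    ("allow", "VPN-110-vpn-selectors", None),
    ("nat source", "web-acl-13", "Spruce"),
]
PRIVATE_DATA_FIXED = [("nat source", "web-acl-13", "Spruce")]


def inbound_ping(policy_class):
    # Packet from the session table in the question: remote host -> NAT address
    return evaluate(policy_class, "10.84.218.77", "192.168.174.10", ACLS, POOLS)


def outbound_ping(policy_class):
    # Constructed inside host 192.168.4.10 pinging the same remote host
    return evaluate(policy_class, "192.168.4.10", "10.84.218.77", ACLS, POOLS)


if __name__ == "__main__":
    print("inbound, Public as posted :", inbound_ping(PUBLIC_AS_POSTED))
    print("inbound, Public fixed     :", inbound_ping(PUBLIC_FIXED))
    print("outbound, PrivateData     :", outbound_ping(PRIVATE_DATA_AS_POSTED))
```

In the model, the as-posted Public class lets the inbound ping through with the destination still 192.168.174.10, which is exactly what the session table in the question shows (no NAT IP address); with the stateless allow removed, the same packet reaches the "nat destination" entry and is rewritten to 192.168.4.10. The outbound direction translates either way, because the VPN selector list names 192.168.174.0/24 as the source and so never matches a 192.168.4.x host, which is consistent with the poster already being able to ping across the tunnel.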

Re: Bi-directional NAT not working across VPN

Jump to solution

Thanks. That did the trick.

0 Kudos
Reply