2 Replies Latest reply on Apr 14, 2016 10:42 AM by quazar66

    Bi-directional NAT not working across VPN

    quazar66 New Member

      I have a VPN setup on a 6310 and have to hide the private IP subnet behind another private IP subnet across this VPN.  The VPN is up and I can ping a server across the VPN, but they are not able to ping anything on my side of the VPN.

      Private IP: 192.168.4.0/24
      NAT IP Subnet: 192.168.174.0/24
      Remote Subnet: 10.84.0.0/16

      When I show the policy sessions, it does not show that the destination is being NAT'd:

      Herringtons-Sheffield-NV6310#show ip policy-sessions

      Src Vrf (if not default), Src policy class:
      Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class
        Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port
        --------------- -------- --------------- -------- ----------------- --------

      Policy class "Public":
      icmp (60) [VPN 110] -> Public
        10.84.218.77    1        192.168.174.10  1


      Configuration:

      interface eth 0/1
        ip address  184.74.10.158  255.255.255.252
        no ip proxy-arp
        ip access-policy Public
        ip crypto map VPN
        media-gateway ip loopback 1
        no shutdown
        no lldp send-and-receive
      !
      !
      interface eth 0/2
        encapsulation 802.1q
        no shutdown
      !
      interface eth 0/2.1
        vlan-id 1 native
        ip address  192.168.4.1  255.255.255.0
        ip dhcp relay destination 192.168.1.3
        ip access-policy PrivateData
        media-gateway ip loopback 1
        no shutdown

      .......
      ip access-list extended VPN-110-vpn-selectors
        permit ip 192.168.174.0 0.0.0.255  10.84.0.0 0.0.255.255
      !
      ip access-list extended web-acl-13
        remark NAT All to Spruce
        permit ip 192.168.4.0 0.0.0.255  10.84.0.0 0.0.255.255     log
      !
      ip access-list extended web-acl-14
        remark NAT list web-acl-14
        permit ip 10.84.0.0 0.0.255.255  192.168.174.0 0.0.0.255     log
      !
      !
      !
      ip nat pool Spruce static
        local 192.168.4.1 192.168.4.254 global 192.168.174.1 192.168.174.254
      !
      .......
      ip policy-class PrivateData
        allow list VPN-110-vpn-selectors stateless
        allow list VPN-AllowUDPStateful
        allow list VPN-1-Selectors stateless
        allow list AdminAccess-Private self
        allow list Allow-PrivateDataToPrivateVoice policy PrivateVoice
        nat source list web-acl-13 pool Spruce policy Public
        nat source list NATS-PrivateData interface eth 0/1 overload policy Public
      !
      ........
      ip policy-class Public
        allow reverse list VPN-110-vpn-selectors stateless
        nat destination list web-acl-14 pool Spruce
        allow reverse list VPN-AllowUDPStateful
        allow reverse list VPN-1-Selectors stateless
        allow list AdminAccess-ADTRAN self
        allow list AdminAccess-Public self
      !


      I used "Configuring NAT Pools in AOS.pdf" as a template.  Just looks like the inbound packets are not hitting the "nat destination list web-acl-14 pool Spruce" line on the Public policy
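Added example, not part of the thread and not ADTRAN code: a small Python model of the two NAT rules in the posted configuration, so the expected translation for the session shown in `show ip policy-sessions` can be checked on paper. It implements wildcard-mask ACL matching (a 1 bit in the mask means "do not care", implicit deny at the end) and the static one-to-one `Spruce` pool (local and global ranges of equal size, same offset). The subnets, ACL entries and pool ranges are transcribed from the post; the function and class names (`acl_permits`, `StaticPool`, `inbound_destination_nat`, `outbound_source_nat`) are my own and are not AOS commands. For the inbound packet from 10.84.218.77 to 192.168.174.10 the model fills the NAT IP Address column with 192.168.4.10, which is what a matching `nat destination list web-acl-14 pool Spruce` rule would have to produce.

```python
"""Model of wildcard ACL matching plus a static 1:1 NAT pool (added example).

Addresses, ACLs and the pool are the ones quoted in the forum post; the
helper names are assumptions for illustration, not AOS commands.
"""
import ipaddress
from typing import List, Optional, Tuple

Net = Tuple[str, str]                      # (network, wildcard mask)
AclEntry = Tuple[str, Net, Net]            # (action, source, destination)

# Subnets from the post.
PRIVATE_NET: Net = ("192.168.4.0", "0.0.0.255")
NAT_NET: Net = ("192.168.174.0", "0.0.0.255")
REMOTE_NET: Net = ("10.84.0.0", "0.0.255.255")


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the mask is 'do not care'."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(addr) & care) == (_as_int(network) & care)


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; no match is an implicit deny."""
    for action, (s_net, s_wc), (d_net, d_wc) in entries:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


# 'ip access-list extended web-acl-13' and 'web-acl-14' from the post.
WEB_ACL_13: List[AclEntry] = [("permit", PRIVATE_NET, REMOTE_NET)]
WEB_ACL_14: List[AclEntry] = [("permit", REMOTE_NET, NAT_NET)]


class StaticPool:
    """'ip nat pool ... static': one-to-one, position-preserving mapping
    between a local range and an equally sized global range."""

    def __init__(self, local_start: str, local_end: str,
                 global_start: str, global_end: str) -> None:
        self.local_start = _as_int(local_start)
        self.local_end = _as_int(local_end)
        self.global_start = _as_int(global_start)
        self.global_end = _as_int(global_end)
        if self.local_end - self.local_start != self.global_end - self.global_start:
            raise ValueError("static pool ranges must be the same size")

    def to_global(self, local: str) -> Optional[str]:
        """Source NAT direction: local (inside) address -> global address."""
        n = _as_int(local)
        if not self.local_start <= n <= self.local_end:
            return None
        return str(ipaddress.IPv4Address(self.global_start + (n - self.local_start)))

    def to_local(self, glob: str) -> Optional[str]:
        """Destination NAT direction: global address -> local (inside) address."""
        n = _as_int(glob)
        if not self.global_start <= n <= self.global_end:
            return None
        return str(ipaddress.IPv4Address(self.local_start + (n - self.global_start)))


# 'ip nat pool Spruce static' from the post.
SPRUCE = StaticPool("192.168.4.1", "192.168.4.254",
                    "192.168.174.1", "192.168.174.254")


def outbound_source_nat(src: str, dst: str) -> Optional[str]:
    """PrivateData: 'nat source list web-acl-13 pool Spruce'. Returns the
    translated source, or None when the ACL does not select the packet."""
    if not acl_permits(WEB_ACL_13, src, dst):
        return None
    return SPRUCE.to_global(src)


def inbound_destination_nat(src: str, dst: str) -> Optional[str]:
    """Public: 'nat destination list web-acl-14 pool Spruce'. Returns the
    translated destination, or None when the ACL does not select the packet."""
    if not acl_permits(WEB_ACL_14, src, dst):
        return None
    return SPRUCE.to_local(dst)


if __name__ == "__main__":
    # The icmp session from the post: 10.84.218.77 -> 192.168.174.10
    print(inbound_destination_nat("10.84.218.77", "192.168.174.10"))  # 192.168.4.10
    print(outbound_source_nat("192.168.4.10", "10.84.218.77"))        # 192.168.174.10
```

Feeding the model a packet outside the pool or outside the ACL (a destination of 192.168.174.0, or traffic to the DHCP relay at 192.168.1.3) returns None, which is the case where a session would show an empty NAT IP Address column.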