[c-nsp] traffic not coming on ipsec tunnel for NAT IP

Justin M. Streiner streiner at cluebyfour.org
Thu Apr 24 04:39:38 EDT 2014


On Thu, 24 Apr 2014, Daljit Singh wrote:

> Actually I am trying to configure an ipsec tunnel between two ASA 5520 ver 8.0(3) and advertising a static NAT IP towards the tunnel. But whenever my remote tries to initiate traffic, the tunnel is established but nothing is happening; I can't even see the logs on ASDM if I filter on the remote IP.
> Is there any other configuration that needs to be done?

192.168.x.x addresses are not globally routable.  Do these two devices 
have globally routable addresses, for the purpose of things like 
terminating VPN tunnels?  Assuming these devices aren't on some sort of 
private network (in other words: trying to communicate over the Internet), 
they will need globally routable addresses to talk to each other, or 
traffic between these two devices will need to be NAT'd to globally 
routable addresses.  Keep in mind that NAT and IPSEC don't always play 
nicely with each other.

jms

> FW1# sh ip
> System IP Addresses:
> Interface                Name                   IP address      Subnet mask     Method
> GigabitEthernet0/0       Internet-Link          192.168.215.6   255.255.255.240 CONFIG
> GigabitEthernet0/1       Inside-Seachange       192.168.216.129 255.255.255.240 CONFIG
>
> crypto map outside_map 5 match address Internet-Link_2_cryptomap
> crypto map outside_map 5 set peer 192.168.41.68
> crypto map outside_map 5 set transform-set ESP-3DES-SHA
> crypto map outside_map 5 set security-association lifetime seconds 28800
> crypto map outside_map 5 set security-association lifetime kilobytes 4608000
> crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
> crypto map outside_map interface Internet-Link
>
>
> access-list Internet-Link_2_cryptomap extended permit ip host 192.168.215.142 host 192.168.42.170
>
> static (Inside-Seachange,Internet-Link) 192.168.215.142 172.31.25.12 netmask 255.255.255.255
>
>
> I DON'T have a config of remote firewall.
>
>
> Regards
> Daljit Singh
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
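As an added consistency check, not code from the thread or from Cisco, the following Python parses the FW1 fragments quoted above (reconstructed here as a constructed sample) and verifies two things a pre-8.3 ASA needs for NAT'd hosts to reach a tunnel: the crypto ACL must reference the translated (global) address from the static, since NAT is applied before the crypto map on those releases, and the static's global interface must be the interface the crypto map is bound to. The finding texts and the 8.3 ordering assumption are mine.

```python
import re

# Constructed sample: the FW1 fragments quoted in the thread (ACL, static, crypto map).
FW1_CONFIG = """
crypto map outside_map 5 match address Internet-Link_2_cryptomap
crypto map outside_map 5 set peer 192.168.41.68
crypto map outside_map interface Internet-Link
access-list Internet-Link_2_cryptomap extended permit ip host 192.168.215.142 host 192.168.42.170
static (Inside-Seachange,Internet-Link) 192.168.215.142 172.31.25.12 netmask 255.255.255.255
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ host (\S+) host (\S+)")
MAP_ACL_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")

def parse(text):
    """Pull static NATs, host-to-host ACL entries and crypto map bindings."""
    statics, acls, map_acls, map_ifs = [], {}, {}, {}
    for line in text.strip().splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())  # (real_if, global_if, global_ip, real_ip)
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))  # (local, remote)
        elif m := MAP_ACL_RE.match(line):
            map_acls.setdefault(m[1], []).append(m[2])
        elif m := MAP_IF_RE.match(line):
            map_ifs[m[1]] = m[2]
    return statics, acls, map_acls, map_ifs

def check(text):
    """Return findings as strings; an empty list means NAT and crypto line up."""
    statics, acls, map_acls, map_ifs = parse(text)
    findings = []
    for cmap, names in map_acls.items():
        iface = map_ifs.get(cmap)
        if iface is None:
            findings.append(f"crypto map {cmap} is not bound to any interface")
        for name in names:
            if name not in acls:
                findings.append(f"crypto ACL {name} has no entries")
            for local, _remote in acls.get(name, []):
                for _real_if, glob_if, glob_ip, real_ip in statics:
                    if local == real_ip:  # pre-NAT address in a crypto ACL: never matches
                        findings.append(f"{name} matches real address {real_ip}; "
                                        f"pre-8.3 crypto ACLs must use the translated {glob_ip}")
                    elif local == glob_ip and iface and glob_if != iface:
                        findings.append(f"static for {glob_ip} is on {glob_if} but "
                                        f"crypto map {cmap} is on {iface}")
    return findings
```

On the quoted config `check(FW1_CONFIG)` returns no findings, so the mismatch, if any, is elsewhere (peer side, NAT exemption, or interface ACLs), which is where the reply above points.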