I've done this in the past but can't find my notes on it. The situation is that the remote site has private IP space overlapping the local IP space, so I need to NAT to another private range before the tunnel. The tunnel is up and a NAT is in place, but it is not NAT'ing my local private addresses to the NAT private range the remote end should be using, thus traffic is failing. This is on 9.1 code.
object network LPA
 subnet 172.16.66.8 255.255.255.248
object network obj-172.17.120.102
 host 172.17.120.102
object network obj-172.17.120.104
 host 172.17.120.104
access-list LPA extended permit ip 172.17.120.0 255.255.255.0 172.16.66.8 255.255.255.248
route OUTSIDE 172.16.66.8 255.255.255.248 <local peer GW> 1
crypto map OUTSIDE_map 2 match address LPA
crypto map OUTSIDE_map 2 set peer <remote peer>
crypto map OUTSIDE_map 2 set ikev2 ipsec-proposal CSM_IP_1
crypto map OUTSIDE_map 2 set security-association lifetime seconds 86400
crypto map OUTSIDE_map 2 set reverse-route
crypto map OUTSIDE_map interface OUTSIDE
nat (INSIDE,OUTSIDE) source static obj-192.168.1.102 obj-172.17.120.102 destination static LPA LPA no-proxy-arp
nat (INSIDE,OUTSIDE) source static obj-192.168.1.104 obj-172.17.120.104 destination static LPA LPA no-proxy-arp
Packet Capture sample
1275: 03:25:14.680964 802.1Q vlan#2 P0 192.168.1.104.53148 > 172.16.66.10.51968: P 2449571792:2449572069(277) ack 2804733924 win 64535
1276: 03:25:14.736366 802.1Q vlan#2 P0 172.16.66.10.51968 > 192.168.1.104.53148: P 2804733924:2804734025(101) ack 2449572069 win 63768
1277: 03:25:14.737327 802.1Q vlan#2 P0 192.168.1.104.53148 > 172.16.66.10.51968: P 2449572069:2449572298(229) ack 2804734025 win 64434
As you can see, it's maintaining the original real IP of the 192 subnet and not translating to a 172 subnet. This did work, but a rebuild of the config had to happen after the device was replaced and no backup config was available. I have the NATs as static to a subnet; should that be dynamic? Not sure what I'm missing here.
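When a VPN with overlapping address space is rebuilt by hand, the usual consistency question is whether the twice-NAT rules and the crypto ACL agree: the crypto map must match the translated (mapped) addresses, and every object the NAT rules reference must actually exist. The script below is an added example, not part of the original post and not a Cisco tool. It parses the ASA lines shown above (embedded as constructed sample input) with simple regular expressions, then checks that each NAT rule's mapped source and mapped destination fall inside an ACE of the ACL named by the crypto map, and reports any object referenced by a NAT rule but not defined in the snippet. A second, constructed config with a mapped source outside the crypto ACL shows the mismatch case. The object names obj-192.168.1.102 and obj-192.168.1.104 are referenced in the post but their definitions are not shown, so the checker flags them; they may well exist elsewhere in the running config.

```python
import ipaddress
import re

# Constructed sample input: the object, ACL, crypto map and NAT lines from the post.
ASA_CONFIG = """
object network LPA
 subnet 172.16.66.8 255.255.255.248
object network obj-172.17.120.102
 host 172.17.120.102
object network obj-172.17.120.104
 host 172.17.120.104
access-list LPA extended permit ip 172.17.120.0 255.255.255.0 172.16.66.8 255.255.255.248
crypto map OUTSIDE_map 2 match address LPA
nat (INSIDE,OUTSIDE) source static obj-192.168.1.102 obj-172.17.120.102 destination static LPA LPA no-proxy-arp
nat (INSIDE,OUTSIDE) source static obj-192.168.1.104 obj-172.17.120.104 destination static LPA LPA no-proxy-arp
"""

# Constructed variant (hypothetical addresses): all objects defined, but the mapped
# source 10.9.9.9 is not inside the crypto ACL's source network, so it would never
# be selected for the tunnel.
BAD_CONFIG = """
object network LPA
 subnet 172.16.66.8 255.255.255.248
object network obj-192.168.1.102
 host 192.168.1.102
object network obj-10.9.9.9
 host 10.9.9.9
access-list LPA extended permit ip 172.17.120.0 255.255.255.0 172.16.66.8 255.255.255.248
crypto map OUTSIDE_map 2 match address LPA
nat (INSIDE,OUTSIDE) source static obj-192.168.1.102 obj-10.9.9.9 destination static LPA LPA no-proxy-arp
"""


def parse_objects(cfg):
    """Return {name: ip_network} for each 'object network' block (host or subnet)."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(m.group(1))
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects


def parse_crypto_acls(cfg):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' ACEs."""
    acls = {}
    for line in cfg.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return acls


def crypto_map_acl(cfg):
    """Name of the ACL bound to the crypto map entry via 'match address'."""
    m = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg)
    return m.group(1) if m else None


def parse_twice_nat(cfg):
    """Twice-NAT rules: 'source static REAL MAPPED destination static MAPPED REAL'."""
    fields = ["real_ifc", "mapped_ifc", "real_src", "mapped_src", "mapped_dst", "real_dst"]
    rules = []
    for line in cfg.splitlines():
        m = re.match(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", line)
        if m:
            rules.append(dict(zip(fields, m.groups())))
    return rules


def check_vpn_nat(cfg):
    """Return a list of findings; an empty list means NAT and crypto ACL are consistent."""
    objs = parse_objects(cfg)
    aces = parse_crypto_acls(cfg).get(crypto_map_acl(cfg), [])
    findings = []
    for r in parse_twice_nat(cfg):
        for key in ("real_src", "mapped_src", "mapped_dst", "real_dst"):
            if r[key] not in objs:
                findings.append(f"object {r[key]} referenced by NAT rule is not defined in this snippet")
        ms, md = objs.get(r["mapped_src"]), objs.get(r["mapped_dst"])
        if ms is None or md is None:
            continue  # cannot evaluate coverage without both mapped objects
        # The crypto ACL is evaluated after NAT, so it must cover the mapped addresses.
        if not any(ms.subnet_of(s) and md.subnet_of(d) for s, d in aces):
            findings.append(f"mapped flow {ms} -> {md} is not covered by the crypto ACL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("post config", ASA_CONFIG), ("constructed mismatch", BAD_CONFIG)):
        print(name, check_vpn_nat(cfg) or ["no findings"])
```

On the post's snippet the checker reports only the two undefined object references; the mapped hosts 172.17.120.102 and .104 are inside 172.17.120.0/24 and the destination matches 172.16.66.8/29, so the crypto ACL and NAT agree as written. The constructed variant produces a single coverage finding, which is the shape of error the post is worried about.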