Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

Troubleshooting
Research
Professional Opinions
Ask a Question
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

troubleshooting Question

Problem with VPN Policy Nat on Cisco ASA

Avatar of cns13
cns13Flag for United States of America asked on
Hardware Firewalls
4 Comments1 Solution1730 ViewsLast Modified:
I have a Cisco ASA policy nat issue that's vexing me.  I'm trying to build a vpn between my customer's ASA and an outside vendor.  My customer has an inside range of 10.1.1.x/24, so I am policy natting it on my side.  My customer has a server at 10.1.1.16 that must be visible across the vpn.   The vendor has asked me to nat it to 10.95.93.1.  (The vendor's subnet is 10.69.100.0/24).  So I've put the following lines in my config:

access-list vpn extended permit ip host 10.95.93.1 10.69.100.0 255.255.255.0
access-list nat extended permit ip host 10.1.1.16 10.69.100.0 255.255.255.0
static (inside,outside) 10.95.93.1  access-list nat

When I do a "show xlate" command I see the following:

Global 10.95.93.1 Local 10.1.1.16

That suggests my translation is working.  And when I do a "show nat" command I get:

  match ip inside host 10.1.1.16 outside 10.69.100.0 255.255.255.0
    static translation to 10.95.93.1
    translate_hits = 0, untranslate_hits = 54

I'm wondering there if the 0 translated hits is a problem or not.

The issue is this.  The tunnel comes up fine.  And the vendor can send traffic to me, but I send no return traffic to him.  When I do a "sho crypto" command I see the following:

    Crypto map tag: VPN, seq num: 3, local addr: 64.69.xxx.xxx

      access-list vpn permit ip host 10.95.93.1 10.69.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.95.93.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.69.100.0/255.255.255.0/0/0)
      current_peer: 198.245.xxx.xxx

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 169, #pkts decrypt: 169, #pkts verify: 169
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

So I have gotten 169 packets but haven't sent any back.  And in my log files I'm seeing the following:

Jan 22 2009 13:04:50: %ASA-3-106014: Deny inbound icmp src inside:10.1.1.16 dst inside:10.69.100.54 (type 0, code 0)

That seems odd to me, as the 10.69.100.54 address shouldn't show as an "inside" address if it's the other end of a vpn tunnel, should it?

It seems like something isn't set quite right.

Ben
ASKER CERTIFIED SOLUTION
Avatar of JFrederick29
Commented:
This problem has been solved!
Unlock 1 Answer and 4 Comments.
See Answers