Question for Scott Morris

NAT issue in L2L VPN between Cisco router & non-Cisco device

I have configured the router with the necessary commands for the L2L VPN. But when I try to initiate the tunnel, it does not come up. After troubleshooting, I found an entry for the source & destination IP addresses in the NAT translation table. Ex - Source (172.16.0.0/24) & Destination (10.3.12.0/22). When I do `sh ip nat translation`, we find a dynamic entry for this source & destination.

So, could you please suggest a solution for it? I am waiting for your reply.

Comments

  • Scott will give the best solution.

    Meanwhile you can try this.

    If the NAT and VPN are sitting on the same router, then try the following:

    Configure a policy-based NAT, i.e. with ACLs. The first entry should deny the VPN interesting traffic, and then the "permit any any" translates any traffic.

    You can also use a route-map to do the same.

    If NAT is between the VPN routers, then use NAT-T.


    With regards

    Kings
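The NAT exemption Kings describes, written out as an added IOS configuration example (not from the original thread). It uses the two subnets from the question; the interface names, ACL names and the crypto map name (L2L-MAP) are assumptions. The point of the ordering is that on IOS, inside-to-outside NAT runs before the crypto map on the outside interface, so if the 172.16.0.0/24 -> 10.3.12.0/22 traffic gets translated it no longer matches the crypto ACL and never triggers the tunnel, which is exactly the dynamic translation the question reports seeing.

```cisco
! Added example, not from the thread. Subnets are the ones in the question;
! interface names, ACL names and the crypto map name are assumptions.
!
! 1. Interesting traffic for the tunnel (the ACL the crypto map references).
ip access-list extended VPN-TRAFFIC
 permit ip 172.16.0.0 0.0.0.255 10.3.12.0 0.0.3.255
!
! 2. NAT ACL: the FIRST line denies the VPN traffic so it is never
!    translated; everything else from the LAN is PATed to the outside address.
ip access-list extended NAT-TRAFFIC
 deny   ip 172.16.0.0 0.0.0.255 10.3.12.0 0.0.3.255
 permit ip 172.16.0.0 0.0.0.255 any
!
! 3a. ACL-based dynamic NAT ...
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
!
! 3b. ... or the route-map form (use one or the other, not both).
!     A packet that hits the deny line does not match the route-map,
!     so no translation is created for it.
route-map NAT-EXEMPT permit 10
 match ip address NAT-TRAFFIC
ip nat inside source route-map NAT-EXEMPT interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/1
 description Inside LAN 172.16.0.0/24
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description Outside (peer-facing), crypto map applied here
 ip nat outside
 crypto map L2L-MAP
!
! 4. Verification. Existing dynamic entries survive the ACL change, so flush
!    them, re-send traffic to 10.3.12.0/22, and confirm that no
!    172.16.0.x -> 10.3.12.x entry reappears while the SAs come up.
! router# clear ip nat translation *
! router# show ip nat translations | include 10.3.1
! router# show crypto isakmp sa
! router# show crypto ipsec sa
```

The `clear ip nat translation *` step matters: the translation the question saw was created before the deny line existed and would otherwise keep matching until it times out. On a PIX/ASA running pre-8.3 code the same exemption is `nat (inside) 0 access-list <acl>`, which is the "NAT 0" Scott asks about below.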

  • I would have the same reply as Kings, with one more comment.

    Usually NAT-T has issues between Cisco and non-Cisco devices. Thus I would suggest going for the first option and trying to avoid NAT as much as possible in L2L VPNs, especially when using non-Cisco devices.

  • Not sure why I'm being singled out here, but ok.  :)

    So, L2L is one thing.  NAT-T (as I saw mentioned in other devices) is completely different.

    Does your non-Cisco device support NAT-T?  If so, what port?  4500?  10000?  tcp?  udp?  something different?  ;)

    For straight IPSec, it should work great.  I run "normal" IPSec L2L stuff all the time between C and non-C devices, both myself and for customers.  But not NAT-T ones.

    Are we talking router or ASA/PIX?  Do you have a NAT 0 configuration?

    HTH,

    Scott Morris, CCIEx4 (R&S/ISP-Dial/Security/Service Provider) #4713,
    CCDE #2009::D, JNCIE-M #153, JNCIS-ER, CISSP, et al.
    JNCI-M, JNCI-ER
    [email protected]

    Internetwork Expert, Inc.
    http://www.InternetworkExpert.com
    Toll Free: 877-224-8987
    Outside US: 775-826-4344

    Knowledge is power.
    Power corrupts.
    Study hard and be Eeeeviiiil......

    kumar wrote:

    NAT issue in L2L VPN between Cisco router & non-Cisco device