2 Replies Latest reply on Apr 14, 2016 10:42 AM by quazar66

    Bi-directional NAT not working across VPN

    quazar66 New Member

      I have a VPN setup on a 6310 and have to hide the private IP subnet behind another private IP subnet across this VPN.  The VPN is up and I can ping a server across the VPN, but they are not able to ping anything on my side of the VPN.


      Private IP:
      NAT IP Subnet:
      Remote Subnet:


      When I show the policy sessions, it does not show that the destination is being NAT'd:


      Herringtons-Sheffield-NV6310#show ip policy-sessions

      Src Vrf (if not default), Src policy class:
      Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class
        Src IP Address  Src Port Dest IP Address Dst Port NAT IP Address    NAT Port
        --------------- -------- --------------- -------- ----------------- --------

      Policy class "Public":
      icmp (60) [VPN 110] -> Public    1  1



      interface eth 0/1
        ip address
        no ip proxy-arp
        ip access-policy Public
        ip crypto map VPN
        media-gateway ip loopback 1
        no shutdown
        no lldp send-and-receive



      interface eth 0/2
        encapsulation 802.1q
        no shutdown

      interface eth 0/2.1
        vlan-id 1 native
        ip address
        ip dhcp relay destination
        ip access-policy PrivateData
        media-gateway ip loopback 1
        no shutdown



      ip access-list extended VPN-110-vpn-selectors
        permit ip

      ip access-list extended web-acl-13
        remark NAT All to Spruce
        permit ip     log

      ip access-list extended web-acl-14
        remark NAT list web-acl-14
        permit ip     log




      ip nat pool Spruce static
        local global



      ip policy-class PrivateData
        allow list VPN-110-vpn-selectors stateless
        allow list VPN-AllowUDPStateful
        allow list VPN-1-Selectors stateless
        allow list AdminAccess-Private self
        allow list Allow-PrivateDataToPrivateVoice policy PrivateVoice
        nat source list web-acl-13 pool Spruce policy Public
        nat source list NATS-PrivateData interface eth 0/1 overload policy Public



      ip policy-class Public
        allow reverse list VPN-110-vpn-selectors stateless
        nat destination list web-acl-14 pool Spruce
        allow reverse list VPN-AllowUDPStateful
        allow reverse list VPN-1-Selectors stateless
        allow list AdminAccess-ADTRAN self
        allow list AdminAccess-Public self



      I used "Configuring NAT Pools in AOS.pdf" as a template. It just looks like the inbound packets are not hitting the "nat destination list web-acl-14 pool Spruce" line on the Public policy.
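The following is an added illustration, not code from the poster or from ADTRAN: a small Python model of the posted "Public" policy class under the assumption that a policy class, like an ordinary ACL, acts on the first entry that matches a packet. The subnets (10.1.1.0/24 as the real LAN, 192.168.100.0/24 as the subnet it is hidden behind, 172.16.0.0/16 as the remote side) and the bodies of the blank `permit ip` lines are constructed placeholders, since the post elides its real addresses. Under that first-match assumption, a packet arriving from the remote subnet for the NAT subnet matches the first `allow reverse list VPN-110-vpn-selectors stateless` entry before it ever reaches `nat destination list web-acl-14 pool Spruce`, so it is delivered with an untranslated destination, which is consistent with the empty NAT IP column in the session table; swapping the two entries changes the result.

```python
"""Model of top-down, first-match evaluation of an AOS-style policy class.

Added illustration for the forum post above; not ADTRAN's code and not the
poster's. It ASSUMES that the first matching policy-class entry is the one
that acts on a packet. All addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Constructed placeholder subnets (the original post leaves them blank).
PRIVATE = ipaddress.ip_network("10.1.1.0/24")          # real LAN behind eth 0/2.1
NAT_SUBNET = ipaddress.ip_network("192.168.100.0/24")  # subnet the LAN is hidden behind
REMOTE = ipaddress.ip_network("172.16.0.0/16")         # far side of the VPN


@dataclass(frozen=True)
class Acl:
    """One 'permit ip <src> <dst>' line of an extended access-list."""
    src: Net
    dst: Net

    def matches(self, src_ip, dst_ip, reverse=False):
        if reverse:  # 'allow reverse list': the ACL is evaluated with src/dst swapped
            return src_ip in self.dst and dst_ip in self.src
        return src_ip in self.src and dst_ip in self.dst


@dataclass(frozen=True)
class Entry:
    """One line of an 'ip policy-class'."""
    action: str                    # "allow", "allow reverse" or "nat destination"
    acl: Acl
    pool: Optional[tuple] = None   # (local_net, global_net) for a static NAT pool


def static_map(pool, dst_ip):
    """Static pool 'local L / global G': map the host offset one-to-one."""
    local, global_ = pool
    offset = int(dst_ip) - int(global_.network_address)
    return ipaddress.ip_address(int(local.network_address) + offset)


def evaluate(policy, src_ip, dst_ip):
    """Return (index of first matching entry, its action, destination after NAT).

    A 'nat destination' entry both permits and translates; any other match
    permits the packet unchanged. No match falls through to an implicit discard.
    """
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, e in enumerate(policy):
        if e.acl.matches(src_ip, dst_ip, reverse=(e.action == "allow reverse")):
            if e.action == "nat destination":
                return i, e.action, static_map(e.pool, dst_ip)
            return i, e.action, dst_ip
    return None, "implicit discard", dst_ip


# ACLs named as in the post; their bodies are constructed guesses at the blanks.
VPN_110_SELECTORS = Acl(NAT_SUBNET, REMOTE)   # local side of the selector is the NAT'd subnet
WEB_ACL_14 = Acl(REMOTE, NAT_SUBNET)          # "NAT list web-acl-14"
SPRUCE = (PRIVATE, NAT_SUBNET)                # ip nat pool Spruce static / local global

# Order of the two relevant entries exactly as posted in policy-class Public.
PUBLIC_AS_POSTED = [
    Entry("allow reverse", VPN_110_SELECTORS),
    Entry("nat destination", WEB_ACL_14, SPRUCE),
]
# The same two entries with the nat destination line moved above the allow reverse line.
PUBLIC_NAT_FIRST = list(reversed(PUBLIC_AS_POSTED))


def main():
    # Constructed inbound packet: remote host pinging a host on the hidden subnet.
    for name, policy in (("as posted", PUBLIC_AS_POSTED), ("nat first", PUBLIC_NAT_FIRST)):
        idx, action, dst = evaluate(policy, "172.16.5.5", "192.168.100.10")
        print(f"{name:9s}: entry {idx} '{action}' -> delivered to {dst}")


if __name__ == "__main__":
    main()
```

Running it prints that the "as posted" order delivers the packet to 192.168.100.10 via the `allow reverse` entry, while the "nat first" order translates it to 10.1.1.10 via `nat destination`. Whether the real 6310 evaluates its policy class this way is the assumption the model rests on; the `show ip policy-sessions` output is the place to confirm which entry a given session actually hit.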