Michael_Horne
Advisor

VPN connection with Destination NAT not working

Hello,

I am having trouble getting a destination NAT working for a VPN connection. I am sure it is a simple issue, but I have been banging my head against the wall with it for a couple of days.

I have a domain based VPN for a site to site VPN. The VPN domain is configured and working, as I can bring up the VPN for some other connections that are not using destination NAT. The Interoperable Device is configured with a VPN Domain that includes the "real" and "NAT IP":

Remote             Local
192.168.2.10/32    10.0.0.0/8
10.191.34.10/32    10.0.0.0/8

The Access Policy is configured for testing to match HTTP traffic from a host with the VPN configured:

The NAT Policy is configured for a destination NAT from NAT_Server (192.168.2.10) to the H_Server (10.191.34.10).

My understanding is that this should map the NAT_Server (192.168.2.10) to the H_Server (10.191.34.10).  This does appear to work as I see with "fw monitor" the traffic arriving on the firewall on the expected eth1 and trying to leave on the expected eth3:

The problem is that the packet stops on the outbound chain "o".  In the log files I see the message about encryption failure: Different community ID, possible NAT problem (VPN Error code 01)

If someone is able to guide me in the right direction to solve this, it would be much appreciated.

Many thanks,

6 Replies
G_W_Albrecht
Legend

Looks like the issue from sk25867 "Different community ID, possible NAT problem (VPN Error code 02)" error on packet drop

There is also sk108600 VPN Site-to-Site with 3rd party that may help...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Michael_Horne
Advisor

Hello,

I have been through many SKs recently, but I will check them out. I believe I have not looked at sk108600 yet.

0 Kudos
G_W_Albrecht
Legend

sk108600 is very helpful for VPN with 3rd Party GWs.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

Were you able to resolve the issue yet?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Michael_Horne
Advisor

Hi, I checked with support and Domain based VPN does not work when the encryption domains overlap.

G_W_Albrecht
Legend

That is certainly true 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
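
Added example, not part of the thread and not Check Point tooling: a pre-deployment check for the overlap condition support described, run against the VPN domain entries listed in the first post. The function name `find_overlaps` is hypothetical; the check itself uses only Python's standard `ipaddress` module.

```python
import ipaddress

# VPN domain entries as listed in the first post of the thread.
LOCAL_DOMAIN = ["10.0.0.0/8"]
REMOTE_DOMAIN = ["192.168.2.10/32", "10.191.34.10/32"]


def find_overlaps(local, remote):
    """Return (local_net, remote_net, relation) for every overlapping pair.

    Two CIDR networks overlap only when they are identical or one contains
    the other, so those three relations cover every case.
    Malformed entries raise ValueError from ipaddress.ip_network().
    """
    local_nets = [ipaddress.ip_network(n.strip()) for n in local]
    remote_nets = [ipaddress.ip_network(n.strip()) for n in remote]
    overlaps = []
    for lnet in local_nets:
        for rnet in remote_nets:
            # IPv4 and IPv6 entries can never overlap each other.
            if lnet.version != rnet.version or not lnet.overlaps(rnet):
                continue
            if lnet == rnet:
                relation = "identical"
            elif rnet.subnet_of(lnet):
                relation = "remote inside local"
            else:
                relation = "local inside remote"
            overlaps.append((str(lnet), str(rnet), relation))
    return overlaps


if __name__ == "__main__":
    found = find_overlaps(LOCAL_DOMAIN, REMOTE_DOMAIN)
    for lnet, rnet, relation in found:
        print(f"OVERLAP: local {lnet} / remote {rnet} ({relation})")
    if not found:
        print("No overlap between local and remote encryption domains")
```

With the thread's values, the remote entry 10.191.34.10/32 is reported as lying inside the local 10.0.0.0/8, while 192.168.2.10/32 does not overlap.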
