I have a VPN setup on a 6310 and have to hide the private IP subnet behind another private IP subnet across this VPN. The VPN is up and I can ping a server across the VPN, but they are not able to ping anything on my side of the VPN.
Private IP: 192.168.4.0/24
NAT IP Subnet: 192.168.174.0/24
Remote Subnet: 10.84.0.0/16
When I show the policy sessions, it does not show that the destination is being NAT'd:
Herringtons-Sheffield-NV6310#show ip policy-sessions
Src Vrf (if not default), Src policy class:
Protocol (TTL) [in crypto map] -> [out crypto map] Dest VRF, Dest policy-class
Src IP Address Src Port Dest IP Address Dst Port NAT IP Address NAT Port
--------------- -------- --------------- -------- ----------------- --------
Policy class "Public":
icmp (60) [VPN 110] -> Public
10.84.218.77 1 192.168.174.10 1
Configuration:
interface eth 0/1
ip address 184.74.10.158 255.255.255.252
no ip proxy-arp
ip access-policy Public
ip crypto map VPN
media-gateway ip loopback 1
no shutdown
no lldp send-and-receive
!
!
interface eth 0/2
encapsulation 802.1q
no shutdown
!
interface eth 0/2.1
vlan-id 1 native
ip address 192.168.4.1 255.255.255.0
ip dhcp relay destination 192.168.1.3
ip access-policy PrivateData
media-gateway ip loopback 1
no shutdown
.......
ip access-list extended VPN-110-vpn-selectors
permit ip 192.168.174.0 0.0.0.255 10.84.0.0 0.0.255.255
!
ip access-list extended web-acl-13
remark NAT All to Spruce
permit ip 192.168.4.0 0.0.0.255 10.84.0.0 0.0.255.255 log
!
ip access-list extended web-acl-14
remark NAT list web-acl-14
permit ip 10.84.0.0 0.0.255.255 192.168.174.0 0.0.0.255 log
!
!
!
ip nat pool Spruce static
local 192.168.4.1 192.168.4.254 global 192.168.174.1 192.168.174.254
!
.......
ip policy-class PrivateData
allow list VPN-110-vpn-selectors stateless
allow list VPN-AllowUDPStateful
allow list VPN-1-Selectors stateless
allow list AdminAccess-Private self
allow list Allow-PrivateDataToPrivateVoice policy PrivateVoice
nat source list web-acl-13 pool Spruce policy Public
nat source list NATS-PrivateData interface eth 0/1 overload policy Public
!
........
ip policy-class Public
allow reverse list VPN-110-vpn-selectors stateless
nat destination list web-acl-14 pool Spruce
allow reverse list VPN-AllowUDPStateful
allow reverse list VPN-1-Selectors stateless
allow list AdminAccess-ADTRAN self
allow list AdminAccess-Public self
!
I used "Configuring NAT Pools in AOS.pdf" as a template. Just looks like the inbound packets are not hitting the "nat destination list web-acl-14 pool Spruce" line on the Public policy
