ip address 192.168.2.1 255.255.255.0
ip nat inside
no shutdown
!
ip nat inside source list NAT interface fastEthernet0/0 overload
!
ip access-list extended crypto_ACL
permit ip 192.168.2.0 0.0.0.255 any
You issue the show crypto ipsec sa command and see that the tunnel is up, but no packets are being encrypted or decrypted on either side. To test connectivity, you sourced a ping from the private interface of each router, destined to the private interface of the far-end router. You ask a VPN expert to help you troubleshoot. The expert has verified that ESP is not being blocked and that the routing is correct.
After some troubleshooting, the expert makes which of these determinations?
A.
The problem is with the encryption ACL. As you were testing with ICMP, you needed to allow ICMP in both encryption ACLs:
Router1:
permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router2:
permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
B.
The problem is with the NAT ACL. VPN traffic should be denied in the NAT ACL so that the ACL looks like the following:
Router1:
ip access-list ext NAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 any
Router2:
ip access-list ext NAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 any
C.
The problem is that it is not possible to do NAT along with VPN on a XXX
D.
The problem is NAT Transparency is enabled. Dxxxxxxx
no crypto ipsec nat-transparency udp-encapsulation
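An added Python illustration of the order of operations this scenario hinges on, not part of the original question: on IOS an inside-to-outside packet is run through NAT before the crypto map's ACL is evaluated, so whether the NAT ACL translates site-to-site traffic decides whether the crypto ACL ever sees a matching source. The ACL contents, the outside address 203.0.113.1 and the sample packets are constructed for Router1's 192.168.1.0/24 side.

```python
"""Order-of-operations model: inside-to-outside NAT is applied to an egress
packet before the crypto map's ACL is evaluated, so a source address the
NAT ACL permits gets translated and may no longer match the crypto ACL.
Added illustration; ACLs, packets and the outside address 203.0.113.1 are
constructed, not taken from the question."""
import ipaddress


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC WILD DST WILD' (or 'any') into networks."""
    parts = line.split()
    action, proto, rest = parts[0], parts[1], parts[2:]
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:  # wildcard mask -> subnet mask by inverting the bits
            wild = int(ipaddress.IPv4Address(rest[1]))
            mask = ipaddress.IPv4Address(wild ^ 0xFFFFFFFF)
            nets.append(ipaddress.ip_network(f"{rest[0]}/{mask}", strict=False))
            rest = rest[2:]
    return action, proto, nets[0], nets[1]


def acl_permits(acl, src, dst, proto="icmp"):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for action, aproto, snet, dnet in map(parse_ace, acl):
        if aproto in ("ip", proto) and ipaddress.ip_address(src) in snet \
                and ipaddress.ip_address(dst) in dnet:
            return action == "permit"
    return False


def egress(src, dst, nat_acl, crypto_acl, outside_ip="203.0.113.1"):
    """NAT overload first, then test the post-NAT packet against the crypto ACL."""
    if acl_permits(nat_acl, src, dst):
        src = outside_ip  # PAT rewrites the source to the outside interface address
    return "encrypted" if acl_permits(crypto_acl, src, dst) else "clear"


# Router1 (192.168.1.0/24 side); constructed to mirror the question's design.
R1_CRYPTO_ACL = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
R1_NAT_ACL_NO_DENY = ["permit ip 192.168.1.0 0.0.0.255 any"]
R1_NAT_ACL_WITH_DENY = ["deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
                        "permit ip 192.168.1.0 0.0.0.255 any"]

if __name__ == "__main__":
    for nat in (R1_NAT_ACL_NO_DENY, R1_NAT_ACL_WITH_DENY):
        print(len(nat), "ACE NAT list -> VPN ping:", egress("192.168.1.10", "192.168.2.10", nat, R1_CRYPTO_ACL))
```

Running it shows the site-to-site ping leaving in the clear with the one-line NAT list and being encrypted once the deny is in front of the permit, while Internet-bound traffic is still translated in both cases.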