07-12-2007 01:30 PM - edited 02-21-2020 03:09 PM
I am having trouble with NAT over VPN. With the current configs below it will complete phase one of the tunnel, then stop because the IP is not NATted. If I put a permit any in the permit statement it will NAT to the internet from the host, but not over the VPN. If I put in a static NAT statement it will NAT and attempt to create a tunnel, but I receive the error (incrementing error counter on sa, attempt 1 of 5: retransmit phase 1).
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BatsVpnRouter
!
boot-start-marker
boot system flash c1700-k9o3sy7-mz.122-13.T.bin
boot-end-marker
!
no logging console
enable secret xxx
enable password xxx
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
no ip subnet-zero
!
ip cef
ip audit po max-events 100
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address 190.0.0.1
!
!
crypto ipsec transform-set BATS esp-3des esp-sha-hmac
!
crypto map bats_map 2 ipsec-isakmp
set peer 190.0.0.1
set transform-set BATS
match address BATSACL
!
!
!
interface Ethernet0
ip address 11.0.x.x 255.255.255.224
ip nat outside
full-duplex
crypto map bats_map
!
interface FastEthernet0
ip address 192.168.1.2 255.255.255.0
ip nat inside
speed 100
full-duplex
!
ip nat inside source list bats-nat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 11.0.0.1
no ip http server
no ip http secure-server
!
ip access-list extended BATSACL
permit ip host 11.0.0.5 host 200.0.0.1
permit ip host 192.168.1.100 host 200.0.0.1
permit ip host 11.0.0.5 host 200.0.0.2
permit ip host 192.168.1.100 host 200.0.0.2
permit ip host 11.0.0.5 host 200.0.0.3
permit ip host 192.168.1.100 host 200.0.0.3
ip access-list extended bats-nat
permit ip host 192.168.1.100 host 200.0.0.1 log
permit ip host 192.168.1.100 host 200.0.0.2
permit ip host 192.168.1.100 host 200.0.0.3
!
snmp-server community public RO
snmp-server enable traps tty
alias exec clip clear ip rou *
alias exec crs copy run start
alias exec deb187 debug ip pack det 187
alias exec ospfnei sh ip ospf nei
alias exec ship sho ip route
alias exec shr sho run
alias exec siib show ip inter brief
alias exec sip sho ip pro
alias exec tr traceroute
alias exec ss sho sess
alias exec sl sho line
alias exec cl clear line
!
line con 0
line aux 0
line vty 0 4
password xxx
login
07-12-2007 02:43 PM
Hi, the problem is that NAT with access-lists doesn't give you detailed control over the translation entries.
With the route-map method you ensure that the decision of which address to translate to is made on a per-flow basis rather than once.
route-map nat-me permit 10
match ip address bats-nat
ip nat inside source route-map nat-me interface Ethernet0 overload
07-13-2007 08:35 AM
I edited the configs as attached below. When I first did the statement it completed phase 1, but I could not transfer traffic through the tunnel. I saved the configs and restarted to get a debug of the action from the start. Upon debugging after the restart, no data was NATted. I have attached my debug file, thank you.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BatsVpnRouter
!
boot-start-marker
boot system flash c1700-k9o3sy7-mz.122-13.T.bin
boot-end-marker
!
no logging console
enable secret xxx
enable password xxx
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
no ip subnet-zero
!
ip cef
ip audit po max-events 100
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address 190.0.0.1
!
!
crypto ipsec transform-set BATS esp-3des esp-sha-hmac
!
crypto map bats_map 2 ipsec-isakmp
set peer 190.0.0.1
set transform-set BATS
match address BATSACL
!
interface Ethernet0
ip address 11.x.x.5 255.255.255.224
ip nat outside
full-duplex
crypto map bats_map
!
interface FastEthernet0
ip address 192.168.1.2 255.255.255.0
ip nat inside
speed 100
full-duplex
!
ip nat inside source route-map nat-me interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 11.0.0.1
no ip http server
no ip http secure-server
!
ip access-list extended BATSACL
permit ip host 11.0.0.5 host 200.0.0.1
permit ip host 192.168.1.100 host 200.0.0.1
permit ip host 11.0.0.5 host 200.0.0.2
permit ip host 192.168.1.100 host 200.0.0.2
permit ip host 11.0.0.5 host 200.0.0.3
permit ip host 192.168.1.100 host 200.0.0.3
ip access-list extended bats-nat
permit ip host 192.168.1.100 host 200.0.0.1 log
permit ip host 192.168.1.100 host 200.0.0.2
permit ip host 192.168.1.100 host 200.0.0.3
!
route-map nat-me permit 10
match ip address bats-nat
!
snmp-server community public RO
snmp-server enable traps tty
alias exec clip clear ip rou *
alias exec crs copy run start
alias exec deb187 debug ip pack det 187
alias exec ospfnei sh ip ospf nei
alias exec ship sho ip route
alias exec shr sho run
alias exec siib show ip inter brief
alias exec sip sho ip pro
alias exec tr traceroute
alias exec ss sho sess
alias exec sl sho line
alias exec cl clear line
!
line con 0
line aux 0
line vty 0 4
password xxx
login
07-13-2007 09:29 AM
Ok, the debug is from the initiator side and does not really give you an explanation. Can you get the debug from the other side?
But first check your access-lists used in the crypto map on both sides, that is a common cause for this to happen!
Otherwise attach the debug from the other end of the tunnel.
07-13-2007 11:11 AM
Here is the debug info from the remote firewall
Jul 10 16:49:48 [IKEv1]: Group = 11.0.0.5, IP = 11.0.0.5, Static Crypto Map check, map = outside_map, seq = 50, ACL does not match proxy IDs src:192.168.1.100 dst:200.0.0.1
07-13-2007 11:38 AM
Ok. You need to make sure that the ACLs are identical (but mirrored) on both sides, which means you probably need to remove some lines on router 1. The ACL should look like this:
ip access-list extended BATSACL
permit ip host 11.0.0.5 host 200.0.0.1
permit ip host 11.0.0.5 host 200.0.0.2
permit ip host 11.0.0.5 host 200.0.0.3
Then remove the 'log' keyword from this line:
ip access-list extended bats-nat
permit ip host 192.168.1.100 host 200.0.0.1 log
Ok, now that you have cleaned up, try to bring up the tunnel again; try with both 200.0.0.1 and 200.0.0.2.
Then check the remote debug again.
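The accepted answer rests on two facts about how an IOS router handles an inside host's traffic: NAT runs before the crypto map, so the crypto ACL has to describe the translated source, and the peer only accepts Phase 2 proxy IDs that are the exact mirror of its own crypto ACL. The script below is an added example, not code from the thread or from Cisco, that models both rules over the ACLs posted above (BATSACL and bats-nat are copied from the thread; PEER_ACL is an assumed mirror on the remote firewall, which the thread never shows). It reproduces the "ACL does not match proxy IDs src:192.168.1.100 dst:200.0.0.1" rejection seen in the remote debug, shows that the tunnel proposes 11.0.0.5 once NAT works, and reports which BATSACL lines have no mirror on the peer.

```python
"""Model IOS order of operations (NAT -> crypto map) and crypto ACL mirroring.

Added example for the thread above, not Cisco code. Only 'permit ip host A host B [log]'
lines are modelled, since that is all the posted ACLs use.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: str
    dst: str


ENTRY_RE = re.compile(r"^\s*permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)(\s+log)?\s*$")

# Copied from the thread: the crypto ACL and the NAT ACL on BatsVpnRouter.
BATSACL = """
permit ip host 11.0.0.5 host 200.0.0.1
permit ip host 192.168.1.100 host 200.0.0.1
permit ip host 11.0.0.5 host 200.0.0.2
permit ip host 192.168.1.100 host 200.0.0.2
permit ip host 11.0.0.5 host 200.0.0.3
permit ip host 192.168.1.100 host 200.0.0.3
"""
BATS_NAT = """
permit ip host 192.168.1.100 host 200.0.0.1 log
permit ip host 192.168.1.100 host 200.0.0.2
permit ip host 192.168.1.100 host 200.0.0.3
"""
# Assumed (not in the thread): the remote firewall's crypto ACL, the mirror of the 11.0.0.5 lines.
PEER_ACL = """
permit ip host 200.0.0.1 host 11.0.0.5
permit ip host 200.0.0.2 host 11.0.0.5
permit ip host 200.0.0.3 host 11.0.0.5
"""
OUTSIDE_IP = "11.0.0.5"  # Ethernet0 address, which 'interface Ethernet0 overload' translates to


def parse_host_acl(text):
    """Return an AclEntry for every host-to-host permit line of an IOS extended ACL."""
    return [AclEntry(m.group(1), m.group(2))
            for m in (ENTRY_RE.match(line) for line in text.splitlines()) if m]


def lines_with_log(text):
    """Lint: NAT ACL lines carrying the 'log' keyword, which the answer says to remove."""
    matches = [ENTRY_RE.match(line) for line in text.splitlines()]
    return [m.group(0).strip() for m in matches if m and m.group(3)]


def nat_translate(src, dst, nat_acl, outside_ip, nat_working=True):
    """A flow matching the NAT ACL leaves with the outside interface address.
    nat_working=False reproduces the 'no data was natted' state from the thread,
    where the packet reaches the crypto map with its inside source untouched."""
    if nat_working and AclEntry(src, dst) in nat_acl:
        return outside_ip
    return src


def proposed_proxy_ids(src, dst, nat_acl, crypto_acl, outside_ip, nat_working=True):
    """Proxy IDs (src, dst) the router offers in Phase 2 for this flow, or None when no
    crypto ACL line matches the post-NAT packet (then no tunnel is attempted at all)."""
    post_nat = AclEntry(nat_translate(src, dst, nat_acl, outside_ip, nat_working), dst)
    return (post_nat.src, post_nat.dst) if post_nat in crypto_acl else None


def peer_accepts(proxy_ids, peer_acl):
    """The peer accepts proxy IDs only if its own crypto ACL holds the mirrored line."""
    src, dst = proxy_ids
    return AclEntry(dst, src) in peer_acl


def mirror_mismatches(local_acl, peer_acl):
    """Lines on each side that the other side does not mirror; both lists must be empty."""
    local_only = [e for e in local_acl if AclEntry(e.dst, e.src) not in peer_acl]
    peer_only = [e for e in peer_acl if AclEntry(e.dst, e.src) not in local_acl]
    return local_only, peer_only


def run_scenarios():
    """Walk the thread's situations for the flow 192.168.1.100 -> 200.0.0.1."""
    crypto, nat, peer = parse_host_acl(BATSACL), parse_host_acl(BATS_NAT), parse_host_acl(PEER_ACL)
    cleaned = [e for e in crypto if e.src == OUTSIDE_IP]  # the ACL the answer recommends
    flow = ("192.168.1.100", "200.0.0.1")
    return {
        "nat_ok": proposed_proxy_ids(*flow, nat, crypto, OUTSIDE_IP),
        "nat_broken": proposed_proxy_ids(*flow, nat, crypto, OUTSIDE_IP, nat_working=False),
        "nat_broken_cleaned": proposed_proxy_ids(*flow, nat, cleaned, OUTSIDE_IP, nat_working=False),
        "mismatch_before": mirror_mismatches(crypto, peer),
        "mismatch_after": mirror_mismatches(cleaned, peer),
        "log_lines": lines_with_log(BATS_NAT),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

With NAT working, the router proposes 11.0.0.5/200.0.0.1 and the peer accepts it. With NAT broken, the untranslated packet still matches one of the 192.168.1.100 lines in BATSACL, so the router proposes proxy IDs the peer has no mirror for, which is exactly the rejection in the remote debug. Once the 192.168.1.100 lines are removed, the same broken-NAT flow matches nothing in the crypto ACL and no tunnel is attempted, so the NAT fault shows up locally instead of as a confusing Phase 2 failure at the far end.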
07-12-2007 10:16 PM
Hello.
Is this still an issue?
So if you're looking to NAT across the tunnel, then remove the host lines in BATSACL referring to the 192.168.1.x hosts.
Likewise the other end should be the same.
Hope that helps.