Solved: NAT through VPN

jimwysocki · ‎07-12-2007

I am havening trouble with NAT over VPN. with the current configs below it will complete phase one of the tunnel then stop because the ip is not natted. if i put a permit any in the permit statement it will nat to the internet from the host but not over the vpn. if i put in a static nat statement it will nat and attempt to create a tunnel but i receive the error (incrementing error counter on sa, attempt 1 of 5: retransmit phase 1)

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname BatsVpnRouter

!

boot-start-marker

boot system flash c1700-k9o3sy7-mz.122-13.T.bin

boot-end-marker

!

no logging console

enable secret xxx

enable password xxx

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

no ip subnet-zero

!

ip cef

ip audit po max-events 100

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxx address 190.0.0.1

!

crypto ipsec transform-set BATS esp-3des esp-sha-hmac

!

crypto map bats_map 2 ipsec-isakmp

set peer 190.0.0.1

set transform-set BATS

--More-- match address BATSACL

!

interface Ethernet0

ip address 11.0.x.x.255.255.224

ip nat outside

full-duplex

crypto map bats_map

!

interface FastEthernet0

ip address 192.168.1.2 255.255.255.0

ip nat inside

speed 100

full-duplex

!

ip nat inside source list bats-nat interface Ethernet0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 11.0.0.1

no ip http server

no ip http secure-server

!

ip access-list extended BATSACL

permit ip host 11.0.0.5 host 200.0.0.1

permit ip host 192.168.1.100 host 200.0.0.1

permit ip host 11.0.0.5 host 200.0.0.2

permit ip host 192.168.1.100 host 200.0.0.2

permit ip host 11.0.0.5 host 200.0.0.3

permit ip host 192.168.1.100 host 200.0.0.3

ip access-list extended bats-nat

permit ip host 192.168.1.100 host 200.0.0.1 log

permit ip host 192.168.1.100 host 200.0.0.2

permit ip host 192.168.1.100 host 200.0.0.3

!

snmp-server community public RO

snmp-server enable traps tty

alias exec clip clear ip rou *

alias exec crs copy run start

alias exec deb187 debug ip pack det 187

alias exec ospfnei sh ip ospf nei

alias exec ship sho ip route

alias exec shr sho run

alias exec siib show ip inter brief

alias exec sip sho ip pro

alias exec tr traceroute

alias exec ss sho sess

alias exec sl sho line

alias exec cl clear line

!

line con 0

line aux 0

line vty 0 4

password xxx

login

mattiaseriksson · ‎07-13-2007

Ok. You need to make sure that the ACl:s are identical (but mirrored) on both sides, which means you probably need to remove some lines on router 1. The ACL should look like this:

ip access-list extended BATSACL

permit ip host 11.0.0.5 host 200.0.0.1

permit ip host 11.0.0.5 host 200.0.0.2

permit ip host 11.0.0.5 host 200.0.0.3

Then remove the 'log' keyword from this line:

ip access-list extended bats-nat

permit ip host 192.168.1.100 host 200.0.0.1 log

Ok now you have cleaned up, try to bring up the tunnel again, try with both 200.0.0.1 and 200.0.0.2.

Then check the remote debug again.

View solution in original post

mattiaseriksson · ‎07-12-2007

Hi, the problem is that NAT with access-lists don't give you a detailed control over the translation entries.

with the route-map method you ensure that the decision of the address to translate to is done on a per flow basis rather than once.

route-map nat-me permit 10

match ip address bats-nat

ip nat inside source route-map nat-me interface Ethernet0 overload

jimwysocki · ‎07-13-2007

I edited the configs as attached below. when i first did the statement it completed phase 1 but i could not transfer traffic through the tunnel. I saved the configs and restarted to get a debug of the action from the start. upon debugging after the restart no data was natted. i have attached my debug file, thank you

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname BatsVpnRouter

!

boot-start-marker

boot system flash c1700-k9o3sy7-mz.122-13.T.bin

boot-end-marker

!

no logging console

enable secret xxx

enable password xxx

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

no ip subnet-zero

!

ip cef

ip audit po max-events 100

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxx address 190.0.0.1

!

crypto ipsec transform-set BATS esp-3des esp-sha-hmac

!

crypto map bats_map 2 ipsec-isakmp

set peer 190.0.0.1

set transform-set BATS

match address BATSACL

!

interface Ethernet0

ip address 11.x.x.5 255.255.255.224

ip nat outside

full-duplex

crypto map bats_map

!

interface FastEthernet0

ip address 192.168.1.2 255.255.255.0

ip nat inside

speed 100

full-duplex

!

ip nat inside source route-map nat-me interface Ethernet0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 11.0.0.1

no ip http server

no ip http secure-server

!

ip access-list extended BATSACL

permit ip host 11.0.0.5 host 200.0.0.1

permit ip host 192.168.1.100 host 200.0.0.1

permit ip host 11.0.0.5 host 200.0.0.2

permit ip host 192.168.1.100 host 200.0.0.2

permit ip host 11.0.0.5 host 200.0.0.3

permit ip host 192.168.1.100 host 200.0.0.3

ip access-list extended bats-nat

permit ip host 192.168.1.100 host 200.0.0.1 log

permit ip host 192.168.1.100 host 200.0.0.2

permit ip host 192.168.1.100 host 200.0.0.3

!

route-map nat-me permit 10

match ip address bats-nat

!

snmp-server community public RO

snmp-server enable traps tty

alias exec clip clear ip rou *

alias exec crs copy run start

alias exec deb187 debug ip pack det 187

alias exec ospfnei sh ip ospf nei

alias exec ship sho ip route

alias exec shr sho run

alias exec siib show ip inter brief

alias exec sip sho ip pro

alias exec tr traceroute

alias exec ss sho sess

alias exec sl sho line

alias exec cl clear line

!

line con 0

line aux 0

line vty 0 4

password xxx

login

mattiaseriksson · ‎07-13-2007

Ok, the debug is from the initiator side and does not really give you an explanation. Can you get the debug from the other side?

But first check your access-lists used in the crypto map on both sides, that is a common cause for this to happen!

Otherwise attach the debug from the other end of the tunnel.

jimwysocki · ‎07-13-2007

Here is the debug info from the remote firewall

Jul 10 16:49:48 [IKEv1]: Group = 11.0.0.5, IP = 11.0.0.5, Static Crypto Map check, map = outside_map, seq = 50, ACL does not match proxy IDs src:192.168.1.100 dst:200.0.0.1

mattiaseriksson · ‎07-13-2007

Ok. You need to make sure that the ACl:s are identical (but mirrored) on both sides, which means you probably need to remove some lines on router 1. The ACL should look like this:

ip access-list extended BATSACL

permit ip host 11.0.0.5 host 200.0.0.1

permit ip host 11.0.0.5 host 200.0.0.2

permit ip host 11.0.0.5 host 200.0.0.3

Then remove the 'log' keyword from this line:

ip access-list extended bats-nat

permit ip host 192.168.1.100 host 200.0.0.1 log

Ok now you have cleaned up, try to bring up the tunnel again, try with both 200.0.0.1 and 200.0.0.2.

Then check the remote debug again.

timkaye · ‎07-12-2007

Hello.

Is this still an issue?

So if your looking to NAT across the tunnel, then remove the host lines in BATSACL referring to the 192.168.1.x hosts.

Likewise the other end should be the same.

Hope that helps.