11-01-2007 02:56 AM - edited 03-03-2019 07:21 PM
Dear all,
I want to establish a site-to-site VPN, but both sites are using the same IP network, so I have to handle this overlap. I did the configuration, but when I try to ping it times out. After running commands on the router I found out that the remote network (VPN) traffic is routed to the Internet.
# show ip nat translation
icmp 10.5.125.101:1 10.10.10.63:1 67.15.104.48:1 67.15.104.48:1
udp 10.5.125.101:16618 10.10.10.63:16618 192.168.1.100:5060 192.168.1.100:5060
Currently I am doing source NAT using 10.5.125.101, whereas my local IP address is 10.10.10.63.
My router config is:
crypto isakmp key xxx address 210.19.20.12 no-xauth
crypto map worldnow 23 ipsec-isakmp
set peer 210.19.20.12
set transform-set world
match address 193
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 202.x.x.10 255.255.255.252
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1375
duplex auto
speed auto
crypto map world
interface FastEthernet1
ip address 10.10.10.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
ip nat pool netover 10.5.125.101 10.5.125.101 prefix-length 24
ip nat inside source list 7 pool netover
access-list 7 permit 10.10.10.62
access-list 7 permit 10.10.10.63
access-list 7 permit 10.10.10.61
access-list 7 permit 10.10.10.64
access-list 193 permit ip 10.10.10.0 0.0.0.255 host 10.8.13.113
access-list 193 permit ip 10.10.10.0 0.0.0.255 host 10.8.1.71
access-list 193 permit ip 10.10.10.0 0.0.0.255 host 10.8.1.72
access-list 193 permit ip 10.10.10.0 0.0.0.255 host 10.3.22.51
access-list 193 permit ip 10.10.10.0 0.0.0.255 host 10.5.3.101
Any idea how to solve this?
Thanks
11-01-2007 03:08 AM
Hi
It's a little unclear what the exact problem is from your description. Could you have a look at the following document, which explains how to set up a site-to-site VPN between two routers using the same local subnet:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
Please come back with any further questions after reading the doc.
HTH
Jon
11-01-2007 10:21 PM
Thanks Marshall,
This is exactly what I want, but I am unable to understand one point in that link.
NAT pools 172.18.x.x and 172.19.x.x are defined; what is the purpose of these two pools,
whereas my peer site only provided me a single IP address to source NAT?
Kindly help to resolve this.
Thanks.
11-02-2007 03:38 AM
Hi
That's fine. If you don't need to use a NAT pool but just one IP address, then use that instead. It will still work.
Jon
11-02-2007 04:54 AM
Dear Jon,
I read that document. It helped a lot to understand this, but my peer only told me to access their network hosts (only these: 10.8.13.113, 10.3.22.51, 10.5.3.101) using the IP 10.5.125.101.
Can you please tell me what the proper form of the "ip nat inside source ...." command is?
Thanks,
11-02-2007 07:38 AM
Hi
Instead of
ip nat inside source list 7 pool netover
try
ip nat inside source list 193 pool netover
HTH
Jon
11-02-2007 08:16 PM
Don't just try, try to understand why it's not working.
Create a loopback, send all traffic coming from the internal side to it; this will get the addresses translated, then send them to the WAN interface to get encrypted.
Good luck
11-03-2007 12:55 AM
Hi
When I put "instead of this try that" it was not through a lack of understanding. I would not tell someone to just try and do something if I did not think that was the solution. Perhaps it is just a matter of semantics; maybe you would have been happier if I had said "do this instead"???
The original poster wants to do conditional NAT, and for that his config was using the wrong access-list, so he needs to use access-list 193 as this has both source and destination networks in it.
Jon
11-04-2007 10:43 PM
First of all, thanks for all of your help.
But using this also didn't solve my problem.
ip nat pool netover 10.5.125.101 10.5.125.101 netmask 255.255.255.0
ip nat inside source list 193 pool netover
#debug ip nat
#
#sh ip nat translation
#
No output from the router.
11-05-2007 06:44 AM
Hey, buddy, I didn't mean that. I am sorry if you felt offended; I didn't think too much as I was busy typing.
11-07-2007 06:56 AM
Outbound crypto occurs after NAT (see http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml ). That's why your crypto ACL should be
access-list 193 permit ip host 10.5.125.101 host 10.8.13.113
...
Using a NAT pool instead of static NAT is appropriate as long as they don't want to connect back into your network.
Check the counters in:
sh crypto session det
sh access-list
11-07-2007 10:36 PM
Thanks koltl,
This solved the problem. But now I have another issue. I have a list of local-network hosts that need to access remote servers (10.8.13.113, 10.8.1.71, 10.8.72, 10.5.3.102).
Some local-net hosts are able to access the remote side, but some are not.
Successful host 10.10.10.63:
c:\ping 10.8.1.71
Reply from 10.8.1.71: bytes=32 time=442ms TTL=122
Reply from 10.8.1.71: bytes=32 time=286ms TTL=122
router#debug ip nat
000311: Nov 8 11:22:17.540 PCTime: NAT*: s=10.10.10.63->10.5.125.101, d=10.8.1.71 [11121]
000312: Nov 8 11:22:18.460 PCTime: NAT*: s=10.8.1.71, d=10.5.125.101->10.10.10.63 [22866]
000313: Nov 8 11:22:18.540 PCTime: NAT*: s=10.10.10.63->10.5.125.101, d=10.8.1.71 [11123]
router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 10.5.125.101 10.5.125.101 --- ---
icmp 10.5.125.101:1 10.10.10.63:1 10.8.1.71:1 10.8.1.71:1
--- 10.5.125.101 10.10.10.63 --- ---
Failure from another host, 10.10.10.64:
c:\ping 10.8.1.71
Request timed out.
Request timed out.
Request timed out.
Request timed out.
000337: Nov 8 11:34:33.456 PCTime: NAT: expiring 10.5.125.101 (10.10.10.63) icmp 1 (1)
000338: Nov 8 11:37:02.552 PCTime: NAT: translation failed (A), dropping packet s=10.10.10.64 d=10.8.1.71
000339: Nov 8 11:37:07.908 PCTime: NAT: translation failed (A), dropping packet s=10.10.10.64 d=10.8.1.71
000340: Nov 8 11:37:13.412 PCTime: NAT: translation failed (A), dropping packet s=10.10.10.64 d=10.8.1.71
My current configuration is:
ip nat pool netover 10.5.125.101 10.5.125.101 netmask 255.255.255.0
ip nat inside source list 101 pool netover
access-list 101 permit ip host 10.10.10.61 host 10.8.13.113
access-list 101 permit ip host 10.10.10.61 host 10.8.1.71
access-list 101 permit ip host 10.10.10.61 host 10.8.1.72
access-list 101 permit ip host 10.10.10.61 host 10.5.3.101
access-list 101 permit ip host 10.10.10.61 host 10.3.22.51
access-list 101 permit ip host 10.10.10.62 host 10.8.13.113
access-list 101 permit ip host 10.10.10.62 host 10.8.1.71
access-list 101 permit ip host 10.10.10.62 host 10.8.1.72
access-list 101 permit ip host 10.10.10.62 host 10.5.3.101
access-list 101 permit ip host 10.10.10.62 host 10.3.22.51
access-list 101 permit ip host 10.10.10.63 host 10.8.13.113
access-list 101 permit ip host 10.10.10.63 host 10.8.1.71
access-list 101 permit ip host 10.10.10.63 host 10.8.1.72
access-list 101 permit ip host 10.10.10.63 host 10.5.3.101
access-list 101 permit ip host 10.10.10.63 host 10.3.22.51
access-list 101 permit ip host 10.10.10.64 host 10.8.13.113
access-list 101 permit ip host 10.10.10.64 host 10.8.1.71
access-list 101 permit ip host 10.10.10.64 host 10.8.1.72
access-list 101 permit ip host 10.10.10.64 host 10.5.3.101
access-list 101 permit ip host 10.10.10.64 host 10.3.22.51
access-list 193 permit ip host 10.5.125.101 host 10.8.1.71
access-list 193 permit ip host 10.5.125.101 host 10.8.1.72
access-list 193 permit ip host 10.5.125.101 host 10.8.13.113
access-list 193 permit ip host 10.5.125.101 host 10.5.3.101
access-list 193 permit ip host 10.5.125.101 host 10.3.22.51
Hope you can help me solve this also.
Thanks a lot
11-08-2007 09:44 AM
Perhaps:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080094e75.shtml
Perhaps:
clear ip nat tr *
Or:
IOS upgrade
11-09-2007 02:21 PM
My current IOS version is:
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
I also applied the commands
(config)# ip subnet-zero
#clear ip nat trans *
but I am unable to get a reply from some of the hosts, whereas my router displays some NAT translations.
Second, I want to add some important information: when I changed the following line
ip nat pool netover 10.5.125.101 10.5.125.101 netmask 255.255.255.0
to
ip nat pool netover 10.5.125.101 10.5.125.101 netmask 255.255.0.0
I was able to ping one more host from my LAN to the remote side.
I think with your experience and expertise I will be able to solve this issue also.
Thanks to all of you
11-10-2007 03:21 AM
Append 'extendable' or 'overload' to this command:
ip nat inside source list 101 pool netover
It's a must for PAT.
Peter
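The two fixes in this thread (koltl's: the crypto ACL must match the post-NAT source because crypto is applied after NAT; Peter's: a one-address pool without overload can only serve one inside host) can be checked with a small model of the router's outbound path. This is an added illustration, not code from the thread or from Cisco; the `Router` class, its helper names and the trimmed ACL sets are constructed for the example.

```python
import ipaddress

# Constructed model of the poster's router: one-address pool "netover",
# a subset of NAT ACL 101, and the old vs. corrected crypto ACL 193.
NAT_POOL = ["10.5.125.101"]     # ip nat pool netover 10.5.125.101 10.5.125.101
NAT_ACL = {("10.10.10.63", "10.8.1.71"), ("10.10.10.64", "10.8.1.71")}
CRYPTO_ACL_OLD = [("10.10.10.0/24", "10.8.1.71/32")]    # pre-NAT source (wrong)
CRYPTO_ACL_NEW = [("10.5.125.101/32", "10.8.1.71/32")]  # post-NAT source (right)


def crypto_match(acl, src, dst):
    """True if (src, dst) is permitted by a list of (src_net, dst_net) entries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in acl)


class Router:
    def __init__(self, crypto_acl, overload):
        self.crypto_acl = crypto_acl
        self.overload = overload          # 'overload' keyword on ip nat inside source
        self.translations = {}            # inside local -> inside global

    def forward(self, src, dst):
        """Classify one outbound packet: 'encrypted', 'nat-failed' or 'clear-text'."""
        if (src, dst) in NAT_ACL:                     # NAT happens first (inside -> outside)
            if src not in self.translations:
                if self.overload:
                    self.translations[src] = NAT_POOL[0]   # PAT: many locals, one global
                else:
                    used = set(self.translations.values())
                    free = [a for a in NAT_POOL if a not in used]
                    if not free:
                        # matches the thread's debug: "translation failed (A)"
                        return "nat-failed"
                    self.translations[src] = free[0]
            src = self.translations[src]
        # crypto map on the outside interface sees the translated source
        return "encrypted" if crypto_match(self.crypto_acl, src, dst) else "clear-text"


def scenario(crypto_acl, overload):
    """Run hosts .63 then .64 towards 10.8.1.71 and return their outcomes."""
    r = Router(crypto_acl, overload)
    return [r.forward("10.10.10.63", "10.8.1.71"), r.forward("10.10.10.64", "10.8.1.71")]
```

`scenario(CRYPTO_ACL_OLD, False)` reproduces the first symptom (traffic leaves in clear text towards the Internet), `scenario(CRYPTO_ACL_NEW, False)` the second (only the first host gets a translation), and `scenario(CRYPTO_ACL_NEW, True)` the working state.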