IPSec PAT issues

Unanswered Question
Oct 31st, 2008

Hi guys,

Please help, I am having a hard time setting up PAT properly on my IPSec VPN setup. I have a 2611XM on one side and an 831 on the other in an L2L configuration. Everything works fine, i.e. hosts on the private networks behind the VPN gateways are accessible to each other, but once PAT is applied and the crypto maps are reapplied, ISAKMP Phase 1 never takes place.

So to speak, my config works, but only if I have no PAT applied to the outside interfaces.

Here are my ACLs, in short, that are applied to the outside interfaces:

ip access-list extended ISP
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit ahp any any
 permit udp any any eq 10000

Any suggestions?

Thanks in advance,

Remi


Hi Remi,

Greetings from New York City!

I have a feeling you are forgetting to bypass NAT for the private hosts... try this:

! ACL that does NAT
! assuming you use 10.x.x.x, of course
! change if you are using 172.x.x.x or 192.x.x.x
ip access-list extended 101
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
ip nat inside source list 101 interface s0/0 overload
!
int s0/0
 ip nat outside
!
int f0/0
 ip nat inside

Now your IPsec crypto list, such as

ip access-list extended 102
 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255

won't be subject to the outgoing NAT rule.

Of course post your full configs if you still need help!

Just remember, to allow NAT alongside an IPsec tunnel: NAT rules are applied before the crypto rule, so you are going to NAT the traffic and it will break the tunnel if you don't have a "deny" statement in the first line of your NAT access list when you are doing NAT in the same path as the IPsec traffic.

Thanks,

Joe
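A way to check the ordering point above mechanically. This is an added example, not code from the thread or from Cisco: a small Python script that parses IOS-style NAT and crypto ACLs (numbered or named, contiguous wildcard masks only) and reports any crypto-protected traffic that the NAT ACL would translate before the crypto map ever sees it. It walks the NAT ACL in order, as IOS does, and treats a crypto entry as safe only if the first NAT entry able to match it is a deny that covers all of it. The ACL text and the 192.168.x far-side case are constructed inputs; the function and constant names are the example's own.

```python
"""Check that an IOS NAT ACL exempts the traffic a crypto ACL protects.

Added example, not code from the thread or from Cisco. It models the IOS
order of operations for inside-to-outside packets: NAT is evaluated before
the crypto map, so a packet the crypto ACL wants encrypted must hit a 'deny'
in the NAT ACL before it can hit a 'permit', or it leaves translated and
never matches the tunnel. Assumes contiguous (prefix-style) wildcard masks.
"""
import ipaddress
from dataclasses import dataclass

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre"}


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair into an IPv4Network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):            # the low bits must be one solid run of ones
        raise ValueError(f"discontiguous wildcard not supported: {wildcard}")
    prefix = 33 - (wc + 1).bit_length()   # 0.0.0.255 -> /24, 0.0.0.0 -> /32
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _take_address(tokens, i):
    """Parse one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse numbered ('access-list 101 ...') or named ACL lines into Entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        if tokens[0] == "access-list":   # numbered form: drop 'access-list <n>'
            tokens = tokens[2:]
        action, i = tokens[0], 1
        if tokens[i] in PROTOCOLS:       # protocol and ports do not matter here
            i += 1
        src, i = _take_address(tokens, i)
        dst, i = _take_address(tokens, i)
        entries.append(Entry(action, src, dst))
    return entries


def unexempted_crypto_traffic(nat_acl, crypto_acl):
    """Return (crypto_entry, nat_entry) pairs for crypto permits whose first
    matching NAT entry is not a deny that covers the whole crypto entry."""
    problems = []
    for c in crypto_acl:
        if c.action != "permit":
            continue
        for n in nat_acl:                  # first match wins, as in IOS
            if not (n.src.overlaps(c.src) and n.dst.overlaps(c.dst)):
                continue
            if n.action == "deny" and c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst):
                break                      # bypassed before any permit: safe
            problems.append((c, n))        # translated before the crypto map
            break
        # no overlapping NAT entry means implicit deny: nothing is translated
    return problems


# Constructed inputs: the suggested NAT ACL, the same ACL without the deny,
# and two crypto ACLs (one to a 10/8 far side, one to a 192.168.x far side).
NAT_ACL_WITH_DENY = """
ip access-list extended 101
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
"""
NAT_ACL_NO_DENY = "access-list 101 permit ip 10.0.0.0 0.255.255.255 any"
CRYPTO_ACL_10 = "permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255"
CRYPTO_ACL_192 = "permit ip 10.100.11.0 0.0.0.255 192.168.1.0 0.0.0.255"

if __name__ == "__main__":
    cases = [("deny present, 10/8 peer", NAT_ACL_WITH_DENY, CRYPTO_ACL_10),
             ("deny missing, 10/8 peer", NAT_ACL_NO_DENY, CRYPTO_ACL_10),
             ("deny present, 192.168 peer", NAT_ACL_WITH_DENY, CRYPTO_ACL_192)]
    for label, nat, crypto in cases:
        found = unexempted_crypto_traffic(parse_acl(nat), parse_acl(crypto))
        print(f"{label}: {'OK' if not found else 'NATed before crypto'}")
        for c, n in found:
            print(f"  {c.src} -> {c.dst} hits NAT '{n.action} {n.src} {n.dst}' first")
```

The third case is the one the comment in the ACL warns about: a 10/8-to-10/8 deny does nothing for a peer whose LAN is in 192.168.x, so that traffic falls through to the permit and is translated before the crypto map can match it.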

remi-reszka Fri, 10/31/2008 - 20:05

Hi Joe,

Greetings from Mexico, Veracruz! :-).

Thanks so much for the clues. I tried your suggestions, but it didn't help. It looks like the remote router (831) wants to establish the IPsec tunnel but the Easy VPN server (2611XM) does not. "show crypto ipsec sa" displays all the values on the 831 but not on the 2611XM.

I am going to paste the key parts of the configs below for your examination, if you would be so kind.

IPSec Server config:

aaa authentication login vpnclient local
aaa authorization network allusers local
!
crypto keyring L2Lkeyring
 description Pre-shared Key for L2L peers with dynamic addressing
 pre-shared-key address 0.0.0.0 0.0.0.0 key secretkey
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3
!
crypto isakmp client configuration group allusers
 key allusers123
 dns 10.100.10.1
 domain domain.local
 pool userspool
 include-local-lan
 netmask 255.255.255.0
!
crypto isakmp profile allusersprofile
 description Teleworkers Remote Access
 match identity group allusers
 client authentication list remoteaccess
 isakmp authorization list allusers
 client configuration address respond
 keepalive 10 retry 3
crypto isakmp profile L2Lprofile
 description All L2L peers
 keyring L2Lkeyring
 match identity address 0.0.0.0
 keepalive 10 retry 3
!
crypto ipsec transform-set transset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set transset
 set isakmp-profile allusersprofile
crypto dynamic-map dynmap 10
 set transform-set transset
 set isakmp-profile L2Lprofile
 reverse-route
!
crypto map staticmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description ***Internet EDGE***
 ip address 172.30.17.1 255.255.255.248
 ip mtu 1440
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map staticmap
!
interface FastEthernet0/1
 description ***LAN***
 ip address 10.100.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip nat inside source list 101 interface FastEthernet0/0 overload
!
ip access-list extended ISP
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit ahp any any
 permit udp any any eq 10000
!
access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any

IPSec Remote Router:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key secretkey address 172.30.17.1 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set transset esp-3des esp-sha-hmac
!
crypto map staticmap 10 ipsec-isakmp
 set peer 172.30.17.1
 set transform-set transset
 match address MAIN-OFFICE
 reverse-route
!
interface Ethernet0
 description ***LAN***
 ip address 10.100.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 no keepalive
!
interface Ethernet1
 description ***Internet EDGE***
 ip address 172.30.20.1 255.255.255.248
 ip mtu 1440
 ip nat outside
 ip virtual-reassembly
 duplex auto
 no keepalive
 crypto map staticmap
!
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip nat inside source list 101 interface Ethernet1 overload
!
ip access-list extended MAIN-OFFICE
 permit ip 10.100.11.0 0.0.0.255 10.100.10.0 0.0.0.255
!
ip access-list extended ISP
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit ahp any any
 permit udp any any eq 10000
!
access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any

The outside interface IPs are on different subnets because I have another router between them. The server also handles VPN remote clients, and that works great.

Thanks for all your input and further help.

Regards,

Remi
