10-31-2008 05:16 PM - edited 02-21-2020 04:00 PM
Hi guys,
Please help, I am having a hard time setting up PAT properly on my IPSec VPN setup. I have a 2611XM on one side and an 831 on the other in an L2L configuration. Everything works fine, i.e. hosts on the private networks behind the VPN gateways are accessible to each other, but once PAT is applied and the crypto maps reapplied, ISAKMP Phase 1 never takes place.
So to speak, my config works, but only if I have no PAT applied to the outside interfaces.
Here, in short, are the ACLs that are applied to the outside interfaces:
ip access-list extended ISP
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit udp any any eq 10000
Any suggestions?
Thanks in advance,
Remi
10-31-2008 05:27 PM
Hi Remi,
Greetings from New York City!
I have a feeling you are forgetting to bypass NAT for the private hosts... try this:
! ACL that does nat!
!assuming you use 10.x.x.x, of course
!change if you are using 172.x.x.x or
!192.x.x.x
ip access-list extended 101
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list 101 interface s0/0 overload
int s0/0
ip nat outside
int f0/0
ip nat inside
Now your IPsec crypto list, such as
ip access-list extended 102
permit 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
won't be subject to the outgoing NAT rule.
Of course post your full configs if you still need help!
Just remember, to allow NAT on an IPsec tunnel: NAT rules are applied before the crypto rule, so you are going to NAT the traffic and it will break the tunnel if you don't have a "deny" statement in the first line of your NAT access list, if you are doing NAT in the same path as the IPsec traffic.
Thanks,
Joe
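To make the NAT-before-crypto order in Joe's reply concrete, here is an added checker (written for this page, not code from the thread or from Cisco) that evaluates a NAT access list against a crypto ACL the way IOS does, first match wins, and reports the crypto flows that would be translated before they ever reach the crypto map. The ACL lines are constructed samples in IOS wildcard syntax; the `deny` entry is the exemption Joe describes.

```python
import ipaddress

# Constructed sample ACLs in IOS wildcard syntax (not copied from the thread):
# the lone permit is the broken case, the deny in front of it is Joe's fix.
NAT_ACL_BROKEN = ["permit ip 10.0.0.0 0.255.255.255 any"]
NAT_ACL_FIXED = [
    "deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
    "permit ip 10.0.0.0 0.255.255.255 any",
]
CRYPTO_ACL = ["permit ip 10.100.11.0 0.0.0.255 10.100.10.0 0.0.0.255"]

def _net(addr, wildcard=None):
    """IOS 'address wildcard' (or 'any') -> ip_network; the wildcard is
    inverted into a netmask, so non-contiguous masks raise ValueError."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_ace(line):
    """'permit|deny ip SRC [WC] DST [WC]' -> (action, src_net, dst_net)."""
    tok = line.split()
    if tok[1] != "ip":
        raise ValueError("only 'ip' entries are handled: " + line)
    nets, i = [], 2
    while len(nets) < 2:  # source network, then destination network
        if tok[i] == "any":
            nets.append(_net("any"))
            i += 1
        else:
            nets.append(_net(tok[i], tok[i + 1]))
            i += 2
    return tok[0], nets[0], nets[1]

def nat_action(nat_acl, src_net, dst_net):
    """First-match evaluation as IOS does it: 'permit' = translated,
    'deny' or no match = exempt from NAT. subnet_of is deliberately strict:
    a deny that only partly covers the flow does not count as a match."""
    for line in nat_acl:
        action, s, d = parse_ace(line)
        if src_net.subnet_of(s) and dst_net.subnet_of(d):
            return action
    return "deny"

def flows_natted_before_crypto(nat_acl, crypto_acl):
    """Crypto-ACL flows the NAT list translates first; after PAT their source
    address no longer matches the crypto ACL, so the tunnel never carries them."""
    return [(str(s), str(d)) for a, s, d in map(parse_ace, crypto_acl)
            if a == "permit" and nat_action(nat_acl, s, d) == "permit"]
```

Run `flows_natted_before_crypto` against each NAT list: the broken list reports the 10.100.11.0/24 to 10.100.10.0/24 flow, the fixed list reports nothing.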
10-31-2008 08:05 PM
Hi Joe,
Greetings from Mexico, Veracruz! :-).
Thanks so much for the clues. I tried your suggestions, but no help. What happens is it looks like the remote router (831) wants to establish the IPSec tunnel but the easy server (2611XM) does not. "show crypto ipsec sa" displays all the values on the 831 but not on the 2611XM.
I am going to paste below the key parts of the configs for your examination, if you would be so kind.
IPSec Server config:
aaa authentication login vpnclient local
aaa authorization network allusers local
crypto keyring L2Lkeyring
description Pre-shared Key for L2L peers with dynamic addressing
pre-shared-key address 0.0.0.0 0.0.0.0 key secretkey
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3
crypto isakmp client configuration group allusers
key allusers123
dns 10.100.10.1
domain domain.local
pool userspool
include-local-lan
netmask 255.255.255.0
crypto isakmp profile allusersprofile
description Teleworkers Remote Access
match identity group allusers
client authentication list remoteaccess
isakmp authorization list allusers
client configuration address respond
keepalive 10 retry 3
crypto isakmp profile L2Lprofile
description All L2L peers
keyring L2Lkeyring
match identity address 0.0.0.0
keepalive 10 retry 3
crypto ipsec transform-set transset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 5
set transform-set transset
set isakmp-profile allusersprofile
crypto dynamic-map dynmap 10
set transform-set transset
set isakmp-profile L2Lprofile
reverse-route
crypto map staticmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
description ***Internet EDGE***
ip address 172.30.17.1 255.255.255.248
ip mtu 1440
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map staticmap
interface FastEthernet0/1
description ***LAN***
ip address 10.100.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip nat inside source list 101 interface FastEthernet0/0 overload
ip access-list extended ISP
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit udp any any eq 10000
access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
IPSec Remote Router:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key secretkey address 172.30.17.1 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3
crypto ipsec transform-set transset esp-3des esp-sha-hmac
crypto map staticmap 10 ipsec-isakmp
set peer 172.30.17.1
set transform-set transset
match address MAIN-OFFICE
reverse-route
interface Ethernet0
description ***LAN***
ip address 10.100.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
no keepalive
!
interface Ethernet1
description ***Internet EDGE***
ip address 172.30.20.1 255.255.255.248
ip mtu 1440
ip nat outside
ip virtual-reassembly
duplex auto
no keepalive
crypto map staticmap
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip nat inside source list 101 interface Ethernet1 overload
ip access-list extended MAIN-OFFICE
permit ip 10.100.11.0 0.0.0.255 10.100.10.0 0.0.0.255
ip access-list extended ISP
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit udp any any eq 10000
access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
The outside interfaces' IPs are on different subnets because I have another router between them. The server also handles VPN remote clients, and that works great.
Thanks for all your input and further help.
Regards,
Remi