
NAT problem in a LAN-to-LAN IPsec connection.

david.sua
Level 1

Hi all again,

I configured two Cisco 877s to establish an IPsec tunnel. I would like to access the Internet from a host on the remote side of the tunnel, but I have a problem with NAT.

These are my configs:

!!!!!!!! ROUTER A
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key XX address 1.2.3.4
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Dialer1
crypto map cm-cryptomap 4 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set cm-transformset-1
 match address 162
!
interface Dialer1
 .
 .
 ip nat outside
 crypto map cm-cryptomap
!
access-list 103 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.0.255.255 any
access-list 162 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 162 permit ip host 66.102.9.99 10.0.1.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 103 interface Dialer1 overload

!!!!!!!! ROUTER B
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key XX address 5.6.7.8
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Dialer1
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 5.6.7.8
 set transform-set cm-transformset-1
 match address 110
!
interface Dialer1
 .
 .
 ip nat outside
 crypto map cm-cryptomap
!
access-list 103 deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99
access-list 103 permit ip 10.0.0.0 0.0.255.255 any
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 host 66.102.9.99
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
interface Vlan1
 ! The post showed 10.0.0.1 here, the same address as Router A's Vlan1; 10.0.1.1 is
 ! assumed, since ACL 110 and host 10.0.1.2 place this LAN in 10.0.1.0/24.
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 103 interface Dialer1 overload

Then, when I ping from a host on router B (10.0.1.2) to the IP 66.102.9.99, this packet flows via the IPsec tunnel and goes out to the Internet through router A, but NAT doesn't work. I can see the packet on the WAN side with the private IP of the original host instead of the overloaded Dialer1 address.

I think this occurs because my Dialer1 is an outside interface, and traffic from router B arrives via this one and goes out to the Internet again through Dialer1 without passing through a NAT inside interface.

I can't use tunnels like IP-in-IP, GRE, etc.

Does somebody know how I can resolve this?

Thanks in advance.

11 Replies

ansalaza
Level 1

Could you try doing the same using a route map in the NAT overload statement?

Document ID: 7276

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml

Yes, I tried with a route map, but the problem persists.

I think that I need to set inbound traffic from IPsec as ip nat inside, but I don't know how.

What are you trying to accomplish?

If you ping from 10.0.1.2 to 66.102.9.99, the traffic will go through the tunnel to Router A (as per the configs).

What do you mean that NAT does not work? Do you mean regular Internet traffic from Router B that should go to any other destination that is not 10.0.0.0/24 nor 66.102.9.99? In other words, Router B's internal LAN is not getting to the Internet?

According to the configuration, if you're sitting on host 10.0.1.2 and you try to go to any other destination besides the remote IPsec tunnel, the traffic should flow through the Internet (if this traffic is coming from VLAN1 and going out Dialer1), because those interfaces are where you have the NAT statements applied.

Is this the problem that you're having?

sdoremus33
Level 3

Can you post a debug ip packet on the routers to see what the translations look like at each end?

Thanks all for the answers.

fedecotof, that is not exactly my problem.

I will try to explain my scenario and my problems with a picture.

I am sitting on Host B.

I can access any Internet host through Router B.

I can ping Host A.

But there is one host on the Internet that only accepts traffic with the source IP of Router A's Dialer1.

Then I send a ping from Host B to host 66.102.9.99.

The ping flows through the IPsec tunnel and goes out to the Internet from Router A. I am sniffing on a host between Router A and host 66.102.9.99 (Internet).

On this host I can watch the ping, but I see this ping with source IP 10.0.0.5 instead of the WAN IP of Router A.

Nobody has an idea?

Hi,

I'm guessing the NAT isn't being applied because it's not flowing through the router from inside to out. You have defined "ip nat inside" on your VLAN interface; however, the packet doesn't arrive from there.

Why aren't you using Router B's Internet connection? Could you register Router B's IP with your 3rd party?

Do you have a proxy server in network A you can bounce this traffic off?

Is there a NAT-capable device inside network A you can bounce this traffic off?

Regards
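To make the forwarding sequence described above concrete, here is an added Python model of the two routers (not code or configuration from the thread). It evaluates the posted access lists with IOS wildcard semantics (first match wins, implicit deny) and applies the rule that `ip nat inside source list ... overload` only translates a packet that enters an `ip nat inside` interface and leaves an `ip nat outside` interface, with the crypto map ACL checked on the post-NAT source. It assumes Router A's Dialer1 address is 5.6.7.8 and Router B's is 1.2.3.4 (each router's `set peer`), that Router B's LAN is 10.0.1.0/24 as ACL 110 and host 10.0.1.2 imply, and uses 198.51.100.7 as a constructed Internet address.

```python
"""Added model of where NAT applies to the thread's ping; not from the thread.

Modelled behaviour: IOS extended ACLs with wildcard masks; inside-source NAT
only for packets entering Vlan1 (ip nat inside) and leaving Dialer1 (ip nat
outside); crypto map ACL evaluated after NAT. A packet decrypted from the
IPsec peer enters on Dialer1, so it never meets the inside-to-outside test.
Assumed: Router A WAN 5.6.7.8, Router B WAN 1.2.3.4, Router B LAN 10.0.1.0/24.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a set bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & (ALL_ONES ^ w)) == 0


def _spec(tokens, i):
    """Parse one address spec: 'any', 'host X', or 'NETWORK WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acls(config: str) -> dict:
    """Collect 'access-list N permit|deny ip SRC DST' lines by ACL number."""
    acls = {}
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue
        src, i = _spec(t, 4)
        dst, _ = _spec(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def acl_permits(entries, src: str, dst: str) -> bool:
    for action, (sn, sw), (dn, dw) in entries:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


@dataclass
class Router:
    name: str
    wan_ip: str        # address of Dialer1 (ip nat outside)
    lan: tuple         # (network, wildcard) behind Vlan1 (ip nat inside)
    acls: dict
    nat_list: str      # ACL named in `ip nat inside source list`
    crypto_list: str   # ACL named in the crypto map's `match address`

    def _iface(self, addr: str) -> str:
        return "Vlan1" if wildcard_match(addr, *self.lan) else "Dialer1"

    def forward(self, src: str, dst: str):
        """Return (egress interface, source seen on egress, encrypted to peer)."""
        ingress, egress = self._iface(src), self._iface(dst)
        out_src = src
        # Inside-source NAT requires inside -> outside. Decrypted tunnel
        # traffic enters on Dialer1 (outside), so this branch is skipped for it.
        if ingress == "Vlan1" and egress == "Dialer1" and acl_permits(self.acls[self.nat_list], src, dst):
            out_src = self.wan_ip
        # The crypto map is checked after NAT, on the translated source.
        encrypted = egress == "Dialer1" and acl_permits(self.acls[self.crypto_list], out_src, dst)
        return egress, out_src, encrypted


# Access lists copied from the posted configs.
ROUTER_A_ACLS = """
access-list 103 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.0.255.255 any
access-list 162 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 162 permit ip host 66.102.9.99 10.0.1.0 0.0.0.255
"""
ROUTER_B_ACLS = """
access-list 103 deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99
access-list 103 permit ip 10.0.0.0 0.0.255.255 any
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 host 66.102.9.99
"""
ROUTER_A = Router("Router A", "5.6.7.8", ("10.0.0.0", "0.0.0.255"), parse_acls(ROUTER_A_ACLS), "103", "162")
ROUTER_B = Router("Router B", "1.2.3.4", ("10.0.1.0", "0.0.0.255"), parse_acls(ROUTER_B_ACLS), "103", "110")


def trace_from_host_b(src: str, dst: str) -> list:
    """Hops for a packet from Router B's LAN: [(router, egress, source seen, encrypted), ...]."""
    egress, s, enc = ROUTER_B.forward(src, dst)
    hops = [(ROUTER_B.name, egress, s, enc)]
    if enc:  # Router A decrypts it and forwards it like any packet that arrived on Dialer1
        egress, s, enc = ROUTER_A.forward(s, dst)
        hops.append((ROUTER_A.name, egress, s, enc))
    return hops


def trace_from_host_a(src: str, dst: str) -> list:
    egress, s, enc = ROUTER_A.forward(src, dst)
    return [(ROUTER_A.name, egress, s, enc)]


if __name__ == "__main__":
    for hop in trace_from_host_b("10.0.1.2", "66.102.9.99"):
        print(hop)
```

Running it shows the ping from 10.0.1.2 to 66.102.9.99 leaving Router B encrypted with its private source (Router B's ACL 103 deliberately denies NAT for that destination so the packet still matches crypto ACL 110), and then leaving Router A's Dialer1 still sourced from 10.0.1.2: it entered Router A on Dialer1, not Vlan1, so the `ip nat inside source` rule is never consulted. The same host reaching any other Internet address is translated to 1.2.3.4 on Router B, and a host on Router A's own LAN reaching 66.102.9.99 is translated to 5.6.7.8, which is the source the third party expects.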

Thank you for your interest, James.

Yes, that is my problem, and I need a workaround.

> Why aren't you using Router B's Internet connection? Could you register Router B's IP with your 3rd party?

Because the 3rd party provider only permits Router A's IP, and I can't register Router B's IP.

> Do you have a proxy server in network A you can bounce this traffic off?

I don't have one; I only have control over the routers.

> Is there a NAT-capable device inside network A you can bounce this traffic off?

No... :(

sdoremus33
Level 3

> So when I ping from a host on router B (10.0.1.2) to the IP 66.102.9.99, this packet flows via the IPsec tunnel and goes out to the Internet through router A, but NAT doesn't work. I can see the packet on the WAN side with the private IP of the original host instead of the overloaded Dialer1 address.

As you said, what it looks like based on the config is that this access-list entry

access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99

acts as identity NAT, meaning any traffic sourced from your internal LAN and destined to 66.102.9.99 will not get PATed to the outside Dialer1 interface, so that's why you don't see the source address of the packet leaving the Dialer1 interface.

Based on your NAT statement you are performing dynamic PAT:

ip nat inside source list 103 interface Dialer1 overload

and the only traffic getting PATed would be any traffic not destined for the 10.0.0.0 network or the 66.102.9.99 host.
