02-19-2009 09:52 AM - edited 02-21-2020 04:09 PM
Hi all again,
I configured two Cisco 877 routers to establish an IPsec tunnel. I would like to access the Internet from a host on the remote side of the tunnel, but I have a problem with NAT.
These are my configs:
!!!!!!!!ROUTER A  (WAN Dialer1 = 5.6.7.8 per Router B's "set peer"; LAN 10.0.0.0/24 on Vlan1)
! Phase 1 (ISAKMP) policy and pre-shared key for peer 1.2.3.4 (Router B)
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key XX address 1.2.3.4
! Phase 2 transform set as posted. DES and MD5 are weak and deprecated;
! they are kept here only because this is the configuration under discussion.
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Dialer1
crypto map cm-cryptomap 4 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set cm-transformset-1
 match address 162
!
! Dialer1 is the only "ip nat outside" interface; decrypted tunnel traffic
! enters here and, for 66.102.9.99, leaves here again.
interface Dialer1
 .
 .
 ip nat outside
 crypto map cm-cryptomap
!
! NAT ACL 103: exempt LAN-to-LAN traffic from PAT (identity NAT),
! translate everything else sourced from 10.0.0.0/16
access-list 103 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.0.255.255 any
! Crypto ACL 162: traffic to encrypt toward Router B, including the
! return traffic from 66.102.9.99 to Router B's LAN
access-list 162 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 162 permit ip host 66.102.9.99 10.0.1.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! Vlan1 is the only "ip nat inside" interface
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Dynamic PAT to Dialer1's address for traffic permitted by ACL 103
ip nat inside source list 103 interface Dialer1 overload
!!!!!!!ROUTER B  (WAN Dialer1 = 1.2.3.4 per Router A's "set peer"; LAN 10.0.1.0/24 on Vlan1)
! Phase 1 (ISAKMP) policy and pre-shared key for peer 5.6.7.8 (Router A)
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key XX address 5.6.7.8
!
! Phase 2 transform set as posted (DES/MD5, see note on Router A)
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Dialer1
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 5.6.7.8
 set transform-set cm-transformset-1
 match address 110
!
interface Dialer1
 .
 .
 ip nat outside
 crypto map cm-cryptomap
!
! NAT ACL 103: do not PAT LAN-to-LAN traffic or traffic to 66.102.9.99,
! so those packets keep their private source and match crypto ACL 110
access-list 103 deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99
access-list 103 permit ip 10.0.0.0 0.0.255.255 any
! Crypto ACL 110: LAN-to-LAN traffic plus traffic to 66.102.9.99 goes
! through the tunnel to Router A
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 host 66.102.9.99
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
interface Vlan1
 ! As posted this line read "ip address 10.0.0.1 255.255.255.0", which
 ! duplicates Router A's LAN; 10.0.1.1/24 is assumed here to match ACL 110
 ! and host 10.0.1.2 (a transcription error in the post is assumed)
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 103 interface Dialer1 overload
Then, when I ping from a host on Router B (10.0.1.2) to the IP 66.102.9.99, the packet flows via the IPsec tunnel and goes out to the Internet through Router A, but NAT doesn't work. I can see the packet on the WAN side with the private IP of the original host instead of the overload address of Dialer1.
I think this occurs because my Dialer1 is an outside interface, and traffic from Router B arrives via this interface and goes out to the Internet again through Dialer1 without passing through a NAT inside interface.
I can't use tunnels like IP-in-IP, GRE, etc.
Does somebody know how I can resolve this?
Thanks in advance.
02-19-2009 12:03 PM
Could you try doing the same using a Route Map in the NAT Overload Statements?
Document ID: 7276
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml
02-23-2009 01:10 AM
Yes, I tried with a route map but the problem persists.
I think that I need to treat inbound traffic from IPsec as ip nat inside, but I don't know how.
02-24-2009 10:27 AM
What are you trying to accomplish?
If you PING from 10.0.1.2 to 66.102.9.99, the traffic will go through the tunnel to Router A (as per the configs).
What do you mean that NAT does not work? Do you mean regular Internet traffic from Router B that should go to any other destination that is not 10.0.0.0/24 nor 66.102.9.99? In other words, Router B's internal LAN is not getting to the Internet?
According to the configuration, if you're sitting on host 10.0.1.2 and you try to go to any other destination besides the remote IPsec tunnel, the traffic should flow through the Internet (if this traffic is coming from VLAN1 and going out Dialer1) because those interfaces are where you have the NAT statements applied.
Is this the problem that you're having?
02-24-2009 08:05 PM
Can you post a "debug ip packet" from both routers so we can see what the translations look like at each end?
02-25-2009 08:59 AM
Thanks all for the answers.
fedecotof, that is not exactly my problem.
I will try to explain my scenario and my problems with a picture.
I am sitting on Host B.
I can access any Internet host through Router B.
I can ping Host A.
But there is one host on the Internet that only accepts traffic with the source IP of Router A's Dialer1.
So I send a ping from Host B to host 66.102.9.99.
The ping flows through the IPsec tunnel and goes out to the Internet from Router A. I am sniffing on a host between Router A and host 66.102.9.99 (Internet).
On this host I can watch the ping, but I see it with source IP 10.0.0.5 instead of the WAN IP of Router A.
03-02-2009 03:30 AM
Nobody has an idea?
03-02-2009 05:00 AM
Hi,
I'm guessing NAT isn't being applied because the traffic isn't flowing through the router from inside to outside. You have defined "ip nat inside" on your VLAN interface, but the packet doesn't arrive from there.
Why aren't you using Router B's Internet connection? Could you register Router B's IP with your 3rd party?
Do you have a proxy server in network A you can bounce this traffic off?
Is there a NAT-capable device inside network A you can bounce this traffic off?
Regards
03-02-2009 05:07 AM
Thank you for your interest James,
Yes, that is my problem and I need a workaround.
> Why aren't you using Router B's Internet connection? Could you register Router B's IP with your 3rd party?
Because the 3rd party provider only permits Router A's IP and I can't register Router B's IP.
> Do you have a proxy server in network A you can bounce this traffic off?
I don't have one; I only have control over the routers.
> Is there a NAT-capable device inside network A you can bounce this traffic off?
No... :(
03-03-2009 09:26 PM
So when you ping from a host on Router B (10.0.1.2) to the IP 66.102.9.99, the packet flows via the IPsec tunnel and goes out to the Internet through Router A, but NAT doesn't work. You can see the packet on the WAN side with the private IP of the original host instead of the overload address of Dialer1.
Like you said, what it looks like based upon the config is that this access-list
access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99
acts as identity NAT, meaning any traffic sourced from your internal LAN and destined to 66.102.9.99 will not get PATed to the outside Dialer1 interface, so that's why you don't see the source address of the packet leaving the Dialer1 interface.
Based upon your NAT statement you are performing dynamic PAT:
ip nat inside source list 103 interface Dialer1 overload, and the only traffic getting PATed would be any traffic not destined for the 10.0.0.0 network or the 66.102.9.99 host.
03-03-2009 09:28 PM
So when ping from a host on router B (10.0.1.2) to the ip 66.102.9.99, this packet flows via ipsec tunel and go out to internet trough router A but NAT doesn't work. I can see the packet on wan side with the private ip of original host instead the overload of Dialer1.
Like you said what it looks like based upon the config is that based upon this access-list
access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99
which acts as identity NAT, meaning aby traffic sourced from your internal Lan, and destined to 66.102.9.99 will not get Pat(d)to the outside Dialer1 interface, so thats why you dont see the src address of the packet leaving the Dialer1 interface.
Based upon your Nat statement you are performing Dynamic PAT
ip nat inside source list 103 interface Dialer1 overload, and the only traffic getting Pat(d) would be any traffic not destined for the 10.0.0.0 network and 66.102.9.99 host.
03-03-2009 09:28 PM
So when ping from a host on router B (10.0.1.2) to the ip 66.102.9.99, this packet flows via ipsec tunel and go out to internet trough router A but NAT doesn't work. I can see the packet on wan side with the private ip of original host instead the overload of Dialer1.
Like you said what it looks like based upon the config is that based upon this access-list
access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99
which acts as identity NAT, meaning aby traffic sourced from your internal Lan, and destined to 66.102.9.99 will not get Pat(d)to the outside Dialer1 interface, so thats why you dont see the src address of the packet leaving the Dialer1 interface.
Based upon your Nat statement you are performing Dynamic PAT
ip nat inside source list 103 interface Dialer1 overload, and the only traffic getting Pat(d) would be any traffic not destined for the 10.0.0.0 network and 66.102.9.99 host.