7206, static NAT, after then ipsec. vrf

sabtransmark
Level 1

We have a Cisco 7206VXR (NPE-G2) running c7200p-advsecurityk9-mz.124-15.T1.bin.

We have to configure an IPsec tunnel to another Cisco, but before IPsec we have to translate the source IP into another IP, which we get from our partner.

I've tried this configuration:

ip vrf mobile
 rd 1:300
 route-target export 1:300
 route-target import 1:300
!
ip vrf roffice
 rd 1:200
 route-target export 1:200
 route-target import 1:200
!
interface GigabitEthernet0/1.5
 description VPN_Outside
 encapsulation dot1Q 5
 ! public ip - our side of the ipsec tunnel
 ip address x.x.x.17 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 crypto map outside
!
interface GigabitEthernet0/2.11
 description VPN_Mobile
 encapsulation dot1Q 11
 ip vrf forwarding mobile
 ip address 10.31.28.137 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
crypto keyring BlackBerryNew
 ! public ip - partner's side of the ipsec tunnel
 pre-shared-key address y.y.y.238 key MEGAPASSWORD
!
crypto isakmp policy 60
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp profile BlackBerryNew
 vrf mobile
 keyring BlackBerryNew
 match identity address y.y.y.238 255.255.255.255
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
!
crypto map outside 65535 ipsec-isakmp
 set peer y.y.y.238
 set transform-set ESP-AES128-SHA
 set pfs group5
 set isakmp-profile BlackBerryNew
 match address outside_65535_cryptomap
!
ip route vrf mobile 10.31.50.176 255.255.255.240 x.x.x.22 global
!
ip access-list extended outside_65535_cryptomap
 permit ip host 172.18.12.21 10.31.50.176 0.0.0.15
 permit ip host 172.18.12.22 10.31.50.176 0.0.0.15
 permit ip host 172.18.12.23 10.31.50.176 0.0.0.15
!
ip access-list extended BlackBerryNAT
 permit ip host 10.31.0.61 10.31.50.176 0.0.0.15
 permit ip host 10.31.0.64 10.31.50.176 0.0.0.15
 permit ip host 10.31.0.223 10.31.50.176 0.0.0.15
 deny ip any any
!
route-map BlackBerryNAT permit 10
 match ip address BlackBerryNAT
!
ip nat inside source static 10.31.0.61 172.18.12.21 vrf mobile route-map BlackBerryNAT
ip nat inside source static 10.31.0.223 172.18.12.22 vrf mobile route-map BlackBerryNAT
ip nat inside source static 10.31.0.64 172.18.12.23 vrf mobile route-map BlackBerryNAT

But when I put "ip nat inside" on Gi0/2.11, the router falls into a reboot.

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Denis,

Try another IOS image, like 12.4(20)T with the same feature set.

This looks like an issue (it may be a known bug) of the current image.

Edit:

I have some doubts on the outside interface configuration.

It should work if NAT is processed first and then the resulting packets are examined for potential encryption.

You may need to use a GRE tunnel and encrypt it to be sure about the order of operations.

The GRE tunnel can give you an L3 point where to apply ip nat outside before encryption occurs.

Hope to help

Giuseppe

I made it work :)

It was necessary to add one line in the route-map.

Now it looks like this:

route-map BlackBerryNAT permit 10
 match ip address BlackBerryNAT
 set vrf mobile

Hello Denis,

good news!

The command associates to vrf mobile:

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi2.html#wp1035512

Interesting.

Best Regards

Giuseppe
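For readers who arrive at this thread with the same NAT-before-IPsec question, here is the NAT-related part of the configuration as it stands after the fix, followed by the show commands that confirm each stage. This is an added, annotated example written for this page; it is not Denis's post verbatim and not Cisco documentation. Names and addresses are the ones used in the thread, and x.x.x.17 / y.y.y.238 remain placeholders for the real public IPs. The point worth checking in any such setup: on IOS, an inside-to-outside packet is translated by NAT before the crypto map is evaluated, so the NAT ACL must match the pre-translation (10.31.0.x) addresses while the crypto ACL must match the translated (172.18.12.x) addresses, which is how the two ACLs in the thread are already split.

```cisco
! NAT policy: match the pre-translation VRF addresses and tie the
! translation to vrf mobile (the "set vrf" line is what fixed the thread)
ip access-list extended BlackBerryNAT
 permit ip host 10.31.0.61 10.31.50.176 0.0.0.15
 permit ip host 10.31.0.64 10.31.50.176 0.0.0.15
 permit ip host 10.31.0.223 10.31.50.176 0.0.0.15
 deny ip any any
!
route-map BlackBerryNAT permit 10
 match ip address BlackBerryNAT
 set vrf mobile
!
ip nat inside source static 10.31.0.61 172.18.12.21 vrf mobile route-map BlackBerryNAT
ip nat inside source static 10.31.0.223 172.18.12.22 vrf mobile route-map BlackBerryNAT
ip nat inside source static 10.31.0.64 172.18.12.23 vrf mobile route-map BlackBerryNAT
!
! Crypto ACL: matches the POST-NAT addresses, because NAT inside->outside
! runs before the crypto map on the outgoing path
ip access-list extended outside_65535_cryptomap
 permit ip host 172.18.12.21 10.31.50.176 0.0.0.15
 permit ip host 172.18.12.22 10.31.50.176 0.0.0.15
 permit ip host 172.18.12.23 10.31.50.176 0.0.0.15
!
! --- verification, from exec mode ---
! 1. the static translations are installed for the VRF
show ip nat translations vrf mobile
! 2. the route-map really carries both the match and the set vrf clause
show route-map BlackBerryNAT
! 3. IKE phase 1 with the partner is up (expect state QM_IDLE)
show crypto isakmp sa
! 4. IPsec SAs exist for the peer and the encaps/decaps counters move
!    once a 10.31.0.x host sends traffic to 10.31.50.176/28
show crypto ipsec sa peer y.y.y.238
```

If step 4 shows the SA but the encaps counter stays at zero while step 1 shows translations, the traffic is being translated but not matched by the crypto ACL, which points at a mismatch between the translated addresses and the crypto ACL entries rather than at the NAT side.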
