NAT w/ multiple VLANs and Peer VPN

Unanswered Question
Jul 2nd, 2012

My problem is that I cannot ping an external address from vlan2.

I included my running config below. Here is an overview of my setup:

- There are two internal vlans, 10.10.0.0 and 10.20.0.0.
- NAT on vlan 1 (10.10.0.0) works fine. I can ping an external IP address from 10.10.0.1.
- NAT on vlan 2 (10.20.0.0) does not work. I cannot ping an external IP address from 10.20.0.1.
- I have a peer-to-peer VPN tunnel where vlan 2 has access to a peer network.

I suspect that the VPN may be interfering with NAT traffic; however, I believe I have the ACLs configured correctly.

Thanks in advance,

-Jesse

Building configuration...

Current configuration : 5977 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 ###########################
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name company.com
ip name-server xxx.xxx.xxx.xxx
ip name-server 8.8.8.8
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-406172510
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-406172510
revocation-check none
rsakeypair TP-self-signed-406172510
!
!
crypto pki certificate chain TP-self-signed-406172510
certificate self-signed 01
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  quit
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxxxxxx address 55.5.5.5
!
!
crypto ipsec transform-set Peer_VPN_Tunnel esp-aes 256 esp-md5-hmac
!
crypto map crypto_map_peer_tunnel 1 ipsec-isakmp
description Tunnel to 55.5.5.5
set peer 55.5.5.5
set transform-set Peer_VPN_Tunnel
match address 100
!
!
!
!
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1
ip address 66.6.6.6 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map crypto_map_peer_tunnel
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.10.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 10.20.0.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 66.6.6.1
!
!
ip http server
ip http access-class 99
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map map_dsl_nat interface FastEthernet1 overload
!
no logging trap
access-list 99 remark Limit Router Config Access (SSH, SDM, TELNET, etc)
access-list 99 permit 10.10.0.0 0.0.0.255 log
access-list 100 remark Encrypt tunnel traffic to peer network, only for vlan2
access-list 100 permit ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark DSL NAT
access-list 101 deny   ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
access-list 101 permit ip 10.20.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map map_dsl_nat permit 1
match ip address 101
!
!
!
!
control-plane
!
banner login ^CCCCCCCCCCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
access-class 99 in
transport input ssh
line vty 5 15
access-class 99 in
transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
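Added example, not part of the thread: a small Python model of the two decisions this config makes for a packet leaving FastEthernet1. It parses the posted ACL 100 (crypto map match) and ACL 101 (route-map NAT) lines, applies them in the order IOS uses for inside-to-outside traffic (NAT first, then the outbound crypto map, which therefore sees the post-NAT source), and reports whether a flow is translated and whether it is encrypted. The config excerpt is copied from the post; the sample flows are constructed. Per this model the posted ACLs do let 10.20.0.0/24 reach the Internet through NAT, and the ACL 101 deny is what keeps VPN-bound traffic out of NAT so that it still matches ACL 100; removing that deny makes the same flow translate to 66.6.6.6 and leave unencrypted. The last function checks the point raised later in the thread, whether the default-route next hop 66.6.6.1 lies in the FastEthernet1 subnet.

```python
"""Model of how the posted IOS config classifies a packet leaving FastEthernet1.

Added example, not from the original post: re-implements the NAT (ACL 101 via
route-map) and crypto-map (ACL 100) decisions so each ACL line's effect can be
checked.  Assumes the standard IOS inside->outside order: NAT, then crypto map.
"""
import ipaddress
from dataclasses import dataclass

# Excerpt of the relevant lines from the posted running-config (constructed subset).
CONFIG = """\
interface FastEthernet1
 ip address 66.6.6.6 255.255.255.252
ip route 0.0.0.0 0.0.0.0 66.6.6.1
access-list 100 permit ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
access-list 101 permit ip 10.20.0.0 0.0.0.255 any
"""

NAT_OUTSIDE_IP = ipaddress.IPv4Address("66.6.6.6")  # ip nat ... interface FastEthernet1 overload
CRYPTO_ACL, NAT_ACL = "100", "101"                   # match address 100 / route-map -> match ip address 101


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(tokens):
    """Consume 'any' or '<addr> <wildcard>'; in an IOS wildcard, set bits mean 'don't care'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [Ace, ...]} for the extended 'access-list N permit|deny ip' lines."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # remarks, standard ACLs and unrelated lines are ignored
        src, rest = _network(parts[4:])
        dst, _ = _network(rest)
        acls.setdefault(parts[1], []).append(Ace(parts[2], src, dst))
    return acls


def acl_permits(aces, src, dst):
    """First-match evaluation; a packet matching no entry hits the implicit deny."""
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def classify(src, dst, config=CONFIG):
    """Return (source address on the wire, encrypted?) for a packet from src to dst.

    NAT is applied before the outbound crypto map, so ACL 100 is evaluated against
    the post-NAT source.  A deny in the NAT ACL is what exempts VPN traffic from NAT.
    """
    acls = parse_acls(config)
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    nat_src = NAT_OUTSIDE_IP if acl_permits(acls.get(NAT_ACL, []), src, dst) else src
    encrypted = acl_permits(acls.get(CRYPTO_ACL, []), nat_src, dst)
    return str(nat_src), encrypted


def next_hop_on_link(config=CONFIG):
    """True if the default-route next hop lies inside the outside interface's subnet."""
    iface, next_hop = None, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "address"]:
            iface = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        elif parts[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            next_hop = ipaddress.IPv4Address(parts[4])
    return next_hop in iface.network


if __name__ == "__main__":
    for flow in [("10.10.0.5", "8.8.8.8"), ("10.20.0.5", "8.8.8.8"), ("10.20.0.5", "192.168.1.10")]:
        print(flow, "->", classify(*flow))
    # Same VPN-bound flow with the ACL 101 deny removed: NAT fires first, the
    # translated source no longer matches ACL 100, and the packet leaves in the clear.
    without_deny = "\n".join(ln for ln in CONFIG.splitlines() if not ln.startswith("access-list 101 deny"))
    print("without deny:", classify("10.20.0.5", "192.168.1.10", without_deny))
    print("default-route next hop inside FastEthernet1 subnet:", next_hop_on_link())
```

Running it shows both VLANs translating to 66.6.6.6 for Internet destinations, the vlan 2 to 192.168.1.0/24 flow left untranslated and encrypted, and the next-hop check returning False because 66.6.6.6/30 covers 66.6.6.4 through 66.6.6.7 and 66.6.6.1 is outside it (if those are the real addresses).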

Harish Balakrishnan Sun, 09/30/2012 - 04:34

Hello Jesse,

Remove the following line and see how it goes:

access-list 101 deny ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255

Regards,

Harish.

Jon Marshall Sun, 09/30/2012 - 06:34

Jesse

I can't see anything obviously wrong with your config. So some quick checks:

1) Does the VPN work?

2) From a client in vlan 2, can you ping the vlan 1 interface?

3) From a client in vlan 2, can you ping the fa1 interface IP?

4) What does a traceroute from a client in vlan 2 show?

5) When you try to ping an external IP from a client in vlan 2, can you see any activity on the IPSEC tunnel?

Note it is best to do all these tests from a client and not from the router itself, i.e. don't use the vlan 2 IP as the source IP.

Jon

Jeff Van Houten Sun, 09/30/2012 - 06:55

If these are real addresses, your default route next hop and your Internet-facing interface are not in the same subnet.

Sent from Cisco Technical Support iPad App

Jon Marshall Sun, 09/30/2012 - 07:05

Jeff

Good spot, although it begs the question why a device in vlan 1 can access Internet addresses?

Jon

Jeff Van Houten Sun, 09/30/2012 - 09:10

I didn't imply it would. But if there is an error in routing, it's my experience to fix that first.

Sent from Cisco Technical Support iPad App
