
VPN - Leaking NAT

Unanswered Question
Jul 12th, 2012

I am creating an IPSEC tunnel via a 3G Cell Interface to an ASA for failover in the event the primary Serial interface goes down. Everything works just fine without the local switch connected to the 2811. The Cell interface comes up fine on failover without any problems. The issue I am seeing is that when I hook the switch to the 2811, after about 5 minutes the cell interface resets (incoming TERMREQ from Verizon), so I know I am leaking private IP out to Verizon, causing the problem either through a jacked up access list or a misconfiguration of the NAT. Here are the relevant parts of the config. I think I am missing something totally obvious but just can't see it. Thanks.



ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.151.1 10.1.151.99
ip dhcp excluded-address 10.1.151.200 10.1.151.254
ip dhcp excluded-address 10.101.151.1 10.101.151.99
ip dhcp excluded-address 10.101.151.200 10.101.151.254
!
ip dhcp pool Voice
   network 10.101.151.0 255.255.255.0
   option 150 ip 10.101.90.6
   default-router 10.101.151.254
!
ip dhcp pool Data
   network 10.1.151.0 255.255.255.0
   dns-server 10.1.90.189 10.5.100.30 66.174.95.44 69.78.96.14
   default-router 10.1.151.254
!
!
no ip bootp server
no ip domain lookup
ip domain name candfbank.local
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
chat-script cdma "" "ATDT#777" TIMEOUT 60 "CONNECT"
!
!
!
!
!
<<<<<<<<< -------  Truncated  -------->>>>>>>>>
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set CellFOSet esp-3des esp-sha-hmac
!
crypto map CellFOMap 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set security-association lifetime seconds 86400
set transform-set CellFOSet
match address 100
!
!
!
controller T1 0/1/0
framing esf
linecode b8zs
cablelength long 0db
channel-group 0 timeslots 1-24
!
ip tftp source-interface FastEthernet0/0.1
!
track 1 ip sla 1 reachability
!
class-map match-all VOICE
match ip dscp ef
class-map match-any VOICE-CTRL
match ip dscp af31
match ip dscp cs3
!
!
policy-map WAN-EDGE
class VOICE
    priority 384
  set ip dscp ef
class VOICE-CTRL
  set ip dscp af21
    bandwidth 32
class class-default
    fair-queue
  set ip dscp default
!
!
!
!
!
interface Loopback0
ip address 10.1.1.151 255.255.255.255
shutdown
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.1.1.151
!
interface FastEthernet0/0
description Physical Interface for Data VLAN 10 and Voice VLAN 20
no ip address
ip flow ingress
ip pim sparse-dense-mode
no ip route-cache cef
duplex auto
speed auto
!
interface FastEthernet0/0.1
description Interface to Data VLAN 10
encapsulation dot1Q 10
ip address 10.1.151.254 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/0.2
description Interface to Voice VLAN 20
encapsulation dot1Q 20
ip address 10.101.151.254 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1
description Unused port
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface Cellular0/0/0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string cdma
dialer-group 1
async mode interactive
ppp chap hostname [email protected]
ppp chap password 7 1511021F0725
ppp ipcp dns request
crypto map CellFOMap
!
interface Serial0/1/0:0
ip address 169.130.27.82 255.255.255.252
ip flow ingress
ip flow egress
encapsulation ppp
service-policy output WAN-EDGE
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
bgp suppress-inactive
network 10.1.1.151 mask 255.255.255.255
network 10.1.151.0 mask 255.255.255.0
network 10.101.151.0 mask 255.255.255.0
network 169.130.27.80 mask 255.255.255.252
neighbor 169.130.27.81 remote-as 15270
default-information originate
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/1/0:0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 20
no ip http server
no ip http secure-server
!
ip flow-export source FastEthernet0/0.1
ip flow-export version 5
ip flow-export destination 10.1.90.25 2055
!
ip nat inside source list 110 interface Cellular0/0/0 overload
!
ip access-list standard MON_SNMP_RO
permit 207.59.3.197
permit 64.80.255.182
permit 216.20.199.86
permit 63.139.151.86
!
ip radius source-interface FastEthernet0/0.1
ip sla 1
icmp-echo 169.130.27.81
timeout 1000
threshold 2
frequency 3
ip sla schedule 1 life forever start-time now
logging trap notifications
logging 10.1.90.167
access-list 100 permit ip 10.1.151.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 10.1.151.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 100 permit ip 10.1.151.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 100 permit ip 10.1.151.0 0.0.0.255 10.7.0.0 0.0.255.255
access-list 100 permit ip 10.1.151.0 0.0.0.255 10.101.81.0 0.0.0.255
access-list 100 permit ip 10.1.151.0 0.0.0.255 10.101.90.0 0.0.0.255
access-list 100 permit ip 10.101.151.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 10.101.151.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 100 permit ip 10.101.151.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 100 permit ip 10.101.151.0 0.0.0.255 10.7.0.0 0.0.255.255
access-list 100 permit ip 10.101.151.0 0.0.0.255 10.101.81.0 0.0.0.255
access-list 100 permit ip 10.101.151.0 0.0.0.255 10.101.90.0 0.0.0.255
access-list 110 deny   ip 10.1.151.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.1.151.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 110 deny   ip 10.1.151.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 110 deny   ip 10.1.151.0 0.0.0.255 10.7.0.0 0.0.255.255
access-list 110 deny   ip 10.1.151.0 0.0.0.255 10.101.81.0 0.0.0.255
access-list 110 deny   ip 10.1.151.0 0.0.0.255 10.101.90.0 0.0.0.255
access-list 110 deny   ip 10.101.151.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.101.151.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 110 deny   ip 10.101.151.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 110 deny   ip 10.101.151.0 0.0.0.255 10.7.0.0 0.0.255.255
access-list 110 deny   ip 10.101.151.0 0.0.0.255 10.101.81.0 0.0.0.255
access-list 110 deny   ip 10.101.151.0 0.0.0.255 10.101.90.0 0.0.0.255
access-list 110 permit ip any any
dialer-list 1 protocol ip list 100
snmp-server community xxxxxxxx RO
snmp-server enable traps tty
!
!
!
!
!
!
!
control-plane
!
!
!
<<<<<<<<< -------  Truncated  -------->>>>>>>>>
!
!
!
!
!
line con 0
line aux 0
line 0/0/0
script dialer cdma
modem InOut
no exec
transport input all
transport output all
rxspeed 3100000
txspeed 1800000
line vty 0 4
transport input telnet
line vty 5 15
transport input telnet
!
scheduler allocate 20000 1000
ntp server 10.1.99.5
end
