I'm trying to configure NAT on a Stick using a Cisco 881 router using Cisco Configuration Professional. Based on the Cisco document "Network Address Translation on a Stick" (Document ID: 6505) I ran into some questions.
1) The document states to use the Cisco Feature Navigator II to determine which IOS version I could use with this feature. But I have no idea what feature exactly I have to look for in the Cisco Feature Navigator. Could anybody please help me with this? Right now I'm using Version 12.4(24)T3.
2) As I mentioned above, I'm trying to use Cisco Configuration Professional (version 2.2). As stated in the document I created a Loopback interface. Following the document I should now designate the loopback interface as inside NAT interface. However, trying to do this fails, because it is not possible to configure the loopback interface. Instead of showing the select box with options inside/outside/<none> (as it is e.g. on VLAN interfaces) the select box is greyed out and states <NOT-SUPPORTES>. Does anybody know why? Is this because I'm using a wrong IOS version, is it a bug in Cisco Configuration Professional or something else I'm missing?
Could you tell me if the IOS version I'm using is capable of this functionality?
I will try to put something together (sketches, ...) to make it more clear (see Attachment).
In addition a little description in words (as good as I could):
The clients in the remote location (network 10.10.10.0/24) should be able to talk to clients in the near location (network 10.10.30.0/24). The remote clients are configured to use the gateway 10.10.10.1. Data packets received on gateway 10.10.10.1 are routed directly to network 10.10.20.0/24 or to the next gateway 10.10.20.1, except for traffic with a destination address from network 10.10.30.0/24. This traffic is rerouted to the Cisco 881 router with IP address 10.10.10.2. Now I want this router to build a VPN tunnel to the near location ASA with IP address 192.168.30.1.
To do that, my idea was to create a virtual interface (loopback, NAT inside) on the Cisco 881 with IP address 192.168.10.1. All traffic received on 10.10.10.2 - NAT outside - (should be traffic from network 10.10.10.0/24 to 10.10.30.0/24 only - routed to 10.10.10.2 from gateway 10.10.10.1) should then be routed using a route-map to 192.168.10.1. Between inside and outside there should be a NAT for IP address range 10.10.10.0/24 to 10.40.40.0/24. The VPN configuration is on the interface 10.10.10.2. Here it should be rated as interesting traffic and cause the VPN tunnel to be created.
I'm not in the office anymore. As soon as I'm back tomorrow I could paste my non-working configuration. This may help you understand what I'm trying to do and maybe point out my error.
I updated the sketch attached to my previous reply slightly (corrected one error and added loopback0 interface).
Below you can see the configuration as it is right now (still not working). I tested the VPN tunnel using Cisco Configuration Professional. The VPN tunnel itself looks fine. Must be something wrong with route and NAT.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST
!
boot-start-marker
boot system flash c880data-universalk9-mz.124-24.T3.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$0KZ4$S65tv.EKwuTR3exlfKXsD/
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1535404978
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1535404978
 revocation-check none
 rsakeypair TP-self-signed-1535404978
!
crypto pki certificate chain TP-self-signed-1535404978
 certificate self-signed 01
  quit
ip source-route
!
ip cef
no ip domain lookup
ip domain name sigpack.com
no ipv6 cef
!
multilink bundle-name authenticated
!
username MCAdmin privilege 15 secret 5 $1$UFpt$D/6klqFSrp.f212e9UcU11
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxx address 192.168.30.1 no-xauth
!
crypto ipsec transform-set VPN_Maschinen esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 192.168.30.1
 set peer 192.168.30.1
 set security-association idle-time 300
 set transform-set VPN_Maschinen
 match address 103
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 description Machine Network$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map NAT_VPN
 no autostate
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.10.1 permanent
ip route 10.40.40.0 255.255.255.0 Loopback0 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static 10.10.10.0 10.40.40.0 /24
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 103 remark Interesting VPN Traffic
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 10.40.40.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 110 remark Route Remote Support Traffic
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
no cdp run
!
route-map NAT_VPN permit 10
 match ip address 110
 set ip next-hop 192.168.10.1
!
control-plane
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
If I ping 10.10.30.56 from client 10.10.10.131, the route-map works fine. Also the NAT for IP address 10.10.10.131 to 10.40.40.131 looks OK. Debugging with "debug ip nat" shows that IP 10.10.10.2 is trying to reach 192.168.30.1 (which is correct, because the VPN tunnel is initiating). But IP address 10.10.10.2 is NATed to 10.40.40.2, which is wrong. So, something with my NAT (or maybe route) is wrong.
For right now, I'm testing in our lab with private addresses only. IP address 10.10.10.2 is being translated (PAT) to interface IP 192.168.20.1. In the end, the connection will run over the internet and for sure use public IP addresses. The 192.168.30.1 will be a public IP address as well as 192.168.20.1. The 10.10.10.2 will then be translated (PAT) to the public IP address as well. Since both VPN endpoints support NAT-T this part worked fine from the beginning.
I could get the configuration I posted yesterday to work by changing the static NAT to not include the 10.10.10.2.
What I tried first to NAT is:
ip nat inside source static 10.10.10.0 10.40.40.0 /24 (see earlier posting)
Now I changed to:
ip nat inside source static 10.10.10.0 10.40.40.0 /31
ip nat inside source static 10.10.10.3 10.40.40.3 /32
ip nat inside source static 10.10.10.4 10.40.40.4 /30
ip nat inside source static 10.10.10.8 10.40.40.8 /29
ip nat inside source static 10.10.10.16 10.40.40.16 /28
ip nat inside source static 10.10.10.32 10.40.40.32 /27
ip nat inside source static 10.10.10.64 10.40.40.64 /26
ip nat inside source static 10.10.10.128 10.40.40.128 /25
This way it works fine. Looks like IP address 10.10.10.2 got NATed without having data packets travelling from the NAT inside to the NAT outside interface. I didn't expect this.
Doing a dynamic nat (including the 10.10.10.2 ip address) instead of the static nat will also result in a working configuration. Looks like in case of dynamic nat the data packets really have to travel through the interfaces to get nated.
ip nat pool NAT_Maschinen 10.40.40.0 10.40.40.255 netmask 255.255.255.0 type match-host
ip nat inside source list 20 pool NAT_Maschinen
access-list 20 deny 10.10.10.2
access-list 20 permit 10.10.10.0 0.0.0.255
Since I have to initiate client connection from both sides:
10.10.30.56 -> 10.40.40.131 (10.10.10.131)
10.10.10.131 (10.40.40.131) -> 10.10.30.56
I guess I will have to go with static NAT and just exclude the interface IP 10.10.10.2 from the NAT statement. Is there a better way to do the exclude than what I did up to now (see config above)? Maybe something analogous to the exclude I did for dynamic NAT?
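As an added example (not from the thread or from Cisco), the split into /31, /32, /30, ... static entries above is the general "cover a block minus one host with the largest possible prefixes" decomposition; the Python below generates those entries for any excluded address, emits them in the same command form the thread uses, and checks which global address a given inside host would receive, so you can confirm the router's own 10.10.10.2 stays untranslated before applying the lines. The constants are the thread's values; the one-to-one constant-offset mapping between the two /24s is an assumption.

```python
import ipaddress

# Values from the thread: inside block, its translated block, and the router's
# own outside-facing address, which must keep its real source for IKE/IPsec.
INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")
GLOBAL_NET = ipaddress.ip_network("10.40.40.0/24")
EXCLUDED = ["10.10.10.2"]


def static_nat_mappings(inside, global_net, excluded):
    """Return (local_prefix, global_prefix) pairs covering inside minus excluded.

    address_exclude() splits a block into the largest prefixes that avoid the
    excluded host; for one host in a /24 that is the /31,/32,/30,...,/25 list.
    """
    if inside.prefixlen != global_net.prefixlen:
        raise ValueError("local and global blocks must be the same size")
    # Assumption: one-to-one mapping, so every host keeps its host offset.
    offset = int(global_net.network_address) - int(inside.network_address)
    remaining = [inside]
    for host in excluded:
        addr = ipaddress.ip_address(host)
        split = []
        for block in remaining:
            if addr in block:
                split.extend(block.address_exclude(ipaddress.ip_network(host)))
            else:
                split.append(block)
        remaining = split
    pairs = []
    for local in sorted(remaining):
        glob = ipaddress.IPv4Network((int(local.network_address) + offset, local.prefixlen))
        pairs.append((local, glob))
    return pairs


def nat_commands(pairs):
    """Render the pairs in the command form used in the thread."""
    return ["ip nat inside source static %s %s /%d" % (l.network_address, g.network_address, l.prefixlen)
            for l, g in pairs]


def translate(host, pairs):
    """Global address a host would get from these entries, or None if no entry covers it."""
    addr = ipaddress.ip_address(host)
    for local, glob in pairs:
        if addr in local:
            return ipaddress.ip_address(int(glob.network_address) + int(addr) - int(local.network_address))
    return None


if __name__ == "__main__":
    pairs = static_nat_mappings(INSIDE_NET, GLOBAL_NET, EXCLUDED)
    print("\n".join(nat_commands(pairs)))
    print("10.10.10.2 ->", translate("10.10.10.2", pairs))      # None: stays untranslated
    print("10.10.10.131 ->", translate("10.10.10.131", pairs))  # 10.40.40.131
```

Passing more addresses in EXCLUDED (for example a second router address) produces the corresponding larger set of entries.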