09-07-2003 07:51 PM - edited 03-02-2019 10:09 AM
I am attempting to configure a 2611XM running 12.2(15)T7 as a "customer connection" VPN router for a client who connects to several customer networks with overlapping RFC1918 space. This router has f0/1 connected to the DMZ of a PIX, which PATs all traffic to this interface as the interface address (192.168.2.1). I want to make a static 1-to-1 relationship with each host on the remote network via a 192.168.2.x address with an ip nat outside source static command.
I made this setup work a few months ago on similar hardware, but seem to not be able to reproduce a working setup. I must be missing something.
I can get to the remote devices I am attempting to NAT for from the router or another device with their actual RFC1918 address, so the IPSec side of this is not the problem. When I try to use the outside local address I assign, I get nowhere. I can ping it, so I know that the router is responding for it, but I don't see any crypto being attempted. A 'sh ip nat sta' shows me that no NAT counters are incrementing at all, making me sure that I've missed something very stupid in my nat config, but I can't seem to find it.
The config is posted below. Any pointers (or solutions!) would be greatly appreciated. Including better ways to accomplish this.
Thanks,
Daryl
------------
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp key xxxxxxxxxxxxx address yyy.yyy.yyy.yyy
!
!
crypto ipsec transform-set trans3dessha esp-3des esp-sha-hmac
!
crypto map ipsecmap local-address FastEthernet0/0
crypto map ipsecmap 3 ipsec-isakmp
set peer yyy.yyy.yyy.yyy
set transform-set trans3dessha
match address vpnList1
!
interface FastEthernet0/0
ip address zzz.zzz.zzz.25 255.255.255.0
ip nat outside
speed 100
full-duplex
crypto map ipsecmap
!
interface FastEthernet0/1
ip address 192.168.2.2 255.255.255.0
ip nat inside
speed 100
half-duplex
!
ip nat outside source static 192.168.241.19 192.168.2.18
ip nat outside source static 192.168.241.20 192.168.2.19
ip nat outside source static 10.10.0.56 192.168.2.17
ip nat outside source static 10.10.0.10 192.168.2.20
ip nat outside source static 68.85.95.0 192.168.2.25
ip route 0.0.0.0 0.0.0.0 zzz.zzz.zzz.1
!
!
!
ip access-list extended vpnList1
permit ip any host 10.10.0.56
permit ip any host 10.10.0.10
permit ip any host 192.168.241.19
permit ip any host 192.168.241.20
!
09-08-2003 06:47 AM
Hello,
When you are trying to create IPSEC with NAT, the interesting traffic should be from the Natted outside IP and not from the Inside local IP. Change the access-list to match traffic from outside local IP and check.
09-08-2003 06:58 AM
Thanks for the idea. It doesn't seem to make a difference in this case. Unless I'm interpreting the output incorrectly, it appears that NAT isn't working at all....when I try to hit one of my inside globals (with ping or telnet, for example), the counters never increment, and deb ip nat det shows no output:
Total active translations: 5 (5 static, 0 dynamic; 0 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet0/1
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
-------
I am under the impression that even pinging these inside globals should be incrementing some counter here. Maybe I'm not correct in the assumption, but I haven't found anything specific in the IOS NAT documentation yet.
09-09-2003 09:35 AM
Daryl,
The problem is that you need to set the direction for the NAT/Crypto. Since you are assigning inside addresses to an outside host, you will need to put a route that directs those addresses to the outside.
Try putting static routes pointing your nat'ed addresses to the outside. For instance,
ip route 192.168.2.18 255.255.255.255 zzz.zzz.zzz.1
(or to Fa0/0, either way, so long as it's your crypto map interface on the outside)
To make things easier for you, assign your outside statics in a maskable range within 192.168.2.x. This way you can add one static route to the outside interface (via zzz.zzz.zzz.1) to cover all of your [outside] static translations. For example, reserve 192.168.2.224/27 for outside static nat entries and add a route pointing it to the outside.
Hope this helps.
--Tim
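The following is an added worked example of Tim's suggestion, written for this thread and not taken from either post or from Cisco documentation. It moves the outside statics into the 192.168.2.224/27 block Tim proposed (the particular pairings of remote hosts to .225-.228 are my own arbitrary choices, and the 68.85.95.0 entry is left out because it is not in the crypto ACL), adds the single summary route out the crypto-map interface, and keeps the crypto ACL exactly as Daryl had it. The ACL stays on the real remote addresses because, on IOS, inside-to-outside NAT translation is applied before the crypto map is checked, so the packet the crypto ACL sees already carries the outside global destination.

```cisco
! Added example (not the thread's config): outside statics grouped in one
! /27 so that a single route covers every outside local address.
!
! Outside local addresses taken from 192.168.2.224/27 (assumed, arbitrary).
ip nat outside source static 192.168.241.19 192.168.2.225
ip nat outside source static 192.168.241.20 192.168.2.226
ip nat outside source static 10.10.0.56     192.168.2.227
ip nat outside source static 10.10.0.10     192.168.2.228
!
! One route for the whole block, pointing out the crypto-map interface.
! Without it, a packet to 192.168.2.x is longest-prefix matched by the
! connected 192.168.2.0/24 on Fa0/1, never crosses inside->outside, and
! neither NAT nor the crypto map is consulted (which is why Hits stays 0).
ip route 192.168.2.224 255.255.255.224 zzz.zzz.zzz.1
!
! Crypto ACL unchanged: it matches the post-translation (real remote)
! destinations, because inside-to-outside NAT runs before the crypto check.
ip access-list extended vpnList1
 permit ip any host 10.10.0.56
 permit ip any host 10.10.0.10
 permit ip any host 192.168.241.19
 permit ip any host 192.168.241.20
!
! Verification after a ping from the DMZ side to 192.168.2.227:
!   show ip nat statistics     - Hits should now increment
!   show ip nat translations   - outside local/global pairs in use
!   show crypto ipsec sa       - encaps/decaps counters for the peer
```

The /27 route is more specific than the connected /24 on Fa0/1, so it wins longest-prefix match for the translated addresses only; the rest of 192.168.2.0/24 (the PIX, the router's own .2) is still reached on Fa0/1 as before. Keeping the statics out of the range the PIX uses for its own hosts avoids a DMZ host and an outside local address colliding on the same 192.168.2.x.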