Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

'ip nat outside source static' problem

I am attempting to configure a 2611XM running 12.2(15)T7 as a "customer connection" VPN router for a client who connects to serveral customer networks with overlapping RFC1918 space. This router has f0/1 connected to the DMZ of a PIX, which PATs all traffic to this interface as the interface address (192.168.2.1). I want to make a static 1-to-1 relationship with each host on the remote network via a 192.168.2.x address with an ip nat outside source static command.

I made this setup work a few months ago on similar hardware, but seem to not be able to reproduce a working setup. I must be missing something.

I can get to the reomte devices I am attemptig to NAT for from the router or another device with their actual RFC1918 address, so the IPSec sid eof this is not the problem. When I try to use the oustide local address I assign, I get nowhere. I can ping it, so I know that the router is responfing for it, but I don't see any crypto being attmepted. A 'sh ip nat sta' shows me that no NAT counters are incrementing at all, making me sure that I've missed something very stupid in my nat config, but I can't seem to find it.

The config is posted below. Any pointers (or solutions!) would be greatly appreciated. Including better ways to accomplish this.

Thanks,

Daryl

------------

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 5

lifetime 28800

!

crypto isakmp key xxxxxxxxxxxxx address yyy.yyy.yyy.yyy

!

!

crypto ipsec transform-set trans3dessha esp-3des esp-sha-hmac

!

crypto map ipsecmap local-address FastEthernet0/0

crypto map ipsecmap 3 ipsec-isakmp

set peer yyy.yyy.yyy.yyy

set transform-set trans3dessha

match address vpnList1

!

interface FastEthernet0/0

ip address zzz.zzz.zzz.25 255.255.255.0

ip nat outside

speed 100

full-duplex

crypto map ipsecmap

!

interface FastEthernet0/1

ip address 192.168.2.2 255.255.255.0

ip nat inside

speed 100

half-duplex

!

ip nat outside source static 192.168.241.19 192.168.2.18

ip nat outside source static 192.168.241.20 192.168.2.19

ip nat outside source static 10.10.0.56 192.168.2.17

ip nat outside source static 10.10.0.10 192.168.2.20

ip nat outside source static 68.85.95.0 192.168.2.25

ip route 0.0.0.0 0.0.0.0 zzz.zzz.zzz.1

!

!

!

ip access-list extended vpnList1

permit ip any host 10.10.0.56

permit ip any host 10.10.0.10

permit ip any host 192.168.241.19

permit ip any host 192.168.241.20

!

3 REPLIES

Re: 'ip nat outside source static' problem

Hello,

When you are trying to create IPSEC with NAT, the interesting traffic should be from the Natted outside IP and not from the Inside local IP. Change the access-list to match traffic from outside local IP and check.

New Member

Re: 'ip nat outside source static' problem

Thanks for the idea. It doesn't seem to make a difference in this case. Unless I'm interperting the output incorrectly, it appears that NAT isn't working at all....when I try to hit one of my inside globals (with ping or telnet, for example), the counters never increment, and deb ip nat det shows no output:

Total active translations: 5 (5 static, 0 dynamic; 0 extended)

Outside interfaces:

FastEthernet0/0

Inside interfaces:

FastEthernet0/1

Hits: 0 Misses: 0

Expired translations: 0

Dynamic mappings:

-------

I am under the impression that even pinging these inside globals should be incrementing some counter here. Maybe I'm not correct in the assumption, but I haven't found anything specific in the IOS NAT documentation yet.

New Member

Re: 'ip nat outside source static' problem

Daryl,

The problem is that you need to set the direction for the NAT/Crypto. Since you are assigning inside addresses to an outside host, you will need to put a route that directs those addresses to the outside.

Try putting static routes pointing your nat'ed addresses to the outside. For instance,

ip route 192.168.2.18 255.255.255.255 zzz.zzz.zzz.1

(or to Fa0/0, either way, so long as it's your crypto map interface on the outside)

To make things easier for you, assign your outside statics in a maskable range within 192.168.2.x. This way you can add one static route to the outside interface (via zzz.zzz.zzz.1) to cover all of your [outside] static translations. For example, reserve 192.168.2.224/27 for outside static nat entries and add a route pointing it to the outside.

Hope this helps.

--Tim

760
Views
0
Helpful
3
Replies
CreatePlease login to create content