I am attempting to configure a 2611XM running 12.2(15)T7 as a "customer connection" VPN router for a client who connects to several customer networks with overlapping RFC1918 space. This router has f0/1 connected to the DMZ of a PIX, which PATs all traffic to this interface as the interface address (192.168.2.1). I want to make a static 1-to-1 relationship with each host on the remote network via a 192.168.2.x address with an ip nat outside source static command.
I made this setup work a few months ago on similar hardware, but seem to not be able to reproduce a working setup. I must be missing something.
I can get to the remote devices I am attempting to NAT for from the router or another device with their actual RFC1918 address, so the IPSec side of this is not the problem. When I try to use the outside local address I assign, I get nowhere. I can ping it, so I know that the router is responding for it, but I don't see any crypto being attempted. A 'sh ip nat sta' shows me that no NAT counters are incrementing at all, making me sure that I've missed something very stupid in my nat config, but I can't seem to find it.
The config is posted below. Any pointers (or solutions!) would be greatly appreciated. Including better ways to accomplish this.
When you are trying to create IPSEC with NAT, the interesting traffic should be from the Natted outside IP and not from the Inside local IP. Change the access-list to match traffic from outside local IP and check.
Thanks for the idea. It doesn't seem to make a difference in this case. Unless I'm interpreting the output incorrectly, it appears that NAT isn't working at all. When I try to hit one of my inside globals (with ping or telnet, for example), the counters never increment, and deb ip nat det shows no output:
Total active translations: 5 (5 static, 0 dynamic; 0 extended)
Hits: 0 Misses: 0
Expired translations: 0
I am under the impression that even pinging these inside globals should be incrementing some counter here. Maybe I'm not correct in the assumption, but I haven't found anything specific in the IOS NAT documentation yet.
The problem is that you need to set the direction for the NAT/Crypto. Since you are assigning inside addresses to an outside host, you will need to put a route that directs those addresses to the outside.
Try putting static routes pointing your nat'ed addresses to the outside. For instance,
ip route 192.168.2.18 255.255.255.255 zzz.zzz.zzz.1
(or to Fa0/0, either way, so long as it's your crypto map interface on the outside)
To make things easier for you, assign your outside statics in a maskable range within 192.168.2.x. This way you can add one static route to the outside interface (via zzz.zzz.zzz.1) to cover all of your [outside] static translations. For example, reserve 192.168.2.224/27 for outside static nat entries and add a route pointing it to the outside.
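Putting the advice from this reply together, here is an added example configuration that is not the poster's config (which never made it onto the page) and not anything from the thread's other participants. Everything in it is assumed for illustration: an inside LAN of 192.168.1.0/24 on FastEthernet0/0, the crypto map applied on FastEthernet0/1 (the PIX DMZ side the poster described), one remote customer host at 10.10.10.5 behind the tunnel, the 192.168.2.224/27 block reserved for outside-local addresses as suggested above, crypto map and transform-set names CUSTOMER-VPN and CUSTOMER-TS, and zzz.zzz.zzz.1 kept as the thread's own placeholder for the outside next hop. Interface addresses and ISAKMP policy are omitted. The comments explain why each piece is needed in terms of IOS's order of operations for inside-to-outside packets (routing, then NAT, then the crypto map check), which is why the route must exist for the untranslated address and why the crypto ACL matches the real remote address:

```cisco
! Added example, not the poster's configuration. All addresses and names are assumed.
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
 crypto map CUSTOMER-VPN
!
! Present the remote host's real (overlapping) address 10.10.10.5 to inside users
! as the outside-local address 192.168.2.225, taken from the reserved /27.
ip nat outside source static 10.10.10.5 192.168.2.225
!
! Inside-to-outside packets are routed BEFORE they are translated, so the router
! needs a route for the still-untranslated 192.168.2.225 that points at the crypto
! map interface. One route for the reserved block covers every static in it.
ip route 192.168.2.224 255.255.255.224 zzz.zzz.zzz.1
!
! The crypto map is evaluated AFTER translation on the way out, so the interesting
! traffic ACL matches the real remote address, not the 192.168.2.x alias.
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.10.10.5
!
crypto map CUSTOMER-VPN 10 ipsec-isakmp
 set peer zzz.zzz.zzz.1
 set transform-set CUSTOMER-TS
 match address 101
!
! Verification from exec mode (constructed expectations, not captured output):
!   show ip nat statistics   - Hits should increment once inside hosts reach 192.168.2.225
!   show ip nat translations - the static entry 10.10.10.5 <-> 192.168.2.225 is listed
!   show crypto ipsec sa     - encaps/decaps counters for the 10.10.10.5 flow increase
```

Without the static route, a packet from the inside LAN to 192.168.2.225 is handed to the connected outside subnet or dropped before NAT ever sees it, which matches the zero Hits counter the poster reported: the router answers pings to the alias itself, but no translation or crypto is attempted. Some IOS releases also accept an add-route keyword on the ip nat outside source static line that installs the equivalent host route for you; the explicit route above does the same thing and makes the dependency visible in the running config.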