Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1138
Views
2
Helpful
7
Replies

Site-to-site VPN issue: Passing public IP through IPSEC

Go to solution
cchristodoulou
Level 1
Level 1

‎03-21-2007 07:08 AM - edited ‎02-21-2020 02:56 PM

Hi all,

I need to create a site-to-site VPN tunnel using IPSEC established over the Internet between two offices. The offices belong to two different companies.

I was given a range of 16 public IP addresses. One of these IPs is used on the ISPs router and it is the next-hop for my router. Another IP from the range is used on my router?s external interface ( which is a Cisco 851) and it is also my site's VPN endpoint. So far so good...

Here is my problem: The source IP for the encrypted traffic, is a public address from within the 16 public IPs I have (not the one on my router's interface). The actual application that needs to send the encrypted data is a server in my LAN, and it has a private IP. The other site, expects to receive the encrypted data however, from the public IP. I used NAT between the private IP address of the server and its public IP, but no data passes through the tunnel. By the way, the tunnel between the two end points establishes with no problem. The problem is that the source of my encrypted data is the public IP and I do not know how to route it through the tunnel. I am attaching the configuration of my router.

Any help is appreciated.

Labels:
Preview file
3 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kaachary
Cisco Employee
Cisco Employee
In response to Kamal Malhotra

‎03-21-2007 07:59 AM

The access-list "natted-traffic" should say :

ip access-list extended natted-traffic

deny ip host 192.168.0.160 host BB.BB.BB.BD

deny ip host 192.168.0.160 host BB.BB.BB.BE

exit

Hope this helps.

-Kanishka

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Kamal Malhotra
Cisco Employee
Cisco Employee

‎03-21-2007 07:53 AM

Hi,

Please try to configure a static instead of port forwarding :

ip nat inside source static 192.168.0.160 AA.AA.AA.AB

HTH,

Please rate if it helps,

Regards,

Kamal

0 Helpful

Go to solution
kaachary
Cisco Employee
Cisco Employee
In response to Kamal Malhotra

‎03-21-2007 07:59 AM

The access-list "natted-traffic" should say :

ip access-list extended natted-traffic

deny ip host 192.168.0.160 host BB.BB.BB.BD

deny ip host 192.168.0.160 host BB.BB.BB.BE

exit

Hope this helps.

-Kanishka

0 Helpful

Go to solution
Kamal Malhotra
Cisco Employee
Cisco Employee
In response to kaachary

‎03-21-2007 08:23 AM

But we need to NAT the traffic rather than nat bypass.

Go to solution
kaachary
Cisco Employee
Cisco Employee
In response to Kamal Malhotra

‎03-21-2007 09:13 AM

That is what this will do !

You have to first deny it from patting, so that its statically natted.

-Kanishka

0 Helpful

Go to solution
cchristodoulou
Level 1
Level 1
In response to kaachary

‎03-21-2007 12:53 PM

kmalhotr and kaachary,

Thank you for the response but unfortunately neither suggestion solved my problem. I have run the VPN TEST through the SDM and it showed the NAT test as successful, along with everything else, except the peer connectivity. As I said before the VPN tunnel is established but cannot pass traffic through it. SDM also reported the following:

*******************************************

Failure Reason(s): The following source(s) are routed through the crypto map interface. 1) AA.AA.AA.AB

Recommended Action(s): Go to 'Configure->Routing' and correct the routing table

*******************************************

If I understand this correctly, I need to tell the traffic originating from IP AA.AA.AA.AB to be forwarded through my VPN endpoint with IP AA.AA.AA.AA. How can I do this though, since IP AA.AA.AA.AB is not configured on any interface, it is in the same IP range as AA.AA.AA.AA and it is only used for staticNATing an internal private IP (192.168.0.160).

0 Helpful

Go to solution
kaachary
Cisco Employee
Cisco Employee
In response to cchristodoulou

‎03-21-2007 01:11 PM

I don't think its the problem with the routing. Can you please post the output of "sh cry ipsec sa" and "sh ip nat trans" when you try to initiate some traffic.

-Kanishka

0 Helpful

Go to solution
cchristodoulou
Level 1
Level 1
In response to kaachary

‎03-22-2007 01:13 PM

Kanishka,

It turns out you were right! I made the changes remotely last night and then tried to test my tunnel through the SDM. SDM gave an error. I kept the changes however and today I tried the tunnel by starting my actual application... it worked like a charm.

My access-list now look like below:

ip access-list extended natted-traffic

deny ip host AA.AA.AA.AB host BB.BB.BB.BD

deny ip host AA.AA.AA.AB host BB.BB.BB.BE

deny ip 192.168.0.0 0.0.0.255 host BB.BB.BB.BD

deny ip 192.168.0.0 0.0.0.255 host BB.BB.BB.BE

permit ip 192.168.0.0 0.0.0.255 any

ip access-list extended vpn-control-list

permit ip host AA.AA.AA.AB host BB.BB.BB.BD

permit ip host AA.AA.AA.AB host BB.BB.BB.BE

permit ip host 192.168.0.160 host BB.BB.BB.BD

!

Probably I can remove a couple of lines out of there, something to try tomorrow!

Thank you for the help.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents