Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAT problem in a LAN to LAN IPSEC connection.

Hi all again,

I configure two cisco 877 to establish a ipsec tunnel, i would like access internet from a host in the remote side of the tunnel but i have a problem with nat.

This are my configs:

!!!!!!!!ROUTER A

crypto isakmp policy 1

hash md5

authentication pre-share

lifetime 3600

crypto isakmp key XX address 1.2.3.4

crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac

!

crypto map cm-cryptomap local-address Dialer1

crypto map cm-cryptomap 4 ipsec-isakmp

set peer 1.2.3.4

set transform-set cm-transformset-1

match address 162

interface Dialer1

.

.

ip nat outside

crypto map cm-cryptomap

!

access-list 103 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255

access-list 103 permit ip 10.0.0.0 0.0.255.255 any

access-list 162 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255

access-list 162 permit ip host 66.102.9.99 10.0.1.0 0.0.0.255

!

ip route 0.0.0.0 0.0.0.0 Dialer1

!

interface Vlan1

ip address 10.0.0.1 255.255.255.0

ip nat inside

!

ip nat inside source list 103 interface Dialer1 overload

!!!!!!!ROUTER B

crypto isakmp policy 1

hash md5

authentication pre-share

lifetime 3600

crypto isakmp key XX address 5.6.7.8

!

crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac

!

crypto map cm-cryptomap local-address Dialer1

crypto map cm-cryptomap 1 ipsec-isakmp

set peer 5.6.7.8

set transform-set cm-transformset-1

match address 110

!

interface Dialer1

.

.

ip nat outside

crypto map cm-cryptomap

!

access-list 103 deny ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255

access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99

access-list 103 permit ip 10.0.0.0 0.0.255.255 any

access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 110 permit ip 10.0.1.0 0.0.0.255 host 66.102.9.99

!

ip route 0.0.0.0 0.0.0.0 Dialer1

!

interface Vlan1

ip address 10.0.0.1 255.255.255.0

ip nat inside

!

ip nat inside source list 103 interface Dialer1 overload

Then, when I ping from a host on router B (10.0.1.2) to the ip 66.102.9.99, this packet flows via ipsec tunel and go out to internet trough router A but NAT doesn't work. I can see the packet on wan side with the private ip of original host instead the overload of Dialer1.

I think that this occurs because my Dialer1 is a outside interface and traffic from router B arrive via this one and go out to internet again trough Dialer1 without pass trough a nat inside interface.

I can't use tunnels like ipinip, gre, etc.

Somebody knows how can i resolve this?

thanks in advance.

11 REPLIES
Bronze

Re: NAT problem in a LAN to LAN IPSEC connection.

Could you try doing the same using a Route Map in the NAT Overload Statements?

Document ID: 7276

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml

New Member

Re: NAT problem in a LAN to LAN IPSEC connection.

Yes, i try with route map but the problem persist.

I think that i need to set inbound traffic from ipsec as ip nat inside but i don't know how.

New Member

Re: NAT problem in a LAN to LAN IPSEC connection.

What are you trying to accomplish?

If you PING from 10.0.1.2 to 66.102.9.99, the traffic will go

through the tunnel to Router A. (as per the configs).

What do you mean that NAT does not work? Do you mean regular

Internet traffic from Router B that should go to any other

destination that is not 10.0.0.0/24 nor 66.102.9.99?

In other words, Router's B internal LAN is not getting to the

Internet?

According to the configuration if you're sitting on host

10.0.1.2 and you try to go to any other destination besides

the remote IPSec tunnel, the traffic should flow through the

Internet (if this traffic is coming from VLAN1 and going out

Dialer1) because those interfaces are where you have the NAT

statements applied.

Is this the problem that you're having?

New Member

Re: NAT problem in a LAN to LAN IPSEC connection.

Can you post a debug ip packet on Routers to see what the trranslations look like at each end

New Member

Re: NAT problem in a LAN to LAN IPSEC connection.

Thanks all for the answers.

fedecotof, that is not exactly my problem.

I will try to explain my scenario and my problems with a picture.

I am sitting on Host B.

I can access any internet host through Router B.

I can ping Host A.

But, there are one host on internet that only accept traffic with source ip of Router A Dialer1.

Then, I send a ping from Host B to Host 66.102.9.99.

The ping flows through IPSEC tunnel and go out internet from Router A. I am sniffing on a host between Router A and Host 66.102.9.99(Internet)

In this host i can watch the ping but i watch this ping with source ip 10.0.0.5 instead the wan IP of Router A.

New Member

Re: NAT problem in a LAN to LAN IPSEC connection.

Nobody has a idea?

Bronze

Re: NAT problem in a LAN to LAN IPSEC connection.

Hi,

I'm guessing the NAT isn't being applied because it's not flowing through the router from inside to out. You have defined "ip nat inside" on your VLAN interface, however the packet doesn't arrive from here.

Why aren't you using Router B's internet connection? Could you register Router B's IP with your 3rd party?

Do you have a proxy server in network A you can bounce this traffic off?

Is there NAT capable device inside network A you can bounce this traffic off?

Regards

New Member

Re: NAT problem in a LAN to LAN IPSEC connection.

Thank you for your interest James,

Yes, that is my problem and i need to workaround.

>Why aren't you using Router B's internet connection? Could you register Router B's IP with your 3rd party?

Because the 3rd party provider only permit Router A ip and i can't register router B ip.

Do you have a proxy server in network A you can bounce this traffic off?

I don't have, i only have control over routers.

Is there NAT capable device inside network A you can bounce this traffic off?

No... :(

New Member

Re: NAT problem in a LAN to LAN IPSEC connection.

So when ping from a host on router B (10.0.1.2) to the ip 66.102.9.99, this packet flows via ipsec tunel and go out to internet trough router A but NAT doesn't work. I can see the packet on wan side with the private ip of original host instead the overload of Dialer1.

Like you said what it looks like based upon the config is that based upon this access-list

access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99

which acts as identity NAT, meaning aby traffic sourced from your internal Lan, and destined to 66.102.9.99 will not get Pat(d)to the outside Dialer1 interface, so thats why you dont see the src address of the packet leaving the Dialer1 interface.

Based upon your Nat statement you are performing Dynamic PAT

ip nat inside source list 103 interface Dialer1 overload, and the only traffic getting Pat(d) would be any traffic not destined for the 10.0.0.0 network and 66.102.9.99 host.

New Member

Re: NAT problem in a LAN to LAN IPSEC connection.

So when ping from a host on router B (10.0.1.2) to the ip 66.102.9.99, this packet flows via ipsec tunel and go out to internet trough router A but NAT doesn't work. I can see the packet on wan side with the private ip of original host instead the overload of Dialer1.

Like you said what it looks like based upon the config is that based upon this access-list

access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99

which acts as identity NAT, meaning aby traffic sourced from your internal Lan, and destined to 66.102.9.99 will not get Pat(d)to the outside Dialer1 interface, so thats why you dont see the src address of the packet leaving the Dialer1 interface.

Based upon your Nat statement you are performing Dynamic PAT

ip nat inside source list 103 interface Dialer1 overload, and the only traffic getting Pat(d) would be any traffic not destined for the 10.0.0.0 network and 66.102.9.99 host.

New Member

Re: NAT problem in a LAN to LAN IPSEC connection.

So when ping from a host on router B (10.0.1.2) to the ip 66.102.9.99, this packet flows via ipsec tunel and go out to internet trough router A but NAT doesn't work. I can see the packet on wan side with the private ip of original host instead the overload of Dialer1.

Like you said what it looks like based upon the config is that based upon this access-list

access-list 103 deny ip 10.0.0.0 0.0.255.255 host 66.102.9.99

which acts as identity NAT, meaning aby traffic sourced from your internal Lan, and destined to 66.102.9.99 will not get Pat(d)to the outside Dialer1 interface, so thats why you dont see the src address of the packet leaving the Dialer1 interface.

Based upon your Nat statement you are performing Dynamic PAT

ip nat inside source list 103 interface Dialer1 overload, and the only traffic getting Pat(d) would be any traffic not destined for the 10.0.0.0 network and 66.102.9.99 host.

248
Views
5
Helpful
11
Replies
CreatePlease to create content