
New Member

NAT Interface Overload

Dear Experts,

I have a strange issue. My configs were working perfectly on 12.4; when I changed the router to an 887VA with IOS 15.1, NAT doesn't work for internet traffic.

I have configured the EZVPN client on my new 887VA router connecting to HO. The VPN is established perfectly, but the traffic for the internet stops. When I remove the crypto command from my outside interface it starts translating and the NAT for internet traffic works fine.

35 REPLIES
New Member

NAT Interface Overload

Hello Clark,

Not sure if this will help, but I have encountered a similar issue which was solved by performing the NAT via a route-map.

Please try the following configuration:

route-map NAT permit 10
  match ip address 100
  match interface Dialer0
!
ip nat inside source route-map NAT interface Dialer0 overload

Regards,

Valentine

New Member

NAT Interface Overload

Dear,

I tried this before but I am still facing the same issue.

Cisco Employee

NAT Interface Overload

Hi Clark,

I am not entirely sure but my thoughts revolve about a different thing: you say that when you have the EzVPN client running, the NAT does not work, and when you remove the crypto ipsec client command from your Dialer0 interface, the internet connectivity resumes.

I wonder how the routing changes when you have the VPN running. Does the HQ send you a set of routes that could potentially take over your current routing, including the default route? What does the traceroute show when the VPN is running? Would it confirm that the packets are actually being carried over to the HQ site? Optionally, can you post the show ip route command output during the time VPN is up?

Best regards,

Peter

New Member

NAT Interface Overload

Thanks Peter for the reply.

I wonder how the routing changes when you have the VPN running. Does the HQ send you a set of routes that could potentially take over your current routing, including the default route?

NO

What does the traceroute show when the VPN is running?

If I do a traceroute to 8.8.8.8, the traffic hits HO (EzVPN server).

Would it confirm that the packets are actually being carried over to the HQ site?

YES

Optionally, can you post the show ip route command output during the time VPN is up?

Router#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      85.0.0.0/32 is subnetted, 2 subnets
C        85.154.72.1 is directly connected, Dialer0
C        85.154.78.33 is directly connected, Dialer0
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1

Cisco Employee

NAT Interface Overload

Hi Clark,

In the case the HQ is not sending any routes (i.e. no split tunneling is performed), the EzVPN client will add a (possibly hidden) default route via the HQ site. That confirms the behavior you're seeing. Can you actually configure the HQ site to advertise only those routes to you that should be available through the tunnel? We need to do split tunneling here.

Best regards,

Peter

New Member

NAT Interface Overload

Thanks for the reply,

The split tunneling is configured on the HQ router.

I have 10 locations running with 870 routers. The 10th location's router went faulty; I replaced that router with an 887VA router and configured the same config on the 887VA router that was on the 870 router.

Things were working perfectly on 12.4 IOS; once I changed the router to an 887VA with 15.0 IOS, everything stopped working.

Thanks

Cisco Employee

Re: NAT Interface Overload

Hi Clark,

Hmmm... would you mind entering the crypto ipsec client ezvpn EZ mode on your 887VA and adding the following command?

virtual-interface

so the configuration will look like:

crypto ipsec client ezvpn EZ
  ! other configuration will remain intact
  virtual-interface

This configuration change will cause the router to create a Virtual-Access interface through which the split tunnel is being represented in the routing table. I assume this should help us to avoid all traffic being pulled into the VPN tunnel.

After changing the configuration, you will need to tear down the VPN and let it come up again. After this, please again post the output of the show ip route command. Thanks!

Best regards,

Peter

New Member

NAT Interface Overload

Hello Peter,

After entering the command the VPN went down and it did not come up again. It removed the command from the Dialer0 interface; I manually put it back again, but the status is still the same.

Thanks

Cisco Employee

NAT Interface Overload

Hi Clark,

Okay, a slight modification. Add these lines to your running-config:

interface Virtual-Template1 type tunnel
  tunnel-mode ipsec ipv4
!
crypto ipsec client ezvpn EZ
  no virtual-interface
  virtual-interface 1

Regardless of whether the VPN comes up or not, after modifying your configuration and trying to reestablish the VPN, please post the output of the show ip route and show crypto ipsec client ezvpn commands. Thank you!

Best regards,

Peter

New Member

Re: NAT Interface Overload

Dear Peter,

interface Virtual-Template1 type tunnel
  tunnel-mode ipsec ipv4

As soon as I execute the command below:

crypto ipsec client ezvpn EZ
  virtual-interface 1

EZVPN: For virtual-interface to take effect apply ezvpn on a real interface

Aug 25 18:58:21.248: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to down
Router(config-crypto-ezvpn)#do sh ip rout
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      62.0.0.0/32 is subnetted, 2 subnets
C        62.61.160.1 is directly connected, Dialer0
C        62.61.173.250 is directly connected, Dialer0
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1
Router(config-crypto-ezvpn)#

############################################

Router#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
ATM0.1                     unassigned      YES unset  up                    up
Dialer0                    62.61.173.XX    YES IPCP   up                    up
Ethernet0                  unassigned      YES NVRAM  administratively down down
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  up                    up
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
NVI0                       119.127.99.1    YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    down
Virtual-Access3            unassigned      YES unset  down                  down
Virtual-Access4            unassigned      YES unset  up                    down
Virtual-Access5            unassigned      YES unset  up                    down
Virtual-Template1          unassigned      YES unset  up                    down
Vlan1                      119.127.99.1    YES NVRAM  up                    up
Router#

##################################################################

Router#sh cry ipse cli ezvpn
Easy VPN Remote Phase: 8
Tunnel name : EZ
Inside interface list: Vlan1
Outside interface: Virtual-Access5
Current State: IDLE
Last Event: REMOVE_INTERFACE_CFG
Save Password: Disallowed
Current EzVPN Peer: 85.154.XX.XX

Cisco Employee

Re: NAT Interface Overload

Hi Clark,

I've tested this in Dynamips. It seems that there is some sort of a bug that prevents the client configuration from correctly being modified using the virtual-interface command if the EzVPN client is already activated on interfaces. It results in the erroneous messages about 'only a single outside interface allowed'.

It seems that one of the ways to rectify this is to simply remove the entire EzVPN client configuration and paste it back. So if you don't mind, please try doing just that, e.g.:

interface Dialer0
  no crypto ipsec client ezvpn EZ
!
crypto ipsec client ezvpn EZ
  no virtual-interface
  exit
no crypto ipsec client ezvpn EZ
!
! At this point, make absolutely sure that no EzVPN config
! has remained in your router
!
crypto ipsec client ezvpn EZ
  virtual-interface
  connect auto
  group KK key 123
  mode network-extension
  peer 85.85.85.86 default
  xauth userid mode interactive
  exit
interface Vlan1
  crypto ipsec client ezvpn EZ inside
  exit
interface Dialer0
  crypto ipsec client ezvpn EZ outside
  end

Looking forward to hearing from you!

Best regards,

Peter

New Member

Re: NAT Interface Overload

Sorry, I saw your reply late. Give me 5 min and I will reply to you.

New Member

Re: NAT Interface Overload

Dear Peter

Still the same: no ping from the internal LAN to IP 8.8.8.8, nor am I able to ping from the router itself.

Here are the outputs.


Router(config-if)#do sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES manual up                    up     
ATM0.1                     unassigned      YES unset  up                    up     
Dialer0                    85.154.200.4    YES IPCP   up                    up     
Ethernet0                  unassigned      YES NVRAM  administratively down down   
FastEthernet0              unassigned      YES unset  down                  down   
FastEthernet1              unassigned      YES unset  up                    up     
FastEthernet2              unassigned      YES unset  down                  down   
FastEthernet3              unassigned      YES unset  down                  down   
NVI0                       119.127.99.1    YES unset  up                    up     
Virtual-Access1            unassigned      YES unset  up                    up     
Virtual-Access2            unassigned      YES unset  up                    down   
Virtual-Access3            unassigned      YES unset  down                  down   
Virtual-Access4            unassigned      YES unset  up                    down   
Virtual-Access5            unassigned      YES unset  up                    down   
Virtual-Access6            85.154.200.4    YES unset  up                    up     
Virtual-Template1          unassigned      YES unset  up                    down   
Vlan1                      119.127.99.1    YES NVRAM  up                    up 

###############################

Router(config-if)# do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access6
                is directly connected, Dialer0
      85.0.0.0/32 is subnetted, 3 subnets
C        85.154.200.1 is directly connected, Dialer0
C        85.154.200.4 is directly connected, Dialer0
S        85.154.237.218 [1/0] via 0.0.0.0, Dialer0
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1
Router(config-if)#

#################################

Router#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8
Tunnel name : EZ
Inside interface list: Vlan1
Outside interface: Virtual-Access6 (bound to Dialer0)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Current EzVPN Peer: 85.154.XX.XX
Router#

Cisco Employee

Re: NAT Interface Overload

Hi Clark,

At least now you can see that the split tunnel is not working - the routing table now clearly shows that all you are getting from the HQ is a default route that points through the Virtual-Access interface back to the HQ. Your router basically load-balances over the Dialer (non-VPN) and Virtual-Access (VPN) interfaces indiscriminately.

The most correct solution would be to correct the HQ configuration because at present, it is not sending a proper split tunnel configuration to your own router. However, I do not know if changing the HQ's configuration is currently in your power, or whether it is acceptable. Definitely, though, the split tunneling configuration on HQ is not correct, and HQ is not sending the set of local routes to be carried across the VPN to your router.

Best regards,

Peter
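The reading Peter does of the routing table above can be automated. This is an added example, not code from the thread or from Cisco: it parses `show ip route` text and flags a default route that leaves through a Virtual-Access interface with no more-specific tunnel routes beside it, which is what a missing split-tunnel list looks like from the client. The two embedded dumps are excerpts of the tables posted earlier in this thread.

```python
import re

# A route entry starts with a code (S*, C, L, S ...) followed by the prefix.
_ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z12*]*)\s+(?P<prefix>\d+(?:\.\d+){3}(?:/\d+)?)\s+(?P<rest>.*)$")
# One forwarding path: "via <next-hop>, <intf>" or "is directly connected, <intf>".
_PATH_RE = re.compile(
    r"(?:via\s+\d+(?:\.\d+){3},\s*|is directly connected,\s*)(?P<intf>[A-Za-z][\w-]*?\d+)")
TUNNEL = "Virtual-Access"  # EzVPN in virtual-interface mode names its tunnel interface this way


def parse_routes(show_ip_route: str) -> dict:
    """Map each prefix to its egress interfaces. Extra paths for the same
    prefix appear on indented continuation lines that carry no code."""
    routes, current = {}, None
    for line in show_ip_route.splitlines():
        if m := _ROUTE_RE.match(line):
            current = m.group("prefix")
            routes[current] = [p.group("intf") for p in _PATH_RE.finditer(m.group("rest"))]
        elif current and line[:1].isspace():
            routes[current].extend(p.group("intf") for p in _PATH_RE.finditer(line))
    return routes


def diagnose(show_ip_route: str) -> dict:
    """A default route through the tunnel with no more-specific tunnel routes
    means no split tunnel: internet traffic is pulled into the VPN and never
    reaches the NAT on Dialer0."""
    routes = parse_routes(show_ip_route)
    default_paths = routes.get("0.0.0.0/0", [])
    via_tunnel = any(p.startswith(TUNNEL) for p in default_paths)
    split_routes = [pfx for pfx, paths in routes.items()
                    if pfx != "0.0.0.0/0" and any(p.startswith(TUNNEL) for p in paths)]
    return {"default_paths": default_paths, "default_via_tunnel": via_tunnel,
            "split_tunnel_routes": split_routes,
            "no_split_tunnel": via_tunnel and not split_routes}


# Excerpts reproduced from the two routing tables posted earlier in this thread.
ROUTES_BEFORE = """\
S*    0.0.0.0/0 is directly connected, Dialer0
      62.0.0.0/32 is subnetted, 2 subnets
C        62.61.160.1 is directly connected, Dialer0
C        62.61.173.250 is directly connected, Dialer0
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1
"""
ROUTES_AFTER = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access6
                is directly connected, Dialer0
      85.0.0.0/32 is subnetted, 3 subnets
C        85.154.200.1 is directly connected, Dialer0
S        85.154.237.218 [1/0] via 0.0.0.0, Dialer0
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1
"""

if __name__ == "__main__":
    for label, dump in (("before", ROUTES_BEFORE), ("after virtual-interface", ROUTES_AFTER)):
        print(label, diagnose(dump))
```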

New Member

Re: NAT Interface Overload

OK, here are the HQ configs. Have a look at the group where the ACL is used for the split tunnel.

Cisco Employee

Re: NAT Interface Overload

Clark,

I've got them downloaded and I am going to check the contents.

Best regards,

Peter

New Member

NAT Interface Overload

Peter, thanks for all the replies; we are just about to reach success. Please cooperate until we get there.

How are the other 9 locations running without any issue with 870 routers on 12.4 IOS? I think there is something different in how 15.0 IOS treats the split tunnel.

Thanks

Cisco Employee

Re: NAT Interface Overload

Hi Clark,

Hmmm... This is becoming convoluted.

Can you afford to run debugs on the 887VA? If yes please activate the debug crypto ipsec client ezvpn command followed by terminal monitor if you are working remotely, and then trigger the VPN reestablishment by issuing the clear crypto ipsec client ezvpn command. The debug output will be rather large but I will need it to be captured in its entirety and posted here.

Thank you!

Best regards,

Peter

New Member

NAT Interface Overload

OK, I will do it.

New Member

Re: NAT Interface Overload

Here is the attachment. I didn't change the peer IP address for the client, so don't be surprised. I noticed that I am not able to ping from the router itself after creating the virtual interface.

Cisco Employee

Re: NAT Interface Overload

Clark,

I believe I have found the problem in the HQ's configuration. Your ISAKMP profile that defines how the IPsec clients are authenticated does not match the group name KK. Paste the following lines to the HQ's configuration:

crypto isakmp profile client
  match identity group KK
  end

This will add another identity to the ISAKMP profile. After this change on HQ, issue the clear crypto ipsec client ezvpn on the 887VA and test the behavior again.

Best regards,

Peter

New Member

Re: NAT Interface Overload

Hello Peter,

I noticed this before but I didn't touch it because the existing ones are working. But per your previous reply I made the changes and the client was not able to connect.

Attached are the debugs from the client router; it gets stuck in Xauth.

Cisco Employee

Re: NAT Interface Overload

Clark,

The HQ's configuration is quite messy - there are ISAKMP profiles and IPsec client configuration groups that do not seem to be used. Can we perhaps streamline its configuration? I guess the dynmap crypto dynamic-map is unused and can be removed, and I am not sure about the cana configuration group. Can you have a look and tell me what can be removed from the HQ's config?

Best regards,

Peter

New Member

Re: NAT Interface Overload

Dear Peter

Sure, I will do that, but I want to know from you: can we add two match identity statements in the profile 'client'? It will not affect the client connection?

crypto isakmp profile client
  match identity group KK
  match identity group abc
  end

Thanks

Cisco Employee

Re: NAT Interface Overload

Hi Clark,

To my best knowledge, a crypto isakmp profile can contain multiple match identity statements and they act like a logical OR - they simply map multiple identities to the ISAKMP profile. Also, adding an identity match statement into an ISAKMP profile should not affect any existing IPsec sessions.

By the way, the client is not stuck in Xauth. Quite the contrary, it expects you to enter the following command:

crypto ipsec client ezvpn xauth

and to enter the proper username and password. The reason it did not request the username and password up to now is because the KK clients were not mapped to the ISAKMP configuration that actually requests an Xauth. Let me rephrase that: because of this configuration error on HQ, your EzVPN clients in the KK configuration group were actually allowed to connect without user authentication - based only on the group authentication using a pre-shared key. Most certainly, that is not what you wanted. Please be aware that after you add the KK identity to your existing ISAKMP profile, all clients in the KK identity will be, sooner or later, required to authenticate using Xauth in the same way.

Is it required that you enter the username and password manually? Should this not be stored in the configuration of the clients?

Best regards,

Peter

New Member

NAT Interface Overload

Dear Peter,

I told you that I have 10 sites, but actually I have more than 10 sites and all will be affected once their VPN is disconnected, because they will have to authenticate.

So what alternative can be used rather than visiting each VPN client and configuring the username and password?

Is it required that you enter the username and password manually?

NO

Should this not be stored in the configuration of the clients?

NO

Thanks

Cisco Employee

NAT Interface Overload

Clark,

Well, if the KK clients are not supposed to be actually doing the Xauth authentication then we need to create a separate ISAKMP profile for them that does not require them to authenticate - something along the lines of:

crypto isakmp profile KKclients
  match identity group KK
  client configuration address respond

In this case, the match identity group KK must be present only in this ISAKMP profile and no other.

These configuration changes on HQ have to be performed carefully - you always need to have a backup of the original HQ's configuration handy in case a configuration change causes unforeseen issues.

Best regards,

Peter
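The two HQ-side conditions Peter describes (a configuration group that no ISAKMP profile matches, so its clients never reach the profile that enforces Xauth, and a group matched by more than one profile) can be checked mechanically. The following is an added example that audits an IOS running-config excerpt; it is not from the thread or from Cisco, the config text and the names `userauth` and `abc` are constructed for it, and it treats the `client authentication list` sub-command as the marker that Xauth is enabled in a profile.

```python
import re

_PROFILE_RE = re.compile(r"^crypto isakmp profile (\S+)\s*$")
_GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)\s*$")

def parse_config(config: str):
    """Return ({profile: [sub-commands]}, [group names]); a block ends at '!' or the next top-level command."""
    profiles, groups, current = {}, [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line[:1].isspace():
            if current is not None:         # sub-command of the open profile
                profiles[current].append(line.strip())
        else:
            current = None                  # some other top-level command
            if m := _PROFILE_RE.match(line):
                current = m.group(1)
                profiles[current] = []
            elif m := _GROUP_RE.match(line):
                groups.append(m.group(1))
    return profiles, groups

def audit_hq(config: str) -> dict:
    """Report how each EzVPN group is steered to an ISAKMP profile."""
    profiles, groups = parse_config(config)
    group_to_profiles, xauth = {}, {}
    for name, lines in profiles.items():
        # `client authentication list` is what switches Xauth on in a profile.
        xauth[name] = any(l.startswith("client authentication list") for l in lines)
        for l in lines:
            if m := re.match(r"match identity group (\S+)", l):
                group_to_profiles.setdefault(m.group(1), []).append(name)
    return {
        # Matched by several profiles: the winning profile is not the intended one.
        "ambiguous_groups": {g: p for g, p in group_to_profiles.items() if len(p) > 1},
        # Matched by no profile: never steered to the Xauth profile (the HQ condition in this thread).
        "unmatched_groups": [g for g in groups if g not in group_to_profiles],
        "group_requires_xauth": {g: any(xauth[p] for p in ps)
                                 for g, ps in group_to_profiles.items()},
    }

# Constructed HQ config: group KK is defined but matched by no profile.
HQ_CONFIG = """\
crypto isakmp client configuration group abc
!
crypto isakmp client configuration group KK
!
crypto isakmp profile client
 match identity group abc
 client authentication list userauth
 client configuration address respond
!
"""
# Peter's fix: a dedicated profile for KK without Xauth, KK matched nowhere else.
HQ_CONFIG_FIXED = HQ_CONFIG + """\
crypto isakmp profile KKclients
 match identity group KK
 client configuration address respond
!
"""
if __name__ == "__main__":
    print(audit_hq(HQ_CONFIG), audit_hq(HQ_CONFIG_FIXED), sep="\n")
```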

New Member

NAT Interface Overload

Hello Peter,

I put only one match identity command and it still doesn't work. Again it is asking me to enter the commands below:

Pending XAuth Request, Please enter the following command:
Aug 29 14:14:55.941: EZVPN: crypto ipsec client ezvpn xauth

Thanks

Cisco Employee

NAT Interface Overload

Hi Clark,

Would you perhaps be willing to post your HQ config once again after the changes? I would like to see the latest version and try it out on my topology. Has the client's configuration been changed in any significant way?

Best regards,

Peter
