Static NAT & IPSec on Cisco 881W

pkpatel (Level 1)

Hello,

I have an 881W with the configuration posted below along with the IOS version. The site has a local Exchange server and also a LAN-to-LAN IPSec tunnel. Exchange's internal IP is statically NAT'd. The problem is that when a static NAT for Exchange is in place, Exchange is not accessible through the tunnel. The scenario is as below:

  1. Exchange's internal IP: 10.50.80.21
  2. Exchange's NAT'd IP: 65.X.X.216
  3. IPSec interesting traffic: Local - 10.50.80.0/24, remote - 192.168.189.0/24
  4. Static NAT for Exchange in place: the Exchange server can be accessed over the Internet. We can RDP in to Exchange's NAT'd public IP, 65.X.X.216. But Exchange is no longer accessible through the tunnel. You cannot ping 192.168.189.1 from the Exchange server.
  5. Static NAT removed: the Exchange server is no longer accessible over the Internet, as expected. Pings from Exchange to 192.168.189.1 are successful.
  6. The Cisco 881 is running "c880data-universalk9-mz.152-1.T1.bin". The behavior was also seen on the "c880data-universalk9-mz.150-1.M7.bin" IOS.

Please help.

Thanks,
Paresh

===================

boot-start-marker
boot system flash:c880data-universalk9-mz.152-1.T1.bin
boot-end-marker
!
!
logging buffered 50000 informational
!
no aaa new-model
memory-size iomem 10
clock timezone CT -6 0
clock summer-time CT recurring
crypto pki token default removal timeout 0
!
ip inspect max-incomplete high 20000000
ip inspect max-incomplete low 750
ip inspect one-minute low 750
ip inspect one-minute high 20000000
ip inspect tcp idle-time 14400
ip inspect tcp max-incomplete host 150 block-time 0
ip inspect name FIREWALL tcp timeout 7200
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL smtp
ip cef
no ipv6 cef
!
!
track 10 ip sla 10 reachability
delay down 30 up 10
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key *********** address 68.X.X.36    no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set rtpset esp-aes 256 esp-sha-hmac
!
!
!
crypto map rtpset 100 ipsec-isakmp
set peer 68.7X.X.36
set security-association lifetime seconds 28800
set transform-set rtpset
set pfs group5
match address IPSEC-LIST
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
shutdown
!
interface FastEthernet4
description PRIMARY WAN - CONNECTS TO PRIMARY CABLE
ip address 65.X.X.6 255.255.255.0
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
duplex auto
speed auto
crypto map rtpset
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
description CONNECTS LAN
ip address 10.50.80.250 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
!
interface Vlan2
description BACKUP WAN - CONNECTS TO BACKUP
ip address 166.X.X.168 255.255.255.0
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
shutdown
crypto map rtpset
!
ip local policy route-map BACKUP_RMAP_1
ip forward-protocol nd
!
ip nat inside source route-map BACKUP-NAT-MAP interface Vlan2 overload
ip nat inside source static 10.50.80.21 65.X.X.216
ip nat inside source route-map PRIMARY-NAT-MAP interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 65.X.X.1 track 10
ip route 0.0.0.0 0.0.0.0 166.X.X.254 250
!
ip access-list extended IPSEC-LIST
permit ip 10.50.80.0 0.0.0.255 192.168.189.0 0.0.0.255
ip access-list extended NAT-LIST
deny   ip 10.50.80.0 0.0.0.255 192.168.189.0 0.0.0.255
permit ip 10.50.80.0 0.0.0.255 any
!
ip sla 10
icmp-echo 4.2.2.2 source-interface FastEthernet4
frequency 15
ip sla schedule 10 life forever start-time now
access-list 101 permit icmp any host 4.2.2.2 echo
no cdp run
!
!
!
!
route-map BACKUP-NAT-MAP permit 10
match ip address NAT-LIST
match interface Vlan2
!
route-map BACKUP_RMAP_1 permit 1
match ip address 101
set ip next-hop 65.X.X.1
set interface Null0
!
route-map PRIMARY-NAT-MAP permit 10
match ip address NAT-LIST
match interface FastEthernet4
!
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
!

================

boot-start-marker
boot system flash:c880data-universalk9-mz.152-1.T1.bin
boot-end-marker
!
!
logging buffered 50000 informational
!
no aaa new-model
memory-size iomem 10
clock timezone CT -6 0
clock summer-time CT recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-96086277
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-96086277
revocation-check none
rsakeypair TP-self-signed-96086277
!
!
crypto pki certificate chain TP-self-signed-96086277
certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39363038 36323737 301E170D 31323032 30363231 30343430
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D393630 38363237
  3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100DCCC
  083B1A97 28662E10 AF6FAA0E FD69D34D 56FBC5B2 FB28D6B7 5462821E A061D114
  5C3D8D33 9F916002 9993C8E8 8D97003D DC7C820C 55A31B6E DA29BFF9 D70A29A9
  5EBF35E1 7196B218 2902EF8A 50B43C37 780A6AAC 2DF95F60 F69692F7 21EDCE7C
  30665912 635A2649 7BE89D93 7CA3172D 83B6A549 3EEA9F64 A053D013 23B10203
  010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 551D1104
  1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 301F0603
  551D2304 18301680 14BB894B 966D5376 84DF75AA C1A6AE06 604D0762 33301D06
  03551D0E 04160414 BB894B96 6D537684 DF75AAC1 A6AE0660 4D076233 300D0609
  2A864886 F70D0101 04050003 8181003D 3B97AB2E 52EB3B7F 4EB3D2ED 2C8EF9C2
  DBBABAE2 8610B41D 9F53BDD3 50262F76 E86BE550 62A0084B 60E28D3C 25537531
  D9188777 1F593FE9 E2F89C30 0D3216E2 C2A34C19 12998147 1F7AFE7D C9FACD66
  9D93F385 DBA187FF 92721F80 D9BFA754 6143A626 114D5782 9F937336 F13CC7A4
  7BA39C6C 80D87586 82CA5C28 AD6ACF
        quit
!
!
!
ip dhcp excluded-address 10.10.10.1
!
!
no ip domain lookup
ip domain name ipractice.com
ip inspect max-incomplete high 20000000
ip inspect max-incomplete low 750
ip inspect one-minute low 750
ip inspect one-minute high 20000000
ip inspect tcp idle-time 14400
ip inspect tcp max-incomplete host 150 block-time 0
ip inspect name FIREWALL tcp timeout 7200
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL smtp
ip cef
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX15468444
!
!
username clay privilege 15 password 0 clay123
username ppatel privilege 15 secret 5 $1$UT5B$FzYxHwEDjiJ0Kjpucv1Pq.
!
!
!
!
!
!
track 10 ip sla 10 reachability
delay down 30 up 10
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key iPRAC001PeakTen address 68.71.106.36    no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set rtpset esp-aes 256 esp-sha-hmac
!
!
!
crypto map rtpset 100 ipsec-isakmp
set peer 68.71.106.36
set security-association lifetime seconds 28800
set transform-set rtpset
set pfs group5
match address IPSEC-LIST
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
shutdown
!
interface FastEthernet4
description PRIMARY WAN - CONNECTS TO PRIMARY CABLE
ip address 65.5.50.6 255.255.255.0
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
duplex auto
speed auto
crypto map rtpset
!        
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
description CONNECTS TO PRACTICE LAN
ip address 10.50.80.250 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
!
interface Vlan2
description BACKUP WAN - CONNECTS TO ACCEL WIRELESS MODEM
ip address 166.200.162.168 255.255.255.0
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
shutdown
crypto map rtpset
!
ip local policy route-map BACKUP_RMAP_1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map BACKUP-NAT-MAP interface Vlan2 overload
ip nat inside source route-map PRIMARY-NAT-MAP interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 65.5.50.1 track 10
ip route 0.0.0.0 0.0.0.0 166.200.162.254 250
!
ip access-list extended EXCHANGE-ACL
permit tcp any eq smtp host 10.50.80.21
permit tcp host 10.50.80.21 eq smtp any
ip access-list extended IPSEC-LIST
permit ip 10.50.80.0 0.0.0.255 192.168.189.0 0.0.0.255
ip access-list extended NAT-LIST
deny   ip 10.50.80.0 0.0.0.255 192.168.189.0 0.0.0.255
deny   ip host 10.50.80.21 any
permit ip 10.50.80.0 0.0.0.255 any
!
ip sla 10
icmp-echo 4.2.2.2 source-interface FastEthernet4
frequency 15
ip sla schedule 10 life forever start-time now
access-list 101 permit icmp any host 4.2.2.2 echo
no cdp run
!
!
!
!
route-map BACKUP-NAT-MAP permit 10
match ip address NAT-LIST
match interface Vlan2
!
route-map BACKUP_RMAP_1 permit 1
match ip address 101
set ip next-hop 65.5.50.1
set interface Null0
!
route-map PRIMARY-NAT-MAP permit 10
match ip address NAT-LIST
match interface FastEthernet4
!
route-map EXCHANGE-MAP permit 10
match ip address EXCHANGE-ACL
match interface FastEthernet4
!
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 129.6.15.28
ntp server 129.6.15.29
event manager applet PRIMARY-DOWN
event track 10 state down
action 10 cli command "enable"
action 11 cli command "config t"
action 12 cli command "int fa 3"
action 13 cli command "no sh"
action 14 cli command "int vlan 2"
action 15 cli command "no sh"
action 16 cli command "end"
action 17 cli command "clear ip nat tr *"
action 18 cli command "clear cry isa"
action 19 cli command "clear ip nat tr *"
event manager applet PRIMARY-UP
event track 10 state up
action 10 cli command "enable"
action 11 cli command "config t"
action 12 cli command "int fa 3"
action 13 cli command "sh"
action 14 cli command "int vlan 2"
action 15 cli command "sh"
action 16 cli command "end"
action 17 cli command "clear ip nat tr *"
action 18 cli command "clear cry isa"
action 19 cli command "clear ip nat tr *"
!
end
Accepted Solution

Neeraj Arora (Level 3)

The reason for this behaviour is that when this static NAT is in place, the server's traffic is getting NATted even when it is being sent out on the tunnel. You need to deny that, so use the following commands:

ip access-list extended exchange
deny ip host 10.50.80.21 192.168.189.0 0.0.0.255
permit ip host 10.50.80.21 any
route-map exchange permit 10
match ip address exchange
no ip nat inside source static 10.50.80.21 65.X.X.216
ip nat inside source static 10.50.80.21 65.X.X.216 route-map exchange

Using the above commands, NAT will happen for the Exchange server only if the destination is anything other than the 192.168.189.0/24 subnet.

Hope it helps.

Neeraj

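Why the accepted answer works, as an added example that is not part of the thread: on IOS, inside-to-outside traffic is NATted before the crypto map's interesting-traffic ACL is checked, so an unconditional static entry rewrites the Exchange server's source address and its VPN-bound packets no longer match IPSEC-LIST; they leave the WAN interface unencrypted towards the default route instead of failing closed. The Python below models that order of operations with the ACLs from the posted config and the "exchange" route-map from the answer. The public addresses are masked on the page (65.X.X.x), so RFC 5737 documentation addresses (203.0.113.0/24) stand in for them; this is illustrative code, not Cisco's implementation.

```python
# Added example: a model of the IOS inside-to-outside order of operations
# (NAT first, then the crypto map) showing why an unconditional static NAT
# breaks the LAN-to-LAN tunnel and why the route-map on the static entry fixes it.
# 203.0.113.x stands in for the masked 65.X.X.x public addresses in the thread.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# (action, source network, destination network), in router evaluation order.
Acl = list[tuple[str, str, str]]

# interesting traffic for "crypto map rtpset" (from the posted config)
IPSEC_LIST: Acl = [("permit", "10.50.80.0/24", "192.168.189.0/24")]
# NAT-LIST used by the PAT route-maps (from the posted config)
NAT_LIST: Acl = [("deny", "10.50.80.0/24", "192.168.189.0/24"),
                 ("permit", "10.50.80.0/24", "0.0.0.0/0")]
# ACL "exchange" from the accepted answer, applied to the static entry via route-map
EXCHANGE_ACL: Acl = [("deny", "10.50.80.21/32", "192.168.189.0/24"),
                     ("permit", "10.50.80.21/32", "0.0.0.0/0")]


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_permits(acl: Acl, pkt: Packet) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, src_net, dst_net in acl:
        if _in(pkt.src, src_net) and _in(pkt.dst, dst_net):
            return action == "permit"
    return False


@dataclass(frozen=True)
class StaticNat:
    inside: str
    outside: str
    route_map_acl: Optional[Acl] = None  # None = unconditional, as in the OP's config


EXCHANGE_PUBLIC = "203.0.113.216"  # stands in for 65.X.X.216
WAN_ADDRESS = "203.0.113.6"        # stands in for FastEthernet4's 65.X.X.6


def translate(pkt: Packet, statics: list[StaticNat]) -> tuple[Packet, str]:
    """Inside-to-outside NAT: static entries are consulted before the dynamic overload."""
    for entry in statics:
        if pkt.src == entry.inside and (entry.route_map_acl is None
                                        or acl_permits(entry.route_map_acl, pkt)):
            return Packet(entry.outside, pkt.dst), "static"
    if acl_permits(NAT_LIST, pkt):
        return Packet(WAN_ADDRESS, pkt.dst), "pat"
    return pkt, "none"


def egress(pkt: Packet, statics: list[StaticNat]) -> tuple[str, str, str]:
    """What leaves the WAN: (source on the wire, NAT type, 'ipsec' or 'clear').

    NAT runs first; the crypto map encrypts only if the *translated* packet
    still matches IPSEC-LIST.
    """
    translated, how = translate(pkt, statics)
    return translated.src, how, ("ipsec" if acl_permits(IPSEC_LIST, translated) else "clear")


# The OP's original entry and the accepted answer's conditional entry.
BROKEN = [StaticNat("10.50.80.21", EXCHANGE_PUBLIC)]
FIXED = [StaticNat("10.50.80.21", EXCHANGE_PUBLIC, EXCHANGE_ACL)]

if __name__ == "__main__":
    exch_to_vpn = Packet("10.50.80.21", "192.168.189.1")
    exch_to_inet = Packet("10.50.80.21", "198.51.100.25")  # any Internet host (constructed)
    host_to_vpn = Packet("10.50.80.30", "192.168.189.1")   # another LAN host (constructed)
    for label, statics in (("broken", BROKEN), ("fixed", FIXED)):
        for pkt in (exch_to_vpn, exch_to_inet, host_to_vpn):
            print(label, pkt.src, "->", pkt.dst, egress(pkt, statics))
```

With the unconditional entry, the Exchange-to-192.168.189.1 packet reports ("203.0.113.216", "static", "clear"); with the route-map it reports ("10.50.80.21", "none", "ipsec") while Internet-bound traffic is still translated. On the router, apply the change and then `clear ip nat translation *`, since an existing translation for 10.50.80.21 keeps being used until it is cleared (the OP's EEM applets do the same on failover); afterwards `show ip nat translations` should list 10.50.80.21 only for Internet destinations, and the `#pkts encaps` counter in `show crypto ipsec sa` should rise while pinging 192.168.189.1 from the Exchange server.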

2 Replies


That was it, Neeraj.

Thanks.
