Cisco VPN Site to Site with NAT

I am having a problem trying to get this site-to-site VPN up and running. The NAT part is throwing me for a loop, as I cannot get it working. We are connecting to a Cisco Concentrator from a PIX (our side). Our internal IP address range is 192.168.1.x. We must create a VPN to the Concentrator by NATting any interesting traffic; below is the information we received from the company that is configuring the Concentrator:

Our endpoint is: 66.179.80.109
Our network is: 192.168.50.0 (255.255.255.0)

You will need to make an ACL from 172.24.105.2 to host 192.168.50.83 and 192.168.50.86
You will need to NAT interesting traffic to 172.24.105.0 255.255.255.0

I've created two ACLs exactly like those mentioned above. I've made so many changes now that my head is swimming; nothing worked. Help would be great. Below is the config I think is pertinent.

access-list 104 permit ip 172.24.105.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list 105 permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list conditional_nat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list 106 permit ip host 172.24.105.2 host 192.168.50.83 
access-list 107 permit ip host 172.24.105.2 host 192.168.50.86 
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside 70.60.232.63 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.50.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 3 172.24.105.2 netmask 255.255.255.0
nat (inside) 3 access-list conditional_nat 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.60.232.61 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle2 esp-3des esp-sha-hmac 
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 104
crypto map transam 1 set peer 66.179.80.109
crypto map transam 1 set transform-set chevelle2
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 66.179.80.109 netmask 255.255.255.255 
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

dsechristAsked:

wilsjCommented:
If I'm reading it correctly you want to NAT 192.168.1.0 to 172.25.105.0.

access-list 104 permit ip 172.24.105.0 255.255.255.0 192.168.50.0 255.255.255.0  
access-list 104_nat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

static (inside,outside) 172.24.105.0 access-list 104_nat


Also add this to your isakmp pre-shared key line:

isakmp key ******** address 66.179.80.109 netmask 255.255.255.255 no-xauth no-config-mode
wilsjCommented:
The other end will have to match this as well, so if they just allow the whole 172.24.105.0/24 network you should be good to go.
dsechristAuthor Commented:
I think that is my problem: I don't think they allow the whole 172.24.105.0/24 network. The reason I say this is because we have a configuration we used for another setup we did with the same company about a year ago, and it did allow the entire range (a different NATted range); we took that configuration and modified it to fit this network, and it doesn't work. I think they are only allowing 172.24.105.2 to come across. I had the commands above in the configuration originally, with no luck.
wilsjCommented:
OK, then simply add another two ACLs for a different host, so instead of the above try this. This will allow host 192.168.1.2 to be NATted to 172.24.105.2 (1-to-1 NAT); you can also do a many-to-1 NAT.

access-list 104 permit ip host 172.24.105.2 192.168.50.0 255.255.255.0
access-list 104_nat permit ip host 192.168.1.2 192.168.50.0 255.255.255.0

static (inside,outside) 172.24.105.2 access-list 104_nat

Many-to-1 NAT:

access-list 104 permit ip host 172.24.105.2 192.168.50.0 255.255.255.0
access-list 104_nat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

nat (inside) 1 access-list 104_nat
global (outside) 1 172.24.105.2

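The point wilsj's 1-to-1 and many-to-1 variants both rely on is the PIX order of operations: NAT is applied first, so the crypto map ACL has to describe the translated source (172.24.105.x), while the nat ACL describes the real inside source (192.168.1.x). The script below is an added example (not from the thread or from Cisco) that models that order with the thread's addresses. It assumes PIX 6.x behaviour: a `nat (inside) N access-list X` rule with a single `global (outside) N ADDR` address is many-to-one PAT and is evaluated before the catch-all `nat (inside) 1 0.0.0.0 0.0.0.0` / `global (outside) 1 interface` pair. It also checks that a crypto ACL is the mirror image of what the remote side allows, which is the condition wilsj keeps coming back to later in the thread.

```python
"""Model the PIX order of operations (policy NAT first, then the crypto map)
and confirm that the nat/global pair and crypto ACL 104 from the thread agree.

Added example, not from the thread. Assumes PIX 6.x behaviour as described
in the lead-in: policy NAT with a single global address is many-to-one PAT
and is consulted before the catch-all interface PAT.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry of a PIX access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst

    def mirrored(self) -> "Ace":
        """The entry the remote peer must hold for this one (src/dst swapped)."""
        return Ace(self.dst, self.src)


def _net(tokens: List[str]) -> Tuple[IPv4Network, List[str]]:
    """Consume 'host A.B.C.D' or 'A.B.C.D MASK' from the token list."""
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    try:
        # strict=True (the default) rejects a single address under a /24 mask,
        # the mistake of writing '172.24.105.2 255.255.255.0' for one host
        return IPv4Network((tokens[0], tokens[1])), tokens[2:]
    except ValueError as exc:
        raise ValueError(f"'{tokens[0]} {tokens[1]}' has host bits set; write "
                         f"'host {tokens[0]}' for a single address") from exc


def parse_ace(line: str) -> Tuple[str, Ace]:
    """Parse 'access-list NAME permit ip <src> <dst>' into (NAME, Ace)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported line: {line!r}")
    src, rest = _net(tok[4:])
    dst, rest = _net(rest)
    if rest:
        raise ValueError(f"trailing tokens in {line!r}: {rest}")
    return tok[1], Ace(src, dst)


@dataclass(frozen=True)
class PolicyNat:
    """'nat (inside) N access-list ACL' paired with 'global (outside) N ADDR'."""
    acl: Tuple[Ace, ...]
    mapped: IPv4Address     # a single address: PAT, which the PIX warns about


def translate(src: IPv4Address, dst: IPv4Address,
              policies: List[PolicyNat], outside_ip: IPv4Address) -> IPv4Address:
    """Source address the packet carries on the outside wire."""
    for pol in policies:                      # policy NAT is consulted first
        if any(a.matches(src, dst) for a in pol.acl):
            return pol.mapped
    return outside_ip                         # catch-all PAT to the interface


def check_flow(src: str, dst: str, policies: List[PolicyNat],
               crypto_acl: List[Ace], outside_ip: str) -> Tuple[str, bool]:
    """(translated source, would the crypto map encrypt this flow?).
    The crypto map runs after NAT, so it is matched against the translated source."""
    s, d, o = IPv4Address(src), IPv4Address(dst), IPv4Address(outside_ip)
    xlated = translate(s, d, policies, o)
    return str(xlated), any(a.matches(xlated, d) for a in crypto_acl)


def expected_remote_acl(crypto_acl: List[Ace]) -> List[Ace]:
    """Mirror image the concentrator side must configure."""
    return [a.mirrored() for a in crypto_acl]


def is_mirror(local_acl: List[Ace], remote_acl: List[Ace]) -> bool:
    """True when the two sides' interesting-traffic ACLs are exact mirrors."""
    return set(expected_remote_acl(local_acl)) == set(remote_acl)


# The thread's final configuration, as posted (constructed here as strings).
OUTSIDE_IP = "70.60.232.63"
NAT_ACL = [parse_ace("access-list 104_nat permit ip 192.168.1.0 255.255.255.0 "
                     "192.168.50.0 255.255.255.0")[1]]
POLICIES = [PolicyNat(tuple(NAT_ACL), IPv4Address("172.24.105.2"))]  # global (outside) 3
CRYPTO_104 = [parse_ace(l)[1] for l in (
    "access-list 104 permit ip host 172.24.105.2 host 192.168.50.83",
    "access-list 104 permit ip host 172.24.105.2 host 192.168.50.86")]
# What the remote company said it allows, written from its side of the tunnel.
REMOTE_ACL = [parse_ace(l)[1] for l in (
    "access-list remote permit ip host 192.168.50.83 host 172.24.105.2",
    "access-list remote permit ip host 192.168.50.86 host 172.24.105.2")]
# The asker's first attempt: whole /24 on both sides.
ORIGINAL_104 = [parse_ace("access-list 104 permit ip 172.24.105.0 255.255.255.0 "
                          "192.168.50.0 255.255.255.0")[1]]

if __name__ == "__main__":
    for dst in ("192.168.50.83", "192.168.50.90", "8.8.8.8"):
        print("192.168.1.2 ->", dst,
              check_flow("192.168.1.2", dst, POLICIES, CRYPTO_104, OUTSIDE_IP))
    print("final ACL mirrors remote:", is_mirror(CRYPTO_104, REMOTE_ACL))
    print("original ACL mirrors remote:", is_mirror(ORIGINAL_104, REMOTE_ACL))
```

Running it shows that 192.168.1.2 to 192.168.50.83 leaves the PIX as 172.24.105.2 and is encrypted, that 192.168.1.2 to 192.168.50.90 is still translated to 172.24.105.2 (the nat ACL covers the whole /24) but falls outside the crypto ACL and would go out in the clear, and that the asker's original /24-to-/24 ACL 104 is not a mirror of the two host entries the remote side allows.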
dsechristAuthor Commented:
Maybe this will help: the ISAKMP debug file.

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type I
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
ISAKMP: phase 1 packet is a duplicate of a previous packet
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
ISAKMP: phase 1 packet is a duplicate of a previous packet
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
ISAKMP: drop P2 msg on unauthenticated SA

ISAKMP (0): deleting SA: src 70.60.232.62, dst 66.179.80.109
ISADB: reaper checking SA 0xbb7c84, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 66.179.80.109/500 not found - peers:0
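The debug above is the most informative artifact in the thread, and the asker later asks what the "phase 1 packet is a duplicate" line means. The script below is an added example (not from the thread or from Cisco) that reads a capture of this shape and works out how far IKEv1 Main Mode got before the SA was deleted. `SAMPLE_DEBUG` is a constructed excerpt shaped like the posted output; the strings matched are the PIX 6.x debug lines visible above plus `SA has been authenticated`, the line a completed Main Mode prints. The interpretation in `diagnosis()` follows the standard Main Mode sequence: proposal (MM1/2), key exchange and nonces (MM3/4), then identity and hash (MM5/6).

```python
"""Triage a PIX 'debug crypto isakmp' capture: find how far IKEv1 Main Mode
got and classify the stall. Added example, not from the thread; the sample
input is a constructed excerpt in the shape of the posted debug output."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed excerpt in the shape of the thread's debug output.
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:66.179.80.109, dest:70.60.232.62 spt:
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
ISAKMP (0): Total payload length: 12
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: drop P2 msg on unauthenticated SA
ISAKMP (0): deleting SA: src 70.60.232.62, dst 66.179.80.109
"""

_ADDR = re.compile(r"src:(\d+\.\d+\.\d+\.\d+), dest:(\d+\.\d+\.\d+\.\d+)")
_ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth)\s+(.+?)\s*$")


@dataclass
class Phase1Report:
    peer: Optional[str] = None            # who sent to us
    local: Optional[str] = None           # the address the peer actually sent to
    proposal: Dict[str, str] = field(default_factory=dict)
    proposal_accepted: bool = False       # MM1/MM2 agreed
    ke_nonce_seen: bool = False           # MM3/MM4 exchanged
    id_sent: bool = False                 # our ID/HASH (MM5) was built
    authenticated: bool = False           # MM6 accepted: phase 1 done
    retransmits: int = 0                  # times we re-sent our last phase 1 packet
    duplicates: int = 0                   # times the peer repeated its last packet
    p2_on_unauth: bool = False            # peer tried Quick Mode on an unauthenticated SA
    sa_deleted: bool = False

    def diagnosis(self) -> str:
        if self.authenticated:
            return "Phase 1 completed; look at phase 2 next (crypto ACL, transform set)."
        if not self.proposal_accepted:
            return ("Phase 1 proposal rejected: align the isakmp policy (encryption, "
                    "hash, DH group, auth, lifetime) with the peer.")
        if self.id_sent and (self.retransmits or self.duplicates):
            return ("Main Mode stalled after our ID/HASH message (MM5): the peer never "
                    "answered with MM6 and kept repeating its earlier packet, so it did "
                    "not accept (or did not receive) our MM5. The proposal was accepted, "
                    "so check the pre-shared key and the peer address/identity on both "
                    f"sides, and confirm the peer sends to the address this PIX owns "
                    f"({self.local}).")
        return "Phase 1 did not complete before the SA was deleted; capture a longer debug."


def triage(debug: str) -> Phase1Report:
    """Fold the debug lines into a Phase1Report."""
    r = Phase1Report()
    for line in debug.splitlines():
        m = _ADDR.search(line)
        if m and r.peer is None:
            r.peer, r.local = m.group(1), m.group(2)
        m = _ATTR.match(line)
        if m:
            r.proposal[m.group(1)] = m.group(2)
        if "atts are acceptable" in line:
            r.proposal_accepted = True
        if "processing KE payload" in line or "processing NONCE payload" in line:
            r.ke_nonce_seen = True
        if line.startswith("ISAKMP (0): ID payload"):
            r.id_sent = True
        if "SA has been authenticated" in line:
            r.authenticated = True
        if "retransmitting phase 1" in line:
            r.retransmits += 1
        if "phase 1 packet is a duplicate" in line:
            r.duplicates += 1
        if "drop P2 msg on unauthenticated SA" in line:
            r.p2_on_unauth = True
        if "deleting SA" in line:
            r.sa_deleted = True
    return r


if __name__ == "__main__":
    rep = triage(SAMPLE_DEBUG)
    print(f"peer={rep.peer} local={rep.local} proposal={rep.proposal}")
    print(f"retransmits={rep.retransmits} duplicates={rep.duplicates} "
          f"p2_on_unauth={rep.p2_on_unauth}")
    print(rep.diagnosis())
```

Two things the report surfaces that are easy to miss when reading the raw debug: `local` is the address the peer is actually sending to, which is worth comparing with `ip address outside` on this PIX, and `p2_on_unauth` records the "drop P2 msg on unauthenticated SA" line, which here is a consequence of the phase 1 stall rather than an independent phase 2 error.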
wilsjCommented:
Can you post what you have in your config so far?

Did you add this to your isakmp pre-shared key line?

no-xauth no-config-mode
dsechristAuthor Commented:
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 104 permit ip 172.24.105.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 105 permit ip 192.168.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 104_nat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
logging on
logging console informational
mtu outside 1500
mtu inside 1500
ip address outside 70.60.232.63 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.50.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 3 172.24.105.2
nat (inside) 3 access-list 104_nat 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.60.232.61 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle2 esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 104
crypto map transam 1 set peer 66.179.80.109
crypto map transam 1 set transform-set chevelle2
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 66.179.80.109 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
wilsjCommented:
You don't need access-list 105.

Also change access-list 104:

access-list 104 permit ip host 172.24.105.2 host 192.168.50.83
access-list 104 permit ip host 172.24.105.2 host 192.168.50.86
dsechristAuthor Commented:
Okay, made those changes and now I don't get anything. Before the changes I was getting the IKE tunnel to come up.
dsechristAuthor Commented:
Sorry, I forgot to go back in and add the crypto map transam 1 match address 104, because it was removed when I deleted the ACLs. I now get the IKE tunnel to come up, but the ISAKMP logging shows the same messages as above.
wilsjCommented:
Repost your config. Did you keep the access-list 104_nat?
dsechristAuthor Commented:
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 104 permit ip host 172.24.105.2 host 192.168.50.83
access-list 104 permit ip host 172.24.105.2 host 192.168.50.86
access-list 104_nat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
global (outside) 1 interface
global (outside) 3 172.24.105.2
nat (inside) 3 access-list 104_nat 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.60.232.61 1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle2 esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 104
crypto map transam 1 set peer 66.179.80.109
crypto map transam 1 set transform-set chevelle2
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 66.179.80.109 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
wilsjCommented:
The config you have is correct; we just have to make sure they are making a mirror image of what you have on the other end.

Also, just to make sure: the set peer IP you have above, 66.179.80.109, is their VPN concentrator, correct?
dsechristAuthor Commented:
Yes, that is their VPN concentrator.
wilsjCommented:
OK, so we just have to make sure it is a mirror image of what you have, and that should do it.
dsechristAuthor Commented:
Easier said than done; I've been trying to get them to do that for 3 months now. I am curious what the "ISAKMP: phase 1 packet is a duplicate of a previous packet" message is. I've looked it up and can't find any answers to what it means.
wilsjCommented:
I think that happens when something isn't configured right, but you'll see other messages also. A couple of debugs you can run are:

deb icmp trace (use when pinging a host from your network)
deb crypto isakmp 10 (detailed phase 1/2 traffic)
dsechristAuthor Commented:
One last thing: when I add the global (outside) 3 172.24.105.2 it returns a message that says it will be Port Address Translated (PAT). Could this be an issue?
wilsjCommented:
This will not be an issue. It will allow the traffic specified.
dsechristAuthor Commented:
Thanks wilsj for all the help. The problem was on the other end; we did have to make some additional changes, but they were simple once they admitted they had made a mistake in their configuration. Again, thanks for all the help!
wilsjCommented:
Glad to help. Thanks for the points.