Asked by GBorsuk
NAT 1 to 1 nat and ipsec tunnel Cisco

We have 2 offices connected via a crypto map and everything works, except we cannot see a mail server that has one-to-one NATting from the branch office.
The mail server does 1-to-1 NAT so that its RDNS is correct.
Below are the basic configs.

Everything can see everything else, except that the 1-to-1 NAT of the external IP at the home office to 192.168.1.9 does not go down the tunnel, and from the remote office nothing can see 192.168.1.9 (from the 192.168.2.x address space).
I know it has something to do with the 1-to-1 NAT for that mail server at 192.168.1.9, but I have not been able to find out what it is I am missing.
Thanks!
Branch Office:
Building configuration...

Current configuration : 4836 bytes
!
! Last configuration change at 07:15:25 EST Thu Dec 17 2009 by admin
! NVRAM config last updated at 07:15:26 EST Thu Dec 17 2009 by admin
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username admin privilege xxxxxxxxxxxxxxx
clock timezone EST -5
clock summer-time DST recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
ip cef
ip domain name rtr1.xxxxxxx
ip name-server 4.2.2.1
ip ips po max-events 100
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-4189246428
 subject-name cn=IOS-Self-Signed-Certificate-4189246428
 revocation-check none
 rsakeypair TP-self-signed-4189246428
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address xxxxxxxx
!
!
crypto ipsec transform-set rtpset2 esp-3des esp-sha-hmac
crypto ipsec transform-set rtpset1 esp-des esp-sha-hmac
!
crypto map rtp 3 ipsec-isakmp
 set peer yyyyyyyyyyyy
 set transform-set rtpset2
 match address 113
!
!
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0
 description 5Meg Brighthouse Fiber
 bandwidth 5120
 ip address zzzzzzzzzz 255.255.255.248
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1
 no ip address
 duplex full
 speed 100
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface Vlan1
 description Aginix LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 97.66.59.89
ip http server
ip http secure-server
!
ip nat pool NAT zzzzzzzzz zzzzzzzzz netmask 255.255.255.248
ip nat inside source list 104 pool NAT overload

!
ip dns server
!
no logging trap
access-list 100 permit ip any any dscp cs3
access-list 100 permit ip any any dscp ef
access-list 100 permit ip any any tos min-delay
access-list 100 permit ip any any tos 12
access-list 101 permit tcp any any eq telnet
access-list 101 permit udp any any eq ntp
access-list 101 permit udp any eq ntp any
access-list 101 permit udp any eq netbios-ns any eq netbios-ns
access-list 101 permit udp any eq netbios-dgm any eq netbios-dgm
access-list 101 permit udp any eq netbios-ns any
access-list 101 permit udp any eq netbios-dgm any
access-list 101 permit udp any eq domain any
access-list 101 permit udp any eq snmp any
access-list 101 permit udp any any eq snmp
access-list 101 permit udp any any eq snmptrap
access-list 101 permit udp any eq tftp any
access-list 101 permit udp any any eq tftp
access-list 101 permit udp any any eq 2000
access-list 101 permit udp any eq 2000 any
access-list 101 permit tcp any any eq 2000
access-list 101 permit tcp any eq 2000 any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any eq snmp any eq snmp
access-list 101 permit udp any range 5000 32766 any
access-list 101 permit udp any any eq syslog
access-list 101 permit ip any any
access-list 104 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 130
 set ip next-hop 10.1.1.2
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 login local
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17179978
ntp server 192.5.41.209 source FastEthernet0 prefer
end

Home Office:

Building configuration...

Current configuration : 3035 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sdfsdfsdfsdf
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username admin privilege 15 secret 5 $1
archive
 log config
  hidekeys
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address zzzzzzzz
!
!
crypto ipsec transform-set rtpset1 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset2 esp-3des esp-sha-hmac
!
crypto map rtp 3 ipsec-isakmp
 set peer zzzzzzzz
 set transform-set rtpset2
 match address 113
!
!
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address fffffffff 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 ip policy route-map nonat
 speed 100
 full-duplex
 crypto map rtp
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.79.130.49
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NAT fffffffff fffffffff netmask 255.255.255.252
ip nat inside source list 104 pool NAT overload
ip nat inside source static 192.168.1.9 tt.tt.tt.tt extendable
!
access-list 101 permit tcp any any established
access-list 101 permit ip any any
access-list 101 permit udp any any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 deny   ip any any
access-list 113 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 140 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 140
 set ip next-hop 10.1.1.2
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 5 0
line aux 0
line vty 0 4
 privilege level 15
 password norton
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

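The behaviour described in the question matches the IOS order of operations on the inside-to-outside path: NAT is applied before the crypto map's match ACL is evaluated, and a static entry is used regardless of the deny lines in ACL 104 (those only gate the dynamic overload rule). So a packet from 192.168.1.9 toward 192.168.2.0/24 leaves as tt.tt.tt.tt, no longer matches crypto ACL 113, and is routed to the Internet in the clear instead of into the tunnel. The standard way to exempt VPN traffic from a static translation is to gate the static entry with a route-map. The fragment below is an added example for the home office router, not the accepted solution (which is not visible on this page) and not the asker's own config; the ACL number 150 and the route-map name STATIC-NONAT are assumed, and the keyword order after the global address should be checked against the parser of the IOS release in use.

```cisco
! Added example (not from the original post or the accepted answer).
! Home office router. Hypothetical names: ACL 150, route-map STATIC-NONAT.
!
! Traffic from the mail server to the branch LAN must not be translated;
! otherwise it leaves as tt.tt.tt.tt, fails crypto ACL 113 and bypasses
! the tunnel. All other traffic from 192.168.1.9 keeps its 1:1 NAT so
! outbound mail still sources from the address that matches its RDNS.
access-list 150 deny   ip host 192.168.1.9 192.168.2.0 0.0.0.255
access-list 150 permit ip host 192.168.1.9 any
!
! A deny in ACL 150 means "no match", which falls through to the route-map's
! implicit deny, so no translation is built for that flow.
route-map STATIC-NONAT permit 10
 match ip address 150
!
! Replace the unconditional static entry with one gated by the route-map.
no ip nat inside source static 192.168.1.9 tt.tt.tt.tt extendable
ip nat inside source static 192.168.1.9 tt.tt.tt.tt extendable route-map STATIC-NONAT
```

After the change, clear any existing entries for the host (`clear ip nat translation *`, or the specific inside address) so a stale static translation is not reused, then confirm with `show ip nat translations | include 192.168.1.9` that no translation is created for flows to 192.168.2.x, and with `show crypto ipsec sa` that the encaps counters for the 192.168.1.0/24 to 192.168.2.0/24 SA increment when 192.168.1.9 is reached from the branch. The branch side needs no change for this flow: ACL 104 there already exempts 192.168.2.0/24 to 192.168.1.0/24 from its dynamic NAT, and the branch has no static entry for the mail server.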

ASKER CERTIFIED SOLUTION
Jody Lemoine (Canada)