GBorsuk asked:
1-to-1 NAT and IPsec tunnel (Cisco)
We have two offices connected via a crypto map and everything works, except that from the branch office we cannot see a mail server that has one-to-one NAT.
The mail server is 1-to-1 NATed so that its reverse DNS is correct.
Below are the basic configs.
Everything can see everything else, except that the 1-to-1 NAT of the external IP at the home office to 192.168.1.9 does not go down the tunnel, and from the remote office (the 192.168.2.x address space) nothing can see 192.168.1.9.
I know it has something to do with the 1-to-1 NAT for that mail server at 192.168.1.9, but I have not been able to find out what I am missing.
Thanks!
Branch Office:
Building configuration...
Current configuration : 4836 bytes
!
! Last configuration change at 07:15:25 EST Thu Dec 17 2009 by admin
! NVRAM config last updated at 07:15:26 EST Thu Dec 17 2009 by admin
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username admin privilege xxxxxxxxxxxxxxx
clock timezone EST -5
clock summer-time DST recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
ip cef
ip domain name rtr1.xxxxxxx
ip name-server 4.2.2.1
ip ips po max-events 100
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-4189246428
subject-name cn=IOS-Self-Signed-Certificate-4189246428
revocation-check none
rsakeypair TP-self-signed-4189246428
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxx address xxxxxxxx
!
!
crypto ipsec transform-set rtpset2 esp-3des esp-sha-hmac
crypto ipsec transform-set rtpset1 esp-des esp-sha-hmac
!
crypto map rtp 3 ipsec-isakmp
set peer yyyyyyyyyyyy
set transform-set rtpset2
match address 113
!
!
!
interface Loopback1
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0
description 5Meg Brighthouse Fiber
bandwidth 5120
ip address zzzzzzzzzz 255.255.255.248
ip access-group 101 in
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet1
no ip address
duplex full
speed 100
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface Vlan1
description Aginix LAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
!
interface Async1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 97.66.59.89
ip http server
ip http secure-server
!
ip nat pool NAT zzzzzzzzz zzzzzzzzz netmask 255.255.255.248
ip nat inside source list 104 pool NAT overload
!
ip dns server
!
no logging trap
access-list 100 permit ip any any dscp cs3
access-list 100 permit ip any any dscp ef
access-list 100 permit ip any any tos min-delay
access-list 100 permit ip any any tos 12
access-list 101 permit tcp any any eq telnet
access-list 101 permit udp any any eq ntp
access-list 101 permit udp any eq ntp any
access-list 101 permit udp any eq netbios-ns any eq netbios-ns
access-list 101 permit udp any eq netbios-dgm any eq netbios-dgm
access-list 101 permit udp any eq netbios-ns any
access-list 101 permit udp any eq netbios-dgm any
access-list 101 permit udp any eq domain any
access-list 101 permit udp any eq snmp any
access-list 101 permit udp any any eq snmp
access-list 101 permit udp any any eq snmptrap
access-list 101 permit udp any eq tftp any
access-list 101 permit udp any any eq tftp
access-list 101 permit udp any any eq 2000
access-list 101 permit udp any eq 2000 any
access-list 101 permit tcp any any eq 2000
access-list 101 permit tcp any eq 2000 any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any eq snmp any eq snmp
access-list 101 permit udp any range 5000 32766 any
access-list 101 permit udp any any eq syslog
access-list 101 permit ip any any
access-list 104 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
match ip address 130
set ip next-hop 10.1.1.2
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
login local
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17179978
ntp server 192.5.41.209 source FastEthernet0 prefer
end
Home Office:
Building configuration...
Current configuration : 3035 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sdfsdfsdfsdf
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username admin privilege 15 secret 5 $1
archive
log config
hidekeys
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxx address zzzzzzzz
!
!
crypto ipsec transform-set rtpset1 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset2 esp-3des esp-sha-hmac
!
crypto map rtp 3 ipsec-isakmp
set peer zzzzzzzz
set transform-set rtpset2
match address 113
!
!
!
interface Loopback1
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address fffffffff 255.255.255.252
ip access-group 101 in
ip nat outside
ip virtual-reassembly
ip policy route-map nonat
speed 100
full-duplex
crypto map rtp
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.79.130.49
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NAT fffffffff fffffffff netmask 255.255.255.252
ip nat inside source list 104 pool NAT overload
ip nat inside source static 192.168.1.9 tt.tt.tt.tt extendable
!
access-list 101 permit tcp any any established
access-list 101 permit ip any any
access-list 101 permit udp any any
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip any any
access-list 113 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 140 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
match ip address 140
set ip next-hop 10.1.1.2
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
line aux 0
line vty 0 4
privilege level 15
password norton
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end
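Added example, not part of the original post or of the accepted answer. It follows from the posted home-office config and from the IOS order of operations: for a packet going inside-to-outside, NAT runs before the crypto map is consulted. The dynamic NAT is exempted for VPN traffic by the two `deny` lines in access-list 104, but `ip nat inside source static 192.168.1.9 tt.tt.tt.tt extendable` has no such exemption, so a reply from 192.168.1.9 to 192.168.2.x leaves with source tt.tt.tt.tt, no longer matches crypto ACL 113, and is forwarded in the clear toward a private address. Branch-to-server packets arrive fine (after decryption the destination 192.168.1.9 is a local address, not the global one, so the static entry is not involved), which is why only the return direction breaks. The fix below makes the static entry conditional with a route map. The ACL number 150 and the route-map name STATIC-NAT are my choices; tt.tt.tt.tt, zzzzzzzz and the subnets are the placeholders from the post. Keyword order on the `ip nat inside source static` line varies between IOS releases, so confirm it with `?` on the box before pasting.

```ios
! Home office router (added example). ACL 150 and route-map STATIC-NAT are
! assumed names; everything else is taken from the posted configuration.
!
! Do not translate the mail server when it talks to the branch LAN; translate
! it for everything else (Internet mail, so reverse DNS still matches).
access-list 150 deny   ip host 192.168.1.9 192.168.2.0 0.0.0.255
access-list 150 permit ip host 192.168.1.9 any
!
route-map STATIC-NAT permit 10
 match ip address 150
!
! Replace the unconditional 1-to-1 entry with the conditional one.
no ip nat inside source static 192.168.1.9 tt.tt.tt.tt extendable
ip nat inside source static 192.168.1.9 tt.tt.tt.tt route-map STATIC-NAT extendable
!
! Drop any translation already cached for the server so the new rule is used.
clear ip nat translation *
!
! Verification: start a connection from a 192.168.2.x host to 192.168.1.9,
! then check that both encrypt and decrypt counters on the
! 192.168.1.0/24 <-> 192.168.2.0/24 SA increase and that no entry maps
! 192.168.1.9 to tt.tt.tt.tt for a 192.168.2.x destination.
show crypto ipsec sa peer zzzzzzzz
show ip nat translations | include 192.168.1.9
```

Two further points from the posted configs. First, the `ip policy route-map nonat` / Loopback1 construction on the home office is applied to FastEthernet0/0, the outside interface, where it never sees LAN-originated packets; that loopback trick only bypasses NAT when the policy is applied with `ip policy route-map` on the inside interface (FastEthernet0/1), and if it were moved there it would cover 192.168.1.9 as well, which is an alternative to the route-mapped static entry. The branch config as pasted shows no `crypto map rtp` on FastEthernet0; since the post says the tunnel is up, that line was presumably trimmed. Second, unrelated to the tunnel but worth fixing while in there: access-list 101 on both routers ends in `permit ip any any`, so the inbound filter admits everything, both routers accept management over `transport input telnet`, and the home office has `no service password-encryption` with a vty password in the clear; SSH on the vty lines and a real inbound ACL (permitting ESP and UDP 500 from the peer, then the published mail ports to tt.tt.tt.tt) would be the usual minimum.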