NAT 1 to 1 nat and ipsec tunnel Cisco

GBorsuk asked on
We have 2 offices connected via a crypto map and everything works, except that we cannot see a mail server that has one-to-one NAT from the branch office.
The mail server does 1-to-1 NAT so that its RDNS is correct.
Below are the basic configs.

Everything can see everything else, except that the 1-to-1 NAT of the external IP at the home office to 192.168.1.9 does not go down the tunnel, and from the remote office nothing can see 192.168.1.9 (from the 192.168.2.x address space).
I know it has something to do with the 1-to-1 NAT for that mail server at 192.168.1.9, but I have not been able to find out what it is I am missing.
Thanks!
Branch Office:
Building configuration...

Current configuration : 4836 bytes
!
! Last configuration change at 07:15:25 EST Thu Dec 17 2009 by admin
! NVRAM config last updated at 07:15:26 EST Thu Dec 17 2009 by admin
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username admin privilege xxxxxxxxxxxxxxx
clock timezone EST -5
clock summer-time DST recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
ip cef
ip domain name rtr1.xxxxxxx
ip name-server 4.2.2.1
ip ips po max-events 100
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-4189246428
 subject-name cn=IOS-Self-Signed-Certificate-4189246428
 revocation-check none
 rsakeypair TP-self-signed-4189246428
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address xxxxxxxx
!
!
crypto ipsec transform-set rtpset2 esp-3des esp-sha-hmac
crypto ipsec transform-set rtpset1 esp-des esp-sha-hmac
!
crypto map rtp 3 ipsec-isakmp
 set peer yyyyyyyyyyyy
 set transform-set rtpset2
 match address 113
!
!
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0
 description 5Meg Brighthouse Fiber
 bandwidth 5120
 ip address zzzzzzzzzz 255.255.255.248
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1
 no ip address
 duplex full
 speed 100
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface Vlan1
 description Aginix LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 97.66.59.89
ip http server
ip http secure-server
!
ip nat pool NAT zzzzzzzzz zzzzzzzzz netmask 255.255.255.248
ip nat inside source list 104 pool NAT overload

!
ip dns server
!
no logging trap
access-list 100 permit ip any any dscp cs3
access-list 100 permit ip any any dscp ef
access-list 100 permit ip any any tos min-delay
access-list 100 permit ip any any tos 12
access-list 101 permit tcp any any eq telnet
access-list 101 permit udp any any eq ntp
access-list 101 permit udp any eq ntp any
access-list 101 permit udp any eq netbios-ns any eq netbios-ns
access-list 101 permit udp any eq netbios-dgm any eq netbios-dgm
access-list 101 permit udp any eq netbios-ns any
access-list 101 permit udp any eq netbios-dgm any
access-list 101 permit udp any eq domain any
access-list 101 permit udp any eq snmp any
access-list 101 permit udp any any eq snmp
access-list 101 permit udp any any eq snmptrap
access-list 101 permit udp any eq tftp any
access-list 101 permit udp any any eq tftp
access-list 101 permit udp any any eq 2000
access-list 101 permit udp any eq 2000 any
access-list 101 permit tcp any any eq 2000
access-list 101 permit tcp any eq 2000 any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any eq snmp any eq snmp
access-list 101 permit udp any range 5000 32766 any
access-list 101 permit udp any any eq syslog
access-list 101 permit ip any any
access-list 104 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 130
 set ip next-hop 10.1.1.2
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 login local
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17179978
ntp server 192.5.41.209 source FastEthernet0 prefer
end

Home Office:

Building configuration...

Current configuration : 3035 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sdfsdfsdfsdf
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username admin privilege 15 secret 5 $1
archive
 log config
  hidekeys
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address zzzzzzzz
!
!
crypto ipsec transform-set rtpset1 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset2 esp-3des esp-sha-hmac
!
crypto map rtp 3 ipsec-isakmp
 set peer zzzzzzzz
 set transform-set rtpset2
 match address 113
!
!
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address fffffffff 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 ip policy route-map nonat
 speed 100
 full-duplex
 crypto map rtp
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.79.130.49
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NAT fffffffff fffffffff netmask 255.255.255.252
ip nat inside source list 104 pool NAT overload
ip nat inside source static 192.168.1.9 tt.tt.tt.tt extendable
!
access-list 101 permit tcp any any established
access-list 101 permit ip any any
access-list 101 permit udp any any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 deny   ip any any
access-list 113 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 140 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 140
 set ip next-hop 10.1.1.2
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 5 0
line aux 0
line vty 0 4
 privilege level 15
 password norton
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end
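Added illustration, not part of the original post or its answer: a small Python model of the IOS inside-to-outside packet path on the home office router, built from access-lists 104 and 113 and the NAT statements shown above. NAT inside-to-outside runs before the crypto map's interesting-traffic check, and a static entry translates every packet from its inside host without consulting the dynamic NAT's access list, so replies from 192.168.1.9 leave as the public address and no longer match ACL 113. The public addresses (203.0.113.x) stand in for the redacted values, and `tunnel_exempt` models an assumed route-map that exempts tunnel traffic from the static entry; neither is taken from the page.

```python
import ipaddress

LAN_A = ipaddress.ip_network("192.168.1.0/24")     # home office LAN (Fa0/1)
LAN_B = ipaddress.ip_network("192.168.2.0/24")     # branch office LAN
MAIL = ipaddress.ip_address("192.168.1.9")          # statically translated host
PUBLIC_MAIL = ipaddress.ip_address("203.0.113.9")   # placeholder for tt.tt.tt.tt
POOL = ipaddress.ip_address("203.0.113.1")          # placeholder for the NAT pool


def acl104_permits(src, dst):
    """access-list 104 (dynamic overload NAT): deny LAN-to-LAN in both
    directions so tunnel traffic stays untranslated, permit LAN_A to any."""
    if (src in LAN_A and dst in LAN_B) or (src in LAN_B and dst in LAN_A):
        return False
    return src in LAN_A


def acl113_matches(src, dst):
    """access-list 113: the crypto map's interesting-traffic ACL."""
    return src in LAN_A and dst in LAN_B


def tunnel_exempt(src, dst):
    """Hypothetical route-map ACL (assumed, not from the post): do not apply
    the static entry to LAN_A -> LAN_B traffic."""
    return src in LAN_A and dst in LAN_B


def inside_to_outside(src, dst, static_exempt=lambda s, d: False):
    """Model the inside->outside order of operations: NAT first, then the
    crypto map check. Returns (source address on the wire, matches ACL 113).
    The page's config has no exemption on the static entry, so the default
    `static_exempt` never fires."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == MAIL and not static_exempt(src, dst):
        translated = PUBLIC_MAIL    # static NAT wins; ACL 104 is not consulted
    elif acl104_permits(src, dst):
        translated = POOL           # dynamic overload NAT (internet-bound)
    else:
        translated = src            # NAT exemption via the ACL 104 deny lines
    return str(translated), acl113_matches(translated, dst)
```

Run `inside_to_outside("192.168.1.9", "192.168.2.50")` to see the reply leave as the public address and miss ACL 113, and pass `tunnel_exempt` as the third argument to see the same packet stay untranslated and match.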