
NAT 1 to 1 nat and ipsec tunnel Cisco

We have 2 offices connected via a crypto map and everything works, except we cannot see a mail server that has one-to-one NAT from the branch office.
The mail server does 1 to 1 NAT so that its RDNS is correct.
Below are the basic configs.

Everything can see everything else, except that the 1 to 1 NAT of the external IP at the home office to 192.168.1.9 does not go down the tunnel, and from the remote office nothing can see 192.168.1.9 (from the 192.168.2.x address space).
I know it has something to do with the 1 to 1 NAT for that mail server at 192.168.1.9, but I have not been able to find out what it is I am missing.
Thanks!
Branch Office:
Building configuration...

Current configuration : 4836 bytes
!
! Last configuration change at 07:15:25 EST Thu Dec 17 2009 by admin
! NVRAM config last updated at 07:15:26 EST Thu Dec 17 2009 by admin
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username admin privilege xxxxxxxxxxxxxxx
clock timezone EST -5
clock summer-time DST recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
ip cef
ip domain name rtr1.xxxxxxx
ip name-server 4.2.2.1
ip ips po max-events 100
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-4189246428
 subject-name cn=IOS-Self-Signed-Certificate-4189246428
 revocation-check none
 rsakeypair TP-self-signed-4189246428
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address xxxxxxxx
!
!
crypto ipsec transform-set rtpset2 esp-3des esp-sha-hmac
crypto ipsec transform-set rtpset1 esp-des esp-sha-hmac
!
crypto map rtp 3 ipsec-isakmp
 set peer yyyyyyyyyyyy
 set transform-set rtpset2
 match address 113
!
!
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0
 description 5Meg Brighthouse Fiber
 bandwidth 5120
 ip address zzzzzzzzzz 255.255.255.248
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet1
 no ip address
 duplex full
 speed 100
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface Vlan1
 description Aginix LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 97.66.59.89
ip http server
ip http secure-server
!
ip nat pool NAT zzzzzzzzz zzzzzzzzz netmask 255.255.255.248
ip nat inside source list 104 pool NAT overload

!
ip dns server
!
no logging trap
access-list 100 permit ip any any dscp cs3
access-list 100 permit ip any any dscp ef
access-list 100 permit ip any any tos min-delay
access-list 100 permit ip any any tos 12
access-list 101 permit tcp any any eq telnet
access-list 101 permit udp any any eq ntp
access-list 101 permit udp any eq ntp any
access-list 101 permit udp any eq netbios-ns any eq netbios-ns
access-list 101 permit udp any eq netbios-dgm any eq netbios-dgm
access-list 101 permit udp any eq netbios-ns any
access-list 101 permit udp any eq netbios-dgm any
access-list 101 permit udp any eq domain any
access-list 101 permit udp any eq snmp any
access-list 101 permit udp any any eq snmp
access-list 101 permit udp any any eq snmptrap
access-list 101 permit udp any eq tftp any
access-list 101 permit udp any any eq tftp
access-list 101 permit udp any any eq 2000
access-list 101 permit udp any eq 2000 any
access-list 101 permit tcp any any eq 2000
access-list 101 permit tcp any eq 2000 any
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any eq snmp any eq snmp
access-list 101 permit udp any range 5000 32766 any
access-list 101 permit udp any any eq syslog
access-list 101 permit ip any any
access-list 104 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 130
 set ip next-hop 10.1.1.2
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 login local
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17179978
ntp server 192.5.41.209 source FastEthernet0 prefer
end

Home Office:
Building configuration...

Current configuration : 3035 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sdfsdfsdfsdf
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username admin privilege 15 secret 5 $1
archive
 log config
  hidekeys
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address zzzzzzzz
!
!
crypto ipsec transform-set rtpset1 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset2 esp-3des esp-sha-hmac
!
crypto map rtp 3 ipsec-isakmp
 set peer zzzzzzzz
 set transform-set rtpset2
 match address 113
!
!
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address fffffffff 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 ip policy route-map nonat
 speed 100
 full-duplex
 crypto map rtp
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.79.130.49
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NAT fffffffff fffffffff netmask 255.255.255.252
ip nat inside source list 104 pool NAT overload
ip nat inside source static 192.168.1.9 tt.tt.tt.tt extendable
!
access-list 101 permit tcp any any established
access-list 101 permit ip any any
access-list 101 permit udp any any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 deny   ip any any
access-list 113 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 140 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 140
 set ip next-hop 10.1.1.2
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 5 0
line aux 0
line vty 0 4
 privilege level 15
 password norton
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

Asked by GBorsuk

1 Solution
Jody Lemoine (Network Architect) commented:
This is because the hard NAT doesn't differentiate between encrypted and unencrypted traffic going out the outside interface.  Even when the traffic is going to the remote office, the translation will run, messing up the communication to this device.  There are two ways to go about fixing it.

1. Move away from old-style crypto maps and over to VTI, where the NAT on the external interface has no effect.

Remove existing crypto maps, access lists and NAT exceptions relating to the site-to-site VPN and apply the following:

Branch Office:

crypto ipsec profile VTI
 set transform-set rtpset2

interface Tunnel0
 ip unnumbered Vlan1
 ! the branch router's outside interface is FastEthernet0 in the posted config (FastEthernet0/0 is the home office interface)
 tunnel source FastEthernet0
 tunnel destination yyyyyyyyyyyy
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
 
ip route 192.168.1.0 255.255.255.0 Tunnel0

Home Office:

crypto ipsec profile VTI
 set transform-set rtpset2

interface Tunnel0
 ip unnumbered FastEthernet0/1
 tunnel source FastEthernet0/0
 tunnel destination zzzzzzzz
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
 
ip route 192.168.2.0 255.255.255.0 Tunnel0

2. Use a route-map to make the 1-to-1 NAT conditional.

ip access-list extended BypassNAT
 deny   ip host 192.168.1.9 192.168.2.0 0.0.0.255
 permit ip host 192.168.1.9 any

route-map BypassNAT permit 10
 match ip address BypassNAT

! replaces the existing "ip nat inside source static 192.168.1.9 tt.tt.tt.tt extendable" entry; remove that line first
ip nat inside source static 192.168.1.9 tt.tt.tt.tt route-map BypassNAT
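To make the order of operations behind the accepted answer concrete, here is an added Python model of the home office router's inside-to-outside path. It is not Cisco's code and not part of the thread; it only models the home office's outbound direction, takes the LAN addresses and access-list 113 / access-list 104 from the posted configs, and uses constructed stand-ins for the masked public addresses (tt.tt.tt.tt and the NAT pool). In IOS the inside-to-outside translation runs before the crypto map's match ACL is consulted, so with the static entry as posted the mail server's packets reach the crypto map with their public source address and fall outside access-list 113; with the route-map BypassNAT from option 2 the translation is skipped for branch-bound traffic and the packets match the crypto ACL again.

```python
"""Added model of the IOS inside-to-outside order of operations: NAT first,
then the crypto map's match ACL. Not Cisco's code and not from the thread.
LAN addresses and ACL 113 / ACL 104 are taken from the posted configs; the
public addresses are constructed stand-ins for the masked values."""

import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


HOME_LAN = "192.168.1.0/24"
BRANCH_LAN = "192.168.2.0/24"
MAIL_SERVER = "192.168.1.9"
MAIL_PUBLIC = "198.51.100.9"   # constructed stand-in for tt.tt.tt.tt
PAT_ADDRESS = "198.51.100.1"   # constructed stand-in for the NAT pool address


def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def crypto_acl_113(pkt: Packet) -> bool:
    """access-list 113 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"""
    return in_net(pkt.src, HOME_LAN) and in_net(pkt.dst, BRANCH_LAN)


def acl_104_permits(pkt: Packet) -> bool:
    """access-list 104 as posted: deny LAN<->LAN, then permit 192.168.1.0/24 -> any.
    Entries are evaluated top-down, first match wins."""
    if in_net(pkt.src, HOME_LAN) and in_net(pkt.dst, BRANCH_LAN):
        return False
    if in_net(pkt.src, BRANCH_LAN) and in_net(pkt.dst, HOME_LAN):
        return False
    return in_net(pkt.src, HOME_LAN)


def bypass_nat_matches(pkt: Packet) -> bool:
    """route-map BypassNAT / ip access-list extended BypassNAT from option 2:
    deny host 192.168.1.9 -> 192.168.2.0/24, permit host 192.168.1.9 -> any.
    True means the static translation is applied to this packet."""
    if pkt.src != MAIL_SERVER:
        return False
    if in_net(pkt.dst, BRANCH_LAN):
        return False          # deny entry: leave the packet untranslated
    return True               # permit entry: translate as usual


def nat_inside_to_outside(pkt: Packet, conditional_static: bool) -> Packet:
    """Inside-to-outside translation step. The static entry for the mail
    server takes precedence over the dynamic overload entry (list 104)."""
    if pkt.src == MAIL_SERVER:
        if conditional_static and not bypass_nat_matches(pkt):
            return pkt
        return Packet(MAIL_PUBLIC, pkt.dst)
    if acl_104_permits(pkt):
        return Packet(PAT_ADDRESS, pkt.dst)
    return pkt


def forward(pkt: Packet, conditional_static: bool = False) -> Tuple[str, Packet]:
    """Return ('tunnel' or 'clear', packet as seen by the crypto map).
    NAT runs first; only then is the crypto map's match ACL consulted, so the
    crypto ACL sees the post-translation source address."""
    translated = nat_inside_to_outside(pkt, conditional_static)
    if crypto_acl_113(translated):
        return ("tunnel", translated)
    return ("clear", translated)


if __name__ == "__main__":
    to_branch = Packet(MAIL_SERVER, "192.168.2.50")
    to_internet = Packet(MAIL_SERVER, "203.0.113.7")   # constructed external host
    print("static NAT as posted:    ", forward(to_branch))
    print("with route-map BypassNAT:", forward(to_branch, conditional_static=True))
    print("mail to the Internet:    ", forward(to_internet, conditional_static=True))
```

The unconditional case reproduces the symptom in the question: the packet to 192.168.2.50 leaves with source 198.51.100.9, misses access-list 113 and goes out in the clear toward the default route, while other hosts on 192.168.1.0/24 (which list 104 denies for branch traffic) stay untranslated and are tunnelled. With the route-map in place the mail server behaves like those hosts for branch-bound traffic and is still translated toward the Internet, which is what keeps its RDNS correct.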
