Need to NAT ONLY VPN destined Traffic

Scenario
I have a Cisco 2811 router with a VPN tunnel to a remote customer. This customer requires that I NAT our internal traffic to 10.255.255.0/255.255.255.128 and pass it through the tunnel. I have set up an access-list of 60+ hosts on the remote side that we are allowed to access (servers). I don't want all IP traffic NATed, for I have another VPN tunnel that is set up with our internal static IP.
I can send configs and specs . . . Please help!
Asked by: smartini67

smartini67 (Author) commented:
I just need someone to review my routing.
Faruk Onder Yerli commented:
Dear Friends;

Could you please send your config and tell us what you did?
smartini67 (Author) commented:
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel toXXX.XXX.XXX.XXX
 set peer XXX.XXX.XXX.XXX
 set transform-set StE
 match address StEACL
 reverse-route


ip nat pool StE 10.255.255.1 10.255.255.127 netmask 255.255.255.128
ip nat inside source route-map SDM_RMAP_9 pool StE

ip access-list extended StEACL
 remark SDM_ACL Category=6
 deny   ip host YYY.YYY.YYY.YYY 163.246.0.0 0.0.255.255
 deny   ip any host 10.142.192.105 log
 deny   ip any host 10.142.192.104 log
 deny   ip any host 10.142.1.102 log
 deny   ip any host 10.145.190.7 log
 deny   ip any host 172.31.253.76
 deny   ip any host 72.31.252.131
 deny   ip any host 172.31.252.130
 deny   ip any host 172.31.246.59
 permit ip any host 10.145.190.7 log
 permit ip any host 10.142.1.102 log
 permit ip any host 10.142.192.104 log
 permit ip any host 10.142.192.105 log

route-map SDM_RMAP_9 permit 1
 match ip address StEACL

** edited by modus_in_rebus : masked some ips **
Faruk Onder Yerli commented:
What you sent me is not enough to understand the NAT operation. Also, such a config cannot work.

We need to define your request clearly:

- What is your local IP address range?
- What is the remote IP address range?
- What is the router's internal network interface IP address?

As I understood, you want to send your local network to the tunnel with NAT. There are two NAT options:
   1. Dynamic NAT. All local network hosts will access the tunnel with the same IP address or pool. But a pool is not obligatory.
   2. Static NAT. Tunnel users want access to a LAN server or user. In this case you need to use static NAT for each host.

Please define the topics above.

Thanks ...
smartini67 (Author) commented:
Local IP address range is currently 192.168.1.x /24 . . . we need to NAT that for this tunnel to 10.255.255.1/25

We do not have a remote IP address range, just a list of 60 hosts . . . the main one is 10.145.190.7 (Citrix server)

Router internal network interface IP is 192.168.1.1
smartini67 (Author) commented:
I am receiving a message in the log when the tunnel test fails:

Nov 12 21:11:14.467: ISAKMP:(1067): processing NOTIFY INVALID_ID_INFO protocol
1
        spi 0, message ID = -330555943, sa = 4442FD28
*Nov 12 21:11:14.467: ISAKMP:(1067):peer does not do paranoid keepalives.

*Nov 12 21:11:14.467: ISAKMP:(1067):deleting SA reason "Recevied fatal informati
onal" state (I) QM_IDLE       (peer 205.132.83.2)
*Nov 12 21:11:14.467: ISAKMP:(1067):deleting node -330555943 error FALSE reason
"Informational (in) state 1"
Faruk Onder Yerli commented:
Did you put the interface ip nat commands? Is there any more NAT inside the router?

In the local network:
ip nat inside

In the crypto network:
ip nat outside
smartini67 (Author) commented:
Yes I have :

interface FastEthernet0/0
 description $ETH-WAN$
 ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.252 secondary
 ip address AAA.AAA.AAA.AAA 255.255.255.240
 ip access-group 104 out
 ip nat outside
 ip virtual-reassembly
 duplex full

interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$
 ip address 192.168.13.1 255.255.255.0 secondary
 ip address 10.255.255.1 255.255.255.128 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 no mop enabled

** edited by modus_in_rebus : masked some ips **
Faruk Onder Yerli commented:
Could you please tell me about ACL 104?
smartini67 (Author) commented:
access-list 104 remark SDM_ACL Category=16
access-list 104 permit tcp host BBB.BBB.BBB.BBB any eq smtp log
access-list 104 permit tcp host CCC.CCC.CCC.CCC any eq smtp log
access-list 104 permit tcp host 192.168.1.160 any eq smtp log
access-list 104 permit tcp host 192.168.1.162 any eq smtp log
access-list 104 permit tcp host 192.168.1.91 any eq smtp log
access-list 104 permit tcp host 192.168.1.176 any eq smtp log
access-list 104 permit tcp host 192.168.1.188 any eq smtp log
access-list 104 deny   tcp host 192.168.1.119 any eq smtp log
access-list 104 permit ip any any log
access-list 104 permit tcp any any log
access-list 104 permit udp any any eq domain
access-list 104 remark SDM_ACL Category=16
access-list 104 remark SDM_ACL Category=16

** edited by modus_in_rebus : masked some ips **
Faruk Onder Yerli commented:
Dear Friend;

access-list 104 permit tcp host BBB.BBB.BBB.BBB any eq smtp log
access-list 104 permit tcp host CCC.CCC.CCC.CCC any eq smtp log

From the list above I understood that you have different NAT operations in this router too. You need to check the NAT order. If you send the whole configuration I may help.

Before sending the config, you should know the steps below about NAT and IPsec.

If you are using NAT and IPsec together:
     -   the IPsec output order on the interface is IP routing -> NAT -> IPsec encrypt -> interface out
     -   the IPsec input order on the interface is interface in -> IPsec decrypt -> PAT -> IP routing

Most probably a different NAT is being used before the necessary one. We can only analyze it if we can see the whole picture of the config.

Thanks ...

** edited by modus_in_rebus : masked some ips **
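Added example, not code from the thread or from either participant: a small Python model of the order Faruk describes (routing, then NAT, then the crypto-map match) applied to the StEACL and route-map posted earlier. It assumes Cisco's first-match ACL semantics with an implicit deny at the end; the packet addresses are constructed, and the NAT_ACL_FIXED / CRYPTO_ACL_FIXED split is my suggestion, not a fix stated in the thread.

```python
"""Added example, not from the thread: models IOS inside->outside handling of the
StEACL / SDM_RMAP_9 config posted above. Cisco ACLs are first-match with an
implicit deny, and NAT runs before the crypto-map match, as Faruk describes."""
import ipaddress

ANY = "0.0.0.0/0"
NAT_POOL_FIRST = "10.255.255.1"   # first address of 'ip nat pool StE'

# StEACL as posted (the masked YYY line omitted): (action, source, destination)
STE_ACL = [("deny", ANY, h) for h in (
    "10.142.192.105", "10.142.192.104", "10.142.1.102", "10.145.190.7",
    "172.31.253.76", "72.31.252.131", "172.31.252.130", "172.31.246.59")]
STE_ACL += [("permit", ANY, h) for h in (
    "10.145.190.7", "10.142.1.102", "10.142.192.104", "10.142.192.105")]

def acl_lookup(acl, src, dst):
    """First-match lookup; returns the matching entry or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if s in ipaddress.ip_network(entry[1]) and d in ipaddress.ip_network(entry[2]):
            return entry
    return None

def permits(acl, src, dst):
    entry = acl_lookup(acl, src, dst)
    return entry is not None and entry[0] == "permit"

def shadowed_permits(acl):
    """Permit entries no packet can reach because an earlier deny covers them."""
    shadowed = []
    for entry in acl:
        if entry[0] != "permit":
            continue
        probe = [str(ipaddress.ip_network(n).network_address) for n in entry[1:]]
        if acl_lookup(acl, *probe)[0] == "deny":
            shadowed.append(entry)
    return shadowed

def outbound(src, dst, nat_acl, crypto_acl):
    """Inside->outside: route-map NAT first, then the crypto map sees the
    post-NAT packet. Returns (source address on the wire, encrypted?)."""
    if permits(nat_acl, src, dst):
        src = NAT_POOL_FIRST      # dynamic pool; first address used for illustration
    return src, permits(crypto_acl, src, dst)

# Suggested split (mine, not from the thread): the NAT ACL matches the real LAN,
# the crypto ACL matches the translated source the peer expects to see.
REMOTE_HOSTS = ["10.145.190.7", "10.142.1.102", "10.142.192.104", "10.142.192.105"]
NAT_ACL_FIXED = [("permit", "192.168.1.0/24", h) for h in REMOTE_HOSTS]
CRYPTO_ACL_FIXED = [("permit", "10.255.255.0/25", h) for h in REMOTE_HOSTS]

if __name__ == "__main__":   # constructed sample packet: LAN host -> Citrix server
    print("shadowed permits in StEACL:", len(shadowed_permits(STE_ACL)))
    print("as posted:", outbound("192.168.1.50", "10.145.190.7", STE_ACL, STE_ACL))
    print("corrected:", outbound("192.168.1.50", "10.145.190.7", NAT_ACL_FIXED, CRYPTO_ACL_FIXED))
```

With the posted ACL every permit is shadowed by an earlier deny for the same host, so nothing is NATed and nothing is ever "interesting" to the crypto map; with the split ACLs, traffic to the listed hosts is translated and matched, while traffic to other destinations leaves untranslated.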
smartini67 (Author) commented:
File is attached: SDMConfig-111510.txt
Thank you
smartini67 (Author) commented:
I am sure this is a bit confusing as we have attempted about 1000 things. Basically the 205.132.83.2 peer needs to have our internal IP of 192.168.1.x changed to 10.255.255.0/25 . . . and there is a list of 60 hosts that need to be in an access-list on his side . . . 10.145.190.7 is the primary example.

We will also be setting up a VPN with another customer who requires we change our internal IP to 192.168.13.0/24 and THEY also have a list of hosts to access.

Fun!
Faruk Onder Yerli commented:
Hello;

In this configuration you have a mistake in the line below:

ip nat outside source route-map SDM_RMAP_11 pool StE

It needs to be:
ip nat inside source route-map SDM_RMAP_11 pool StE

Because the server is remote. Communication will start from LAN to WAN.
smartini67 (Author) commented:
Thanks
Here is my new config . . . did some cleanup but added all the remote servers to the access-list.
Still no luck with getting the tunnel up.

** edited by modus_in_rebus : masked some ips **
SDMConfig1115-417EDIT.txt
Faruk Onder Yerli commented:
OK, now we may concentrate on the crypto commands.

Could you please send me the output of the "show crypto session" command.
smartini67 (Author) commented:
blscisco#  show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 205.132.83.2 port 500
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.72.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.6.97
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.38.62
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.102
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.108.14
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 0.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.140
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.204
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.116.23
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.205
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.148
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.12.157
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.101.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.185
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.12
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.197
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.182.14
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.6
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.7
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.11
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.16
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.17
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.18
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.19
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.22
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.23
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.182.31
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.27
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.28
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.39
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.29
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.30
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.41
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.33
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.36
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.44
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.45
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.46
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.47
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.50
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.51
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.53
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.54
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.55
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.56
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.150.6.245
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.66
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.66
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.67
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.67
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.68
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.68
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.73
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.73
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.74
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.74
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.20
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.28
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.32
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.192.104
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.116
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.192.105
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.15.29
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.151
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.152
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 163.246.8.65 port 500
  IKE SA: local 66.42.147.210/500 remote 163.246.8.65/500 Active
  IPSEC FLOW: permit ip host 69.61.160.182 163.246.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
Faruk Onder Yerli commented:
May I have the output of the command below too?
show crypto isakmp sa
smartini67 (Author) commented:
blscisco#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
66.42.147.210   163.246.8.65    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
Faruk Onder Yerli commented:
I see that Phase 1 is not working now. You need to compare with your remote peer configuration that both of them have the same settings (password, transport type, policy).

After Phase 1 activation it will most probably work normally.
smartini67 (Author) commented:
We have been over it and over it . . . it is all correct. We get Phase 1 if I put a permit between 66.42.147.210 and 205.132.83.2 . . . but this is not correct...
Faruk Onder Yerli commented:
Crypto always uses the first IP address. Because of that you cannot use a secondary IP address for IPsec. If you need to use the second one, you have to put in another interface.
smartini67 (Author) commented:
66.42.147.210 is my first IP address. What I was referring to was adding a PERMIT statement to the ACL from 66.42.147.210 to 205.132.83.2.
Faruk Onder Yerli commented:
I couldn't understand, sorry!
smartini67 (Author) commented:
I think that I do not get Phase 1 because there is no INTERESTING traffic . . . The remote side is an ASA and they say I need interesting traffic . . . I don't feel that the attempts to connect to the servers in the remote ACL are getting NATed correctly, if at all.

Is there anything you can have me try?
smartini67 (Author) commented:
I realize troubleshooting Cisco connectivity this way is difficult unless there is an obvious issue. I will ask another way as I learn more.