smartini67 (ASKER) asked:

Need to NAT ONLY VPN destined Traffic

Scenario
I have a Cisco 2811 router with a VPN tunnel to a remote customer. This customer requires that I NAT our internal traffic to 10.255.255.0/255.255.255.128 and pass it through the tunnel. I have set up an access-list of 60+ hosts on the remote side that we are allowed access to (servers). I don't want all IP traffic NATed, as I have another VPN tunnel that is set up with our internal static IP.
I can send configs and specs . . . Please help!
Topics: Routers, Internet Protocol Security

smartini67 (ASKER):
I just need someone to review my routing.
Faruk Onder Yerli:
Dear Friends;

Could you please send your config and what you did?
smartini67 (ASKER):
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel toXXX.XXX.XXX.XXX
 set peer XXX.XXX.XXX.XXX
 set transform-set StE
 match address StEACL
 reverse-route


ip nat pool StE 10.255.255.1 10.255.255.127 netmask 255.255.255.128
ip nat inside source route-map SDM_RMAP_9 pool StE

ip access-list extended StEACL
 remark SDM_ACL Category=6
 deny   ip host YYY.YYY.YYY.YYY 163.246.0.0 0.0.255.255
 deny   ip any host 10.142.192.105 log
 deny   ip any host 10.142.192.104 log
 deny   ip any host 10.142.1.102 log
 deny   ip any host 10.145.190.7 log
 deny   ip any host 172.31.253.76
 deny   ip any host 72.31.252.131
 deny   ip any host 172.31.252.130
 deny   ip any host 172.31.246.59
 permit ip any host 10.145.190.7 log
 permit ip any host 10.142.1.102 log
 permit ip any host 10.142.192.104 log
 permit ip any host 10.142.192.105 log

route-map SDM_RMAP_9 permit 1
 match ip address StEACL

** edited by modus_in_rebus : masked some ips **
Faruk Onder Yerli:
What you sent me is not enough to understand the NAT operation. Also, such a config cannot work.

We need to define your request clearly:

- What is your local IP address range?
- What is the remote IP address range?
- What is the router's internal network interface IP address?

As I understood, you want to send your local network to the tunnel with NAT. There are two NAT options:
   1. Dynamic NAT: all of the local network will access the tunnel with the same IP address or a pool. But a pool is not obligatory.
   2. Static NAT: a tunnel user wants access to a LAN server or user. In this case you need to use static NAT for each host.

Please define the topics above.

Thanks ...
smartini67 (ASKER):
Local IP address range is currently 192.168.1.x /24 . . . we need to NAT that for this tunnel to 10.255.255.1/25

We do not have a remote IP address range, just a list of 60 hosts . . . the main one is 10.145.190.7 (Citrix server)

Router internal network interface IP is 192.168.1.1
smartini67 (ASKER):
I am receiving a message in the log when the tunnel test fails:

Nov 12 21:11:14.467: ISAKMP:(1067): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = -330555943, sa = 4442FD28
*Nov 12 21:11:14.467: ISAKMP:(1067):peer does not do paranoid keepalives.

*Nov 12 21:11:14.467: ISAKMP:(1067):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 205.132.83.2)
*Nov 12 21:11:14.467: ISAKMP:(1067):deleting node -330555943 error FALSE reason "Informational (in) state 1"
Faruk Onder Yerli:
Did you put the interface ip nat commands? Is there any more NAT inside the router?

In the local network:
ip nat inside

In the crypto network:
ip nat outside
smartini67 (ASKER):
Yes I have :

interface FastEthernet0/0
 description $ETH-WAN$
 ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.252 secondary
 ip address AAA.AAA.AAA.AAA 255.255.255.240
 ip access-group 104 out
 ip nat outside
 ip virtual-reassembly
 duplex full

interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$
 ip address 192.168.13.1 255.255.255.0 secondary
 ip address 10.255.255.1 255.255.255.128 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 no mop enabled

** edited by modus_in_rebus : masked some ips **
Faruk Onder Yerli:
Could you please tell me about ACL 104?
smartini67 (ASKER):
access-list 104 remark SDM_ACL Category=16
access-list 104 permit tcp host BBB.BBB.BBB.BBB any eq smtp log
access-list 104 permit tcp host CCC.CCC.CCC.CCC any eq smtp log
access-list 104 permit tcp host 192.168.1.160 any eq smtp log
access-list 104 permit tcp host 192.168.1.162 any eq smtp log
access-list 104 permit tcp host 192.168.1.91 any eq smtp log
access-list 104 permit tcp host 192.168.1.176 any eq smtp log
access-list 104 permit tcp host 192.168.1.188 any eq smtp log
access-list 104 deny   tcp host 192.168.1.119 any eq smtp log
access-list 104 permit ip any any log
access-list 104 permit tcp any any log
access-list 104 permit udp any any eq domain
access-list 104 remark SDM_ACL Category=16
access-list 104 remark SDM_ACL Category=16

** edited by modus_in_rebus : masked some ips **
Faruk Onder Yerli:
Dear Friend;

access-list 104 permit tcp host BBB.BBB.BBB.BBB any eq smtp log
access-list 104 permit tcp host CCC.CCC.CCC.CCC any eq smtp log

I understood from the list above that you have different NAT operations in this router too. You need to check the NAT order. If you send all of the configuration I may help.

Before sending the config, you may want to know the steps below about NAT and IPsec.

If you are using NAT and IPsec together,
     -   the interface output order for IPsec is IP routing -> NAT -> encrypt IPsec -> interface out
     -   the interface input order for IPsec is interface in -> decrypt IPsec -> PAT -> IP routing

Most probably you are using a different NAT before the necessary one. We can only analyze it if we can see the whole picture of the config.

Thanks ...

** edited by modus_in_rebus : masked some ips **
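The order of operations described above (routing, then NAT, then the crypto-map match) is why the route-map ACL and the crypto ACL should not be the same list: the NAT list sees 192.168.1.x sources, while the crypto list sees the translated 10.255.255.x sources. The following is an added illustration, not code from the thread or from Cisco: it models first-match ACL evaluation in Python and runs the posted StEACL (deny before permit for the same host) against a pair of separated lists. The client 192.168.1.50 and the pool address 10.255.255.5 are constructed values, and which list the customer's ASA actually expects still has to be agreed with the remote side.

```python
import ipaddress

# Models the outbound order of operations from the thread (routing, then NAT,
# then the crypto-map match) with first-match ACLs and an implicit final deny.
# ACE syntax handled: 'permit|deny ip <addr> <addr>', where <addr> is 'any',
# 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcard masks only).

def _addr(toks):
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    prefix = 32 - int(ipaddress.ip_address(toks[1])).bit_length()
    return ipaddress.ip_network(f"{toks[0]}/{prefix}", strict=False), toks[2:]

def acl_lookup(acl, src, dst):
    """First-match evaluation; anything that reaches the end is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        toks = ace.split()
        action, toks = toks[0], toks[2:]          # drop the 'ip' keyword
        s, toks = _addr(toks)
        d, _ = _addr(toks)
        if src in s and dst in d:
            return action
    return "deny"

def outbound(src, dst, nat_acl, crypto_acl, pool_ip):
    """Policy NAT via route-map (nat_acl) first, then the crypto ACL sees the
    translated source. Returns (source address on the wire, encrypted?)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = pool_ip                             # address taken from the pool
    return src, acl_lookup(crypto_acl, src, dst) == "permit"

# The StEACL posted above, reduced to one remote host: the deny shadows the permit.
ASKER_ACL = ["deny ip any host 10.145.190.7", "permit ip any host 10.145.190.7"]
# Two separate lists: the NAT list matches untranslated 192.168.1.0/24 sources,
# the crypto list matches the 10.255.255.0/25 pool the customer expects.
NAT_ACL = ["permit ip 192.168.1.0 0.0.0.255 host 10.145.190.7"]
CRYPTO_ACL = ["permit ip 10.255.255.0 0.0.0.127 host 10.145.190.7"]
POOL_IP = "10.255.255.5"    # constructed: one address out of the StE pool

def asker_case():
    # Same list used for both NAT and crypto: denied, so no NAT and no IPsec.
    return outbound("192.168.1.50", "10.145.190.7", ASKER_ACL, ASKER_ACL, POOL_IP)

def split_case():
    # Separate lists: translated to the pool, then matched by the crypto ACL.
    return outbound("192.168.1.50", "10.145.190.7", NAT_ACL, CRYPTO_ACL, POOL_IP)

def other_tunnel_case():
    # Traffic for the other customer (163.246.0.0/16) is left untranslated.
    return outbound("192.168.1.50", "163.246.8.65", NAT_ACL, CRYPTO_ACL, POOL_IP)
```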
smartini67 (ASKER):
File is attached: SDMConfig-111510.txt
Thank you.
smartini67 (ASKER):
I am sure this is a bit confusing as we have attempted about 1000 things. Basically the 205.132.83.2 peer needs to have our internal IP of 192.168.1.x changed to 10.255.255.0/25 . . . and there is a list of 60 hosts that need to be in an access-list on his side . . . 10.145.190.7 is the primary example.

We will also be setting up a VPN with another customer who requires we change our internal IP to 192.168.13.0/24 and THEY also have a list of hosts to access.

Fun!
Faruk Onder Yerli:
Hello,

In this configuration you have a mistake in the line below:

ip nat outside source route-map SDM_RMAP_11 pool StE

It needs to be:
ip nat inside source route-map SDM_RMAP_11 pool StE

Because the server is remote, communication will start from LAN to WAN.
smartini67 (ASKER):
Thanks.
Here is my new config . . . did some cleanup but added all the remote servers to the access-list.
Still no luck with getting the tunnel up.

** edited by modus_in_rebus : masked some ips **
SDMConfig1115-417EDIT.txt
Faruk Onder Yerli:
OK, now we may concentrate on the crypto commands.

Could you please send me the output of the "show crypto session" command?
smartini67 (ASKER):
blscisco#  show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 205.132.83.2 port 500
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.72.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.6.97
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.38.62
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.102
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.108.14
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 0.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.140
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.204
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.116.23
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.205
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.148
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.12.157
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.101.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.185
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.12
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.197
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.182.14
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.6
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.7
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.11
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.16
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.17
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.18
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.19
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.22
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.23
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.182.31
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.27
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.28
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.39
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.29
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.30
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.41
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.33
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.36
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.44
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.45
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.46
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.47
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.50
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.51
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.53
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.54
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.55
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.56
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.150.6.245
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.66
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.66
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.67
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.67
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.68
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.68
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.73
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.73
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.74
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.74
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.20
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.28
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.32
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.192.104
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.116
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.192.105
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.15.29
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.151
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.152
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 163.246.8.65 port 500
  IKE SA: local 66.42.147.210/500 remote 163.246.8.65/500 Active
  IPSEC FLOW: permit ip host 69.61.160.182 163.246.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
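Every flow shown for the 205.132.83.2 peer above is proposed with source 0.0.0.0/0.0.0.0 (any), while the customer asked for 10.255.255.0/25 as the source; a peer that rejects those proxy identities answers with the INVALID_ID_INFO notify seen in the earlier log. As an added illustration, not code from the thread, here is a small parser for this "show crypto session" format that lists peers stuck with no active SA and the destinations proposed with an "any" source. It runs on a constructed excerpt in the same format (two of the peers, a few of the flows), not on the full output.

```python
# Constructed excerpt in the format of the 'show crypto session' output above
# (two of the peers, a handful of the flows); not the full output from the thread.
SAMPLE = """\
Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 205.132.83.2 port 500
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.7
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.102
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 163.246.8.65 port 500
  IKE SA: local 66.42.147.210/500 remote 163.246.8.65/500 Active
  IPSEC FLOW: permit ip host 69.61.160.182 163.246.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
"""

def _endpoint(toks):
    """'host A.B.C.D' or 'NET/MASK' -> 'NET/MASK' plus the remaining tokens."""
    if toks[0] == "host":
        return toks[1] + "/255.255.255.255", toks[2:]
    return toks[0], toks[1:]

def parse_sessions(text):
    """Return {peer: {'status': ..., 'flows': [[src, dst, active_sas], ...]}}."""
    sessions, status, cur, flow = {}, None, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Session status:"):
            status = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur = sessions.setdefault(line.split()[1], {"status": status, "flows": []})
        elif line.startswith("IPSEC FLOW: permit ip"):
            src, rest = _endpoint(line.split()[4:])
            dst, _ = _endpoint(rest)
            flow = [src, dst, 0]
            cur["flows"].append(flow)
        elif line.startswith("Active SAs:"):
            flow[2] = int(line.split()[2].rstrip(","))   # count follows its flow line
    return sessions

def negotiating_peers(sessions):
    """Peers that are not UP-ACTIVE and have no active SA on any flow."""
    return sorted(p for p, s in sessions.items()
                  if s["status"] != "UP-ACTIVE" and all(f[2] == 0 for f in s["flows"]))

def any_source_flows(sessions, peer):
    """Destinations whose flow is proposed with source 'any' instead of the
    10.255.255.0/25 pool the remote side expects."""
    return [dst for src, dst, _ in sessions[peer]["flows"] if src == "0.0.0.0/0.0.0.0"]
```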
Faruk Onder Yerli:
May I have the output of the command below too?
show crypto isakmp sa

smartini67 (ASKER):
blscisco#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
66.42.147.210   163.246.8.65    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
Faruk Onder Yerli:
I see that Phase 1 is not working now. You need to compare with your remote peer's configuration that both of them have the same settings (password, transport type, policy).

After Phase 1 activation it will most probably work normally.
smartini67 (ASKER):
We have been over it and over it . . .  it is all correct. We get Phase 1 if I put a permit between 66.42.147.210 and 205.132.83.2 . . .but this is not correct...
Faruk Onder Yerli:
Crypto always uses the first IP address; because of that you cannot use a secondary IP address for IPsec. If you need to use the second one, you have to put in another interface.
smartini67 (ASKER):
66.42.147.210 is my first IP address. What I was referring to was adding a PERMIT statement to the ACL of 66.42.147.210 to 205.132.83.2.
ASKER CERTIFIED SOLUTION (Faruk Onder Yerli)
smartini67 (ASKER):
I think that I do not get Phase 1 because there is no INTERESTING traffic . . . The remote side is an ASA and they say I need interesting traffic . . . I don't feel that the attempts to connect to the servers in the remote ACL are getting NATed correctly, if at all.

Is there anything you can have me try?
smartini67 (ASKER):
I realize troubleshooting Cisco connectivity this way is difficult unless there is an obvious issue. Will ask another way as I learn more.