Need to NAT ONLY VPN destined Traffic

Posted on 2010-11-11
Last Modified: 2012-05-10
Scenario
I have a Cisco 2811 router with a VPN tunnel to a remote customer. This customer requires I NAT our internal traffic to 10.255.255.0/255.255.255.128 and pass it through the tunnel. I have set up an access-list of 60+ hosts on the remote side that we are allowed access to (servers). I don't want all IP traffic NATed, for I have another VPN tunnel that is set up with our internal static IP.
I can send configs and specs . . . Please help!
Question by:smartini67
26 Comments
 

Author Comment

by:smartini67
ID: 34116881
I just need someone to review my routing.
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 34118617
Dear Friends;

Could you please send your config, showing what you did?
0
 

Author Comment

by:smartini67
ID: 34123177
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel toXXX.XXX.XXX.XXX
 set peer XXX.XXX.XXX.XXX
 set transform-set StE
 match address StEACL
 reverse-route


ip nat pool StE 10.255.255.1 10.255.255.127 netmask 255.255.255.128
ip nat inside source route-map SDM_RMAP_9 pool StE

ip access-list extended StEACL
 remark SDM_ACL Category=6
 deny   ip host YYY.YYY.YYY.YYY 163.246.0.0 0.0.255.255
 deny   ip any host 10.142.192.105 log
 deny   ip any host 10.142.192.104 log
 deny   ip any host 10.142.1.102 log
 deny   ip any host 10.145.190.7 log
 deny   ip any host 172.31.253.76
 deny   ip any host 72.31.252.131
 deny   ip any host 172.31.252.130
 deny   ip any host 172.31.246.59
 permit ip any host 10.145.190.7 log
 permit ip any host 10.142.1.102 log
 permit ip any host 10.142.192.104 log
 permit ip any host 10.142.192.105 log

route-map SDM_RMAP_9 permit 1
 match ip address StEACL

** edited by modus_in_rebus : masked some ips **
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 34123325
What you sent me is not enough to understand the NAT operation. Also, such a config cannot work.

We need to define your request clearly:

- What is your local IP address range?
- What is the remote IP address range?
- What is the router's internal network interface IP address?

As I understood, you want to send your local network to the tunnel with NAT. There are two NAT options:
   1. Dynamic NAT. All of the local network will access the tunnel with the same IP address or pool. But a pool is not obligatory.
   2. Static NAT. A tunnel user wants access to a LAN server or user. In this case you need to use static NAT for each host.

Please define the topics above.

Thanks ...
0
 

Author Comment

by:smartini67
ID: 34123577
Local IP Address range is currently 192.168.1.x /24 . . . we need to NAT that for this tunnel to 10.255.255.1/25

We do not have a remote IP address range, just a list of 60 hosts . . . the main one is 10.145.190.7 (Citrix server)

Router internal network interface Ip is 192.168.1.1
0
 

Author Comment

by:smartini67
ID: 34124562
I am receiving a message in the log when the tunnel test fails:

Nov 12 21:11:14.467: ISAKMP:(1067): processing NOTIFY INVALID_ID_INFO protocol
1
        spi 0, message ID = -330555943, sa = 4442FD28
*Nov 12 21:11:14.467: ISAKMP:(1067):peer does not do paranoid keepalives.

*Nov 12 21:11:14.467: ISAKMP:(1067):deleting SA reason "Recevied fatal informati
onal" state (I) QM_IDLE       (peer 205.132.83.2)
*Nov 12 21:11:14.467: ISAKMP:(1067):deleting node -330555943 error FALSE reason
"Informational (in) state 1"
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 34124592
Did you put the interface ip nat commands? Is there any more NAT inside the router?
 
in local network
ip nat inside

in crypto network
ip nat outside
0
 

Author Comment

by:smartini67
ID: 34137230
Yes I have :

interface FastEthernet0/0
 description $ETH-WAN$
 ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.252 secondary
 ip address AAA.AAA.AAA.AAA 255.255.255.240
 ip access-group 104 out
 ip nat outside
 ip virtual-reassembly
 duplex full

interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$
 ip address 192.168.13.1 255.255.255.0 secondary
 ip address 10.255.255.1 255.255.255.128 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 no mop enabled

** edited by modus_in_rebus : masked some ips **
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 34137341
Could you please tell me about ACL 104?
0
 

Author Comment

by:smartini67
ID: 34137366
access-list 104 remark SDM_ACL Category=16
access-list 104 permit tcp host BBB.BBB.BBB.BBB any eq smtp log
access-list 104 permit tcp host CCC.CCC.CCC.CCC any eq smtp log
access-list 104 permit tcp host 192.168.1.160 any eq smtp log
access-list 104 permit tcp host 192.168.1.162 any eq smtp log
access-list 104 permit tcp host 192.168.1.91 any eq smtp log
access-list 104 permit tcp host 192.168.1.176 any eq smtp log
access-list 104 permit tcp host 192.168.1.188 any eq smtp log
access-list 104 deny   tcp host 192.168.1.119 any eq smtp log
access-list 104 permit ip any any log
access-list 104 permit tcp any any log
access-list 104 permit udp any any eq domain
access-list 104 remark SDM_ACL Category=16
access-list 104 remark SDM_ACL Category=16

** edited by modus_in_rebus : masked some ips **
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 34137508
Dear Friend;

access-list 104 permit tcp host BBB.BBB.BBB.BBB any eq smtp log
access-list 104 permit tcp host CCC.CCC.CCC.CCC any eq smtp log

I understood from the list above that you have different NAT operations in this router too. You need to check the NAT order. If you send all of the configuration I may help.

Before sending the config you may want to know the steps below about NAT and IPsec.

If you are using NAT and IPsec together,
     -   the interface IPsec output order is IP routing -> NAT -> encrypt IPsec -> interface out
     -   the interface IPsec input order is interface in -> decrypt IPsec -> PAT -> IP routing

Most probably you are using a different NAT before the necessary one. We can only analyze it if we can see the whole picture of the config.

Thanks ...

** edited by modus_in_rebus : masked some ips **
0
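An added example, not code from the thread: a small first-match evaluator run over the StEACL posted earlier shows that its `deny` entries shadow the `permit` entries for the same remote hosts, and, following the routing -> NAT -> encrypt order given in the comment above, why the NAT route-map ACL and the crypto ACL need different source addresses. The split into NAT_ACL and CRYPTO_ACL, the omitted masked and 172.31.x lines, and the 10.255.255.5 pool address are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str


def _match(spec: str, ip: str) -> bool:
    """Match one address against a Cisco-style source/destination spec."""
    if spec == "any":
        return True
    addr = int(ipaddress.IPv4Address(ip))
    if spec.startswith("host "):
        return addr == int(ipaddress.IPv4Address(spec.split()[1]))
    net, wild = spec.split()
    n, w = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))
    return (addr & ~w) == (n & ~w)   # wildcard bits are "don't care"


def evaluate(acl, src, dst):
    """Cisco ACL semantics: first matching entry wins, implicit deny at the end.
    Returns (action, index) with the 1-based ACE that matched, or 0 for the implicit deny."""
    for i, ace in enumerate(acl, 1):
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action, i
    return "deny", 0


# StEACL as posted (constructed excerpt: masked line and 172.31.x denies omitted).
STE_ACL_POSTED = [
    Ace("deny", "any", "host 10.142.192.105"),
    Ace("deny", "any", "host 10.142.192.104"),
    Ace("deny", "any", "host 10.142.1.102"),
    Ace("deny", "any", "host 10.145.190.7"),
    Ace("permit", "any", "host 10.145.190.7"),     # shadowed by the deny above
    Ace("permit", "any", "host 10.142.1.102"),
    Ace("permit", "any", "host 10.142.192.104"),
    Ace("permit", "any", "host 10.142.192.105"),
]

REMOTE_HOSTS = ["10.145.190.7", "10.142.1.102", "10.142.192.104", "10.142.192.105"]

# Assumed split (not from the thread): the route-map ACL selects pre-NAT 192.168.1.0/24
# sources for translation; the crypto ACL is evaluated after NAT, so it must match the
# translated 10.255.255.0/25 source that the remote peer expects.
NAT_ACL = [Ace("permit", "192.168.1.0 0.0.0.255", f"host {h}") for h in REMOTE_HOSTS]
CRYPTO_ACL = [Ace("permit", "10.255.255.0 0.0.0.127", f"host {h}") for h in REMOTE_HOSTS]


def check_flow(src, dst):
    """Walk a LAN packet through NAT then the crypto map; returns (natted, interesting)."""
    natted = evaluate(NAT_ACL, src, dst)[0] == "permit"
    seen_by_crypto = "10.255.255.5" if natted else src   # constructed pool address
    interesting = evaluate(CRYPTO_ACL, seen_by_crypto, dst)[0] == "permit"
    return natted, interesting
```

With the posted ACL, a packet for the Citrix server hits the `deny` at entry 4 and is never translated, so the crypto map sees no interesting traffic and Phase 1 is never triggered.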
 

Author Comment

by:smartini67
ID: 34137776
File is attached
Thank you SDMConfig-111510.txt
0
 

Author Comment

by:smartini67
ID: 34137980
I am sure this is a bit confusing as we have attempted about 1000 things. Basically the 205.132.83.2 peer needs to have our internal IP of 192.168.1.x changed to 10.255.255.0/25 . . . and there is a list of 60 hosts that need to be in an access-list on his side . . . 10.145.190.7 is the primary example.

We will also be setting up a VPN with another customer who requires we change our internal IP to 192.168.13.0/24 and THEY also have a list of hosts to access.

Fun!
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 34140171
Hello;

In this configuration you have a mistake in the line below:

ip nat outside source route-map SDM_RMAP_11 pool StE

It needs to be:
ip nat inside source route-map SDM_RMAP_11 pool StE

Because the server is remote, communication will start from the LAN to the WAN.
0
 

Author Comment

by:smartini67
ID: 34140696
Thanks
Here is my new config . . . did some cleanup but added all the remote servers to the access-list.
Still no luck with getting the tunnel up.
 

** edited by modus_in_rebus : masked some ips **
SDMConfig1115-417EDIT.txt
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 34140714
OK, now we may concentrate on the crypto commands.

Could you please send me the output of the "show crypto session" command?
0
 

Author Comment

by:smartini67
ID: 34140738
blscisco#  show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 205.132.83.2 port 500
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.72.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.6.97
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.38.62
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.102
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.108.14
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 0.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.140
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.204
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.116.23
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.205
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.148
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.12.157
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.101.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.185
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.12
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.197
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.182.14
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.6
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.7
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.11
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.16
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.17
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.18
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.19
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.22
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.23
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.182.31
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.27
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.28
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.39
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.29
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.30
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.41
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.33
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.36
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.44
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.45
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.46
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.47
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.50
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.51
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.53
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.54
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.55
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.56
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.150.6.245
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.66
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.66
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.67
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.67
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.68
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.68
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.73
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.73
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.74
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.74
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.20
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.28
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.32
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.192.104
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.116
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.192.105
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.15.29
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.151
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.152
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 163.246.8.65 port 500
  IKE SA: local 66.42.147.210/500 remote 163.246.8.65/500 Active
  IPSEC FLOW: permit ip host 69.61.160.182 163.246.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 34140850
May I take the output of the command below too?
show crypto isakmp sa

0
 

Author Comment

by:smartini67
ID: 34140878
blscisco#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
66.42.147.210   163.246.8.65    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 34140902
I see that Phase 1 is not working now. You need to compare with your remote peer configuration that both of them have the same settings (password, transport type, policy).

After Phase 1 activation, most probably it will work normally.
0
 

Author Comment

by:smartini67
ID: 34140942
We have been over it and over it . . .  it is all correct. We get Phase 1 if I put a permit between 66.42.147.210 and 205.132.83.2 . . .but this is not correct...
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 34140985
Crypto always uses the first IP address. Because of that you cannot use a secondary IP address for IPsec. If you need to use the second one, you have to put it on another interface.
0
 

Author Comment

by:smartini67
ID: 34141007
66.42.147.210 is my first IP address. What I was referring to was adding a PERMIT statement to the ACL from 66.42.147.210 to 205.132.83.2.
0
 
LVL 12

Accepted Solution

by:Faruk Onder Yerli (earned 2000 total points)
ID: 34141027
I couldn't understand, sorry!
0
 

Author Comment

by:smartini67
ID: 34141106
I think that I do not get Phase 1 because there is no INTERESTING traffic . . . The remote side is an ASA and they say I need interesting traffic . . . I don't feel that the attempts to connect to the servers in the remote ACL are getting NATed correctly, if at all.

Is there anything you can have me try?
0
 

Author Closing Comment

by:smartini67
ID: 34145248
Realize troubleshooting Cisco connectivity this way is difficult unless it is an obvious issue. Will ask another way as I learn more.
0