Solved

Need to NAT ONLY VPN destined Traffic

Posted on 2010-11-11
471 Views
Last Modified: 2012-05-10
Scenario
I have a Cisco 2811 router with a VPN tunnel to a remote customer. This customer requires I NAT our internal traffic to 10.255.255.0/255.255.255.128 and pass it through the tunnel. I have set up an access-list of 60+ hosts on the remote side that we are allowed access to (servers). I don't want all IP traffic NATed, for I have another VPN tunnel that is set up with our internal static IP.
I can send configs and specs . . . Please help!
Question by:smartini67
26 Comments
 

Author Comment

by:smartini67
I just need someone to review my routing.
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
Dear Friends;

Could you please send your config showing what you did?
0
 

Author Comment

by:smartini67
! Crypto map entry for the StE tunnel, posted as-is (peer IPs masked by the moderator)
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel toXXX.XXX.XXX.XXX
 set peer XXX.XXX.XXX.XXX
 set transform-set StE
 match address StEACL
 reverse-route


! NAT pool 10.255.255.1-.127 and policy NAT driven by route-map SDM_RMAP_9
ip nat pool StE 10.255.255.1 10.255.255.127 netmask 255.255.255.128
ip nat inside source route-map SDM_RMAP_9 pool StE

! StEACL is used both as the crypto map's match ACL and as the route-map's
! match ACL. Each "permit ... host X" below is preceded by a "deny ... host X";
! with first-match evaluation the permit lines are never reached.
ip access-list extended StEACL
 remark SDM_ACL Category=6
 deny   ip host YYY.YYY.YYY.YYY 163.246.0.0 0.0.255.255
 deny   ip any host 10.142.192.105 log
 deny   ip any host 10.142.192.104 log
 deny   ip any host 10.142.1.102 log
 deny   ip any host 10.145.190.7 log
 deny   ip any host 172.31.253.76
 deny   ip any host 72.31.252.131
 deny   ip any host 172.31.252.130
 deny   ip any host 172.31.246.59
 permit ip any host 10.145.190.7 log
 permit ip any host 10.142.1.102 log
 permit ip any host 10.142.192.104 log
 permit ip any host 10.142.192.105 log

! Route-map referenced by the "ip nat inside source" statement above
route-map SDM_RMAP_9 permit 1
 match ip address StEACL

** edited by modus_in_rebus : masked some ips **
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
What you sent me is not enough to understand the NAT operation. Also, such a config cannot work.

We need to define your request clearly;

- What is your local IP address range?
- What is the remote IP address range?
- What is the router's internal network interface IP address?

As I understood, you want to send your local network to the tunnel with NAT. There are two NAT options:
   1. Dynamic NAT: all of the local network will access the tunnel with the same IP address or pool. But a pool is not obligatory.
   2. Static NAT: a tunnel user wants access to a LAN server or user. In this case you need to use static NAT for each host.

Please define the topics above.

Thanks ...
0
 

Author Comment

by:smartini67
Local IP address range is currently 192.168.1.x/24 . . . we need to NAT that for this tunnel to 10.255.255.1/25

We do not have a remote IP address range, just a list of 60 hosts . . . the main one is 10.145.190.7 (Citrix server)

Router internal network interface IP is 192.168.1.1
0
 

Author Comment

by:smartini67
I am receiving a message in the log when the tunnel test fails:

Nov 12 21:11:14.467: ISAKMP:(1067): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = -330555943, sa = 4442FD28
*Nov 12 21:11:14.467: ISAKMP:(1067):peer does not do paranoid keepalives.

*Nov 12 21:11:14.467: ISAKMP:(1067):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 205.132.83.2)
*Nov 12 21:11:14.467: ISAKMP:(1067):deleting node -330555943 error FALSE reason "Informational (in) state 1"
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
Did you put the interface ip nat commands? Is there any more NAT inside the router?
 
On the local network interface:
ip nat inside

On the crypto (WAN) interface:
ip nat outside
0
 

Author Comment

by:smartini67
Yes I have :

! WAN interface; ACL 104 is applied outbound and this side is "ip nat outside"
interface FastEthernet0/0
 description $ETH-WAN$
 ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.252 secondary
 ip address AAA.AAA.AAA.AAA 255.255.255.240
 ip access-group 104 out
 ip nat outside
 ip virtual-reassembly
 duplex full

! LAN interface; carries three addresses, the last one being the primary
interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$
 ip address 192.168.13.1 255.255.255.0 secondary
 ! 10.255.255.1 lies inside the "ip nat pool StE" range (10.255.255.1-.127) posted earlier
 ip address 10.255.255.1 255.255.255.128 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 no mop enabled

** edited by modus_in_rebus : masked some ips **
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
Comment Utility
Could you please tell me about ACL 104?
0
 

Author Comment

by:smartini67
! Outbound ACL on FastEthernet0/0, evaluated first-match
access-list 104 remark SDM_ACL Category=16
access-list 104 permit tcp host BBB.BBB.BBB.BBB any eq smtp log
access-list 104 permit tcp host CCC.CCC.CCC.CCC any eq smtp log
access-list 104 permit tcp host 192.168.1.160 any eq smtp log
access-list 104 permit tcp host 192.168.1.162 any eq smtp log
access-list 104 permit tcp host 192.168.1.91 any eq smtp log
access-list 104 permit tcp host 192.168.1.176 any eq smtp log
access-list 104 permit tcp host 192.168.1.188 any eq smtp log
access-list 104 deny   tcp host 192.168.1.119 any eq smtp log
! "permit ip any any" matches everything, so the two lines after it are never reached
access-list 104 permit ip any any log
access-list 104 permit tcp any any log
access-list 104 permit udp any any eq domain
access-list 104 remark SDM_ACL Category=16
access-list 104 remark SDM_ACL Category=16

** edited by modus_in_rebus : masked some ips **
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
Dear Friend;

access-list 104 permit tcp host BBB.BBB.BBB.BBB any eq smtp log
access-list 104 permit tcp host CCC.CCC.CCC.CCC any eq smtp log

I understood from the list above that you have different NAT operations in this router too. You need to check the NAT order. If you send the whole configuration I may be able to help.

Before sending the config you may want to know the steps below about NAT and IPsec.

If you are using NAT and IPsec together,
     -   the IPsec output order on the interface is IP routing -> NAT -> IPsec encrypt -> interface out
     -   the IPsec input order on the interface is interface in -> IPsec decrypt -> PAT -> IP routing

Most probably you are using a different NAT before the necessary one. We can only analyze it if we can see the whole picture of the config.

Thanks ...

** edited by modus_in_rebus : masked some ips **
0
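The order-of-operations point in the reply above (routing, then NAT, then the crypto map) is the whole problem in miniature, and the two ACL posts earlier in the thread (StEACL with its deny-before-permit lines, and ACL 104) show why it bites. The following is an added example written for this page, not code from either participant: a small Python model that parses plain `ip` ACEs in IOS syntax, evaluates them with first-match semantics, walks one packet through NAT and then the crypto-map match, flags ACEs that can never be reached, and checks the posted NAT pool range against the router's own interface addresses. The corrected ACL pair, the 192.168.1.50 test host, and a pool starting at 10.255.255.2 are assumptions for illustration; the StEACL lines, the remote hosts and the interface addresses are taken from the thread (the masked YYY line is left out because it cannot be parsed).

```python
import ipaddress

# Added example, not from the thread. Models the IOS outbound order the
# expert describes (routing -> NAT inside source -> crypto map) against the
# StEACL posted in this thread, then against a corrected pair of ACLs.

ALL = ipaddress.ip_network("0.0.0.0/0")


def _addr(tok):
    """Consume one IOS ACL address spec: 'any', 'host A', or 'A wildcard'."""
    if tok[0] == "any":
        return ALL, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # IOS wildcard mask -> netmask (contiguous masks only)
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1])))
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]


def parse_ace(line):
    """'permit|deny ip <src> <dst> [log]' -> (permit?, src_net, dst_net)."""
    tok = line.split()
    if tok[-1] == "log":
        tok = tok[:-1]
    if tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"only plain ip ACEs are modelled: {line!r}")
    src, rest = _addr(tok[2:])
    dst, rest = _addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in {line!r}")
    return tok[0] == "permit", src, dst


def acl_permits(acl, src, dst):
    """IOS first-match evaluation with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, s, d in map(parse_ace, acl):
        if src in s and dst in d:
            return permit
    return False


def shadowed(acl):
    """Indices of ACEs that can never match because an earlier ACE already
    covers their whole src/dst range (the thread's deny-before-permit case)."""
    parsed = [parse_ace(l) for l in acl]
    return [i for i, (_, s, d) in enumerate(parsed)
            if any(s.subnet_of(ps) and d.subnet_of(pd) for _, ps, pd in parsed[:i])]


def outbound(src, dst, nat_acl, pool_first, crypto_acl):
    """Walk one packet through NAT, then the crypto map.
    Returns (source address as it leaves the router, encrypted_by_this_map)."""
    if acl_permits(nat_acl, src, dst):
        src = pool_first            # simplified: always the first pool address
    return src, acl_permits(crypto_acl, src, dst)


def pool_overlaps(pool_first, pool_last, interface_addrs):
    """Interface addresses that fall inside a NAT pool range."""
    lo, hi = (int(ipaddress.ip_address(a)) for a in (pool_first, pool_last))
    return [a for a in interface_addrs if lo <= int(ipaddress.ip_address(a)) <= hi]


# StEACL as posted in the thread (masked YYY line omitted).
POSTED_STEACL = [
    "deny   ip any host 10.142.192.105 log",
    "deny   ip any host 10.142.192.104 log",
    "deny   ip any host 10.142.1.102 log",
    "deny   ip any host 10.145.190.7 log",
    "permit ip any host 10.145.190.7 log",
    "permit ip any host 10.142.1.102 log",
    "permit ip any host 10.142.192.104 log",
    "permit ip any host 10.142.192.105 log",
]

# Assumed corrected split: the NAT ACL matches the real LAN source, the
# crypto ACL matches the *translated* source, because NAT runs first.
REMOTE_HOSTS = ["10.145.190.7", "10.142.1.102", "10.142.192.104", "10.142.192.105"]
NAT_ACL = [f"permit ip 192.168.1.0 0.0.0.255 host {h}" for h in REMOTE_HOSTS]
CRYPTO_ACL = [f"permit ip 10.255.255.0 0.0.0.127 host {h}" for h in REMOTE_HOSTS]
# Assumed pool start of .2 so the router's own 10.255.255.1 is never handed out.
POOL_FIRST, POOL_LAST = "10.255.255.2", "10.255.255.127"

if __name__ == "__main__":
    print("shadowed ACEs in posted StEACL:", shadowed(POSTED_STEACL))
    print("posted:   ", outbound("192.168.1.50", "10.145.190.7", POSTED_STEACL, POOL_FIRST, POSTED_STEACL))
    print("corrected:", outbound("192.168.1.50", "10.145.190.7", NAT_ACL, POOL_FIRST, CRYPTO_ACL))
    print("other peer:", outbound("192.168.1.50", "163.246.8.10", NAT_ACL, POOL_FIRST, CRYPTO_ACL))
    print("pool vs interfaces:", pool_overlaps("10.255.255.1", "10.255.255.127",
                                               ["192.168.1.1", "192.168.13.1", "10.255.255.1"]))
```

With the posted StEACL the packet is neither translated nor matched by the crypto map, which is consistent with the "no interesting traffic" explanation the remote side gives later in the thread. With the split design the LAN source is translated first and the crypto ACL then matches the translated 10.255.255.0/25 source, while traffic towards the other peer's 163.246.0.0/16 range is left untouched for the other crypto map entry. The model ignores protocols, ports and pool exhaustion; it only shows the order in which the router makes its decisions.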
 

Author Comment

by:smartini67
File is attached
Thank you SDMConfig-111510.txt
0
 

Author Comment

by:smartini67
I am sure this is a bit confusing as we have attempted about 1000 things. Basically the 205.132.83.2 peer needs to have our internal IP of 192.168.1.x changed to 10.255.255.0/25 . . . and there is a list of 60 hosts that need to be in an access-list on his side . . . 10.145.190.7 is the primary example.

We will also be setting up a VPN with another customer who requires we change our internal IP to 192.168.13.0/24, and THEY also have a list of hosts to access.

Fun!
0

 
LVL 12

Expert Comment

by:Faruk Onder Yerli
Hello;

In this configuration you have a mistake in the line below:

ip nat outside source route-map SDM_RMAP_11 pool StE

It needs to be:
ip nat inside source route-map SDM_RMAP_11 pool StE

Because the server is remote, communication will start from LAN to WAN.
0
 

Author Comment

by:smartini67
Thanks.
Here is my new config . . . did some cleanup but added all the remote servers to the access-list.
Still no luck getting the tunnel up.
 

** edited by modus_in_rebus : masked some ips **
SDMConfig1115-417EDIT.txt
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
OK, now we may concentrate on the crypto commands.

Could you please send me the output of the "show crypto session" command.
0
 

Author Comment

by:smartini67
blscisco#  show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 205.132.83.2 port 500
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.72.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.6.97
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.38.62
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.102
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.108.14
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 0.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.140
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.204
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.116.23
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.205
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.148
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.12.157
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.101.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.185
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.12
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.197
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.182.14
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.6
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.7
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.11
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.16
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.17
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.18
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.19
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.22
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.23
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.182.31
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.27
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.28
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.39
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.29
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.30
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.41
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.33
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.36
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.44
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.45
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.46
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.47
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.50
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.51
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.53
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.54
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.55
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.56
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.150.6.245
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.66
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.66
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.67
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.67
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.68
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.68
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.73
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.73
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.74
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.74
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.20
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.28
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.32
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.192.104
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.116
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.192.105
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.15.29
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.151
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.152
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 163.246.8.65 port 500
  IKE SA: local 66.42.147.210/500 remote 163.246.8.65/500 Active
  IPSEC FLOW: permit ip host 69.61.160.182 163.246.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
0
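Eighty-odd single-host flows are hard to check by eye, and an entry like the 0.145.110.26 line in the output above is easy to miss next to 10.145.110.26. The following is an added example, not part of the thread: a Python parser for `show crypto session` output that groups flows per peer, reports session status and active SA counts, and lists any destination that falls outside the prefixes you expect for that customer. The excerpt is a constructed abbreviation of the posted output, and the expected-prefix list is an assumption about where the customer's hosts live.

```python
import re
import ipaddress

# Added example, not from the thread: a parser for "show crypto session"
# output so a long flow list can be checked mechanically.

# Constructed excerpt, abbreviated from the output posted in this thread
# (the real output lists ~80 flows); the 0.145.110.26 line is copied as-is.
SAMPLE = """\
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 205.132.83.2 port 500
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 0.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.7
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 163.246.8.65 port 500
  IKE SA: local 66.42.147.210/500 remote 163.246.8.65/500 Active
  IPSEC FLOW: permit ip host 69.61.160.182 163.246.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
"""

# Assumed: the address ranges the two customers' hosts are supposed to live in.
EXPECTED_PREFIXES = ["10.0.0.0/8", "163.246.0.0/16", "205.132.82.0/24"]


def _addr(tok):
    """Consume 'host A.B.C.D' or 'A.B.C.D/netmask' as printed by IOS."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(tok[0], strict=False), tok[1:]


def parse_sessions(text):
    """Return one dict per session block:
    {'peer', 'status', 'ike_active', 'flows': [(src_net, dst_net, active_sas)]}."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = {"peer": None, "status": None, "ike_active": False, "flows": []}
            sessions.append(cur)
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur["peer"] = line.split()[1]
        elif line.startswith("IKE SA:"):
            cur["ike_active"] = cur["ike_active"] or line.endswith(" Active")
        elif line.startswith("IPSEC FLOW: permit ip "):
            src, rest = _addr(line.split()[4:])
            dst, _ = _addr(rest)
            cur["flows"].append([src, dst, 0])
        elif line.startswith("Active SAs:"):
            # the SA count belongs to the flow line just above it
            cur["flows"][-1][2] = int(re.search(r"Active SAs: (\d+)", line).group(1))
    for s in sessions:
        s["flows"] = [tuple(f) for f in s["flows"]]
    return sessions


def summary(sessions):
    """{peer: (status, flow_count, total_active_sas)}"""
    return {s["peer"]: (s["status"], len(s["flows"]),
                        sum(a for _, _, a in s["flows"])) for s in sessions}


def suspect_destinations(sessions, expected_prefixes):
    """Flow destinations outside every expected prefix: the place to look
    for a mistyped host in a crypto ACL with dozens of entries."""
    nets = [ipaddress.ip_network(p) for p in expected_prefixes]
    return [str(dst) for s in sessions for _, dst, _ in s["flows"]
            if not any(dst.subnet_of(n) for n in nets)]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE)
    for peer, (status, n, active) in summary(sessions).items():
        print(f"{peer:16} {status:18} flows={n:3} active SAs={active}")
    print("destinations outside expected prefixes:",
          suspect_destinations(sessions, EXPECTED_PREFIXES))
```

Paste the full output in place of the constructed excerpt: a peer with many flows and zero active SAs is a crypto map whose interesting traffic never arrives, and any destination the last function prints is worth checking against the customer's host list before chasing Phase 1 settings.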
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
May I have the output of the command below too?
show crypto isakmp sa

0
 

Author Comment

by:smartini67
blscisco#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
66.42.147.210   163.246.8.65    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
I see that Phase 1 is not working now. You need to compare with your remote peer's configuration that both of them have the same settings (password, transport type, policy).

After Phase 1 comes up it will most probably work normally.
0
 

Author Comment

by:smartini67
We have been over it and over it . . . it is all correct. We get Phase 1 if I put a permit between 66.42.147.210 and 205.132.83.2 . . . but this is not correct...
0
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
Crypto always uses the first IP address; because of this you cannot use a secondary IP address for IPsec. If you need to use the second one, you have to put it on another interface.
0
 

Author Comment

by:smartini67
66.42.147.210 is my first IP address. What I was referring to was adding a PERMIT statement to the ACL from 66.42.147.210 to 205.132.83.2.
0
 
LVL 12

Accepted Solution

by:Faruk Onder Yerli (earned 500 total points)
I couldn't understand, sorry!
0
 

Author Comment

by:smartini67
I think that I do not get Phase 1 because there is no INTERESTING traffic . . . The remote side is an ASA and they say I need interesting traffic . . . I don't feel that the attempts to connect to the servers in the remote ACL are getting NATed correctly, if at all.

Is there anything you can have me try?
0
 

Author Closing Comment

by:smartini67
Realize troubleshooting Cisco connectivity this way is difficult unless it is an obvious issue. Will ask another way as I learn more.
0
