smartini67 (United States of America) asked:

Need to NAT ONLY VPN destined Traffic

Scenario
I have a Cisco 2811 router with a VPN tunnel to a remote customer. This customer requires that I NAT our internal traffic to 10.255.255.0/255.255.255.128 and pass it through the tunnel. I have set up an access-list of 60+ hosts on the remote side that we are allowed to access (servers). I don't want all IP traffic NATed, as I have another VPN tunnel that is set up with our internal static IP.
I can send configs and specs . . . Please help!
Tags: Routers, Internet Protocol Security


8/22/2022 - Mon
ASKER
smartini67

I just need someone to review my routing.
Faruk Onder Yerli

Dear Friends;

Could you please send your config and describe what you did?
ASKER
smartini67

crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel toXXX.XXX.XXX.XXX
 set peer XXX.XXX.XXX.XXX
 set transform-set StE
 match address StEACL
 reverse-route


ip nat pool StE 10.255.255.1 10.255.255.127 netmask 255.255.255.128
ip nat inside source route-map SDM_RMAP_9 pool StE

ip access-list extended StEACL
 remark SDM_ACL Category=6
 deny   ip host YYY.YYY.YYY.YYY 163.246.0.0 0.0.255.255
 deny   ip any host 10.142.192.105 log
 deny   ip any host 10.142.192.104 log
 deny   ip any host 10.142.1.102 log
 deny   ip any host 10.145.190.7 log
 deny   ip any host 172.31.253.76
 deny   ip any host 72.31.252.131
 deny   ip any host 172.31.252.130
 deny   ip any host 172.31.246.59
 permit ip any host 10.145.190.7 log
 permit ip any host 10.142.1.102 log
 permit ip any host 10.142.192.104 log
 permit ip any host 10.142.192.105 log

route-map SDM_RMAP_9 permit 1
 match ip address StEACL

** edited by modus_in_rebus : masked some ips **
Faruk Onder Yerli

What you sent me is not enough to understand the NAT operation. Also, such a config cannot work.

We need to define your request clearly:

- What is your local IP address range?
- What is the remote IP address range?
- What is the router's internal network interface IP address?

As I understand it, you want to send your local network to the tunnel with NAT. There are two NAT options:
   1. Dynamic NAT. All of the local network will access the tunnel with the same IP address or pool. But a pool is not obligatory.
   2. Static NAT. Tunnel users want to access a LAN server or user. In this case you need to use static NAT for each host.

Please define the topics above.

Thanks ...
ASKER
smartini67

Local IP address range is currently 192.168.1.x /24 . . . we need to NAT that for this tunnel to 10.255.255.1/25

We do not have a remote IP address range, just a list of 60 hosts . . . the main one is 10.145.190.7 (Citrix server)

Router internal network interface IP is 192.168.1.1
ASKER
smartini67

I am receiving a message in the log when the tunnel test fails:

Nov 12 21:11:14.467: ISAKMP:(1067): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = -330555943, sa = 4442FD28
*Nov 12 21:11:14.467: ISAKMP:(1067):peer does not do paranoid keepalives.

*Nov 12 21:11:14.467: ISAKMP:(1067):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 205.132.83.2)
*Nov 12 21:11:14.467: ISAKMP:(1067):deleting node -330555943 error FALSE reason "Informational (in) state 1"
Faruk Onder Yerli

Did you put the interface ip nat commands in? Is there any other NAT inside the router?

in local network
ip nat inside

in crypto network
ip nat outside
ASKER
smartini67

Yes, I have:

interface FastEthernet0/0
 description $ETH-WAN$
 ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.252 secondary
 ip address AAA.AAA.AAA.AAA 255.255.255.240
 ip access-group 104 out
 ip nat outside
 ip virtual-reassembly
 duplex full

interface FastEthernet0/1
 description $ES_LAN$$ETH-LAN$
 ip address 192.168.13.1 255.255.255.0 secondary
 ip address 10.255.255.1 255.255.255.128 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 no mop enabled

** edited by modus_in_rebus : masked some ips **
Faruk Onder Yerli

Could you please tell me about ACL 104?
ASKER
smartini67

access-list 104 remark SDM_ACL Category=16
access-list 104 permit tcp host BBB.BBB.BBB.BBB any eq smtp log
access-list 104 permit tcp host CCC.CCC.CCC.CCC any eq smtp log
access-list 104 permit tcp host 192.168.1.160 any eq smtp log
access-list 104 permit tcp host 192.168.1.162 any eq smtp log
access-list 104 permit tcp host 192.168.1.91 any eq smtp log
access-list 104 permit tcp host 192.168.1.176 any eq smtp log
access-list 104 permit tcp host 192.168.1.188 any eq smtp log
access-list 104 deny   tcp host 192.168.1.119 any eq smtp log
access-list 104 permit ip any any log
access-list 104 permit tcp any any log
access-list 104 permit udp any any eq domain
access-list 104 remark SDM_ACL Category=16
access-list 104 remark SDM_ACL Category=16

** edited by modus_in_rebus : masked some ips **
Faruk Onder Yerli

Dear Friend;

access-list 104 permit tcp host BBB.BBB.BBB.BBB any eq smtp log
access-list 104 permit tcp host CCC.CCC.CCC.CCC any eq smtp log

From the list above I understand that you have different NAT operations in this router too. You need to check the NAT order. If you send the whole configuration I may be able to help.

Before sending the config, you should know the steps below about NAT and IPsec.

If you are using NAT and IPsec together,
     -   the interface IPsec output order is: IP routing -> NAT -> encrypt IPsec -> interface out
     -   the interface IPsec input order is: in interface -> decrypt IPsec -> PAT -> IP routing

Most probably a different NAT is being used before the necessary one. We can only analyze it if we can see the whole picture of the config.

Thanks ...

** edited by modus_in_rebus : masked some ips **
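The outbound order quoted above (routing, then NAT, then IPsec) means the crypto map only ever sees the post-NAT source address, while the NAT route-map sees the original LAN source. The following added checker is not from the thread or from Cisco; it models that order for one packet with Cisco-style first-match ACL evaluation and an implicit deny, and runs both the StEACL as posted (where "deny ip any host 10.145.190.7" precedes the matching permit, so the permit is never reached) and an assumed corrected split with separate NAT and crypto ACLs. The LAN source 192.168.1.50 and the 163.246.8.1 destination for the other tunnel are constructed sample values.

```python
import ipaddress


def _term(tokens):
    """Consume one Cisco ACL address term: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _matches(term, addr):
    """Cisco wildcard match: wildcard bits set to 1 are 'don't care'."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in term)
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)


def acl_permits(acl, src, dst):
    """First matching ACE decides; no match is the implicit deny.
    Only 'ip' ACEs are modelled, which is all the posted StEACL uses."""
    for line in acl:
        toks = line.split()
        if not toks or toks[0] == "remark" or toks[1] != "ip":
            continue
        s, rest = _term(toks[2:])
        d, _ = _term(rest)          # a trailing 'log' keyword is ignored
        if _matches(s, src) and _matches(d, dst):
            return toks[0] == "permit"
    return False


def outbound(src, dst, nat_acl, pool_addr, crypto_acl):
    """Inside-to-outside path: routing -> inside source NAT -> crypto map.
    Returns (source after NAT, whether the crypto ACL treats it as interesting)."""
    if acl_permits(nat_acl, src, dst):
        src = pool_addr             # dynamic pool NAT hands out a pool address
    return src, acl_permits(crypto_acl, src, dst)


# Constructed excerpt of the StEACL exactly as ordered in the thread.
POSTED_ACL = [
    "remark SDM_ACL Category=6",
    "deny   ip any host 10.145.190.7 log",
    "permit ip any host 10.145.190.7 log",
]
# Assumed corrected split: NAT ACL on the pre-NAT LAN source, crypto ACL on
# the post-NAT pool source, each limited to the remote host.
NAT_ACL = ["permit ip 192.168.1.0 0.0.0.255 host 10.145.190.7"]
CRYPTO_ACL = ["permit ip 10.255.255.0 0.0.0.127 host 10.145.190.7"]
POOL = "10.255.255.1"

if __name__ == "__main__":
    print(outbound("192.168.1.50", "10.145.190.7", POSTED_ACL, POOL, POSTED_ACL))
    print(outbound("192.168.1.50", "10.145.190.7", NAT_ACL, POOL, CRYPTO_ACL))
    print(outbound("192.168.1.50", "163.246.8.1", NAT_ACL, POOL, CRYPTO_ACL))
```

The third call shows traffic for the other tunnel's 163.246.0.0/16 network leaving with its original source untouched, which is the "NAT only VPN-destined traffic" requirement from the question.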
ASKER
smartini67

File is attached
Thank you SDMConfig-111510.txt
ASKER
smartini67

I am sure this is a bit confusing as we have attempted about 1000 things. Basically the 205.132.83.2 peer needs to have our internal IP of 192.168.1.x changed to 10.255.255.0/25 . . . and there is a list of 60 hosts that need to be in an access-list on his side . . . 10.145.190.7 is the primary example.

We will also be setting up a VPN with another customer who requires we change our internal IP to 192.168.13.0/24 and THEY also have a list of hosts to access.

Fun!
Faruk Onder Yerli

Hello;

In this configuration you have a mistake in the line below

ip nat outside source route-map SDM_RMAP_11 pool StE

It needs to be
ip nat inside source route-map SDM_RMAP_11 pool StE

Because the server is remote, communication will start from LAN to WAN.
ASKER
smartini67

Thanks
Here is my new config . . . did some cleanup but added all the remote servers to the access-list,
still no luck getting the tunnel up.

** edited by modus_in_rebus : masked some ips **
SDMConfig1115-417EDIT.txt
Faruk Onder Yerli

OK, now we may concentrate on the crypto commands.

Could you please send me the output of the "show crypto session" command?
ASKER
smartini67

blscisco#  show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 205.132.83.2 port 500
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IKE SA: local 66.42.147.210/500 remote 205.132.83.2/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.72.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.6.97
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.38.62
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.102
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.108.14
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 0.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.110.26
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.140
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.204
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.116.23
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.205
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.148
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.12.157
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.101.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.185
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.12
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.142.1.197
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.182.14
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.6
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.7
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.11
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.16
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.17
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.18
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.19
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.22
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.23
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.182.31
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.27
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.28
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.39
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.29
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.30
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.41
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.33
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.36
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.44
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.45
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.46
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.47
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.50
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.51
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.53
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.54
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.55
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.56
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.150.6.245
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.66
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.66
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.67
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.67
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.68
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.68
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.190.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.69
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.70
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.71
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.72
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.73
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.73
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.193.74
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.194.74
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.20
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.28
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 205.132.82.32
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.192.104
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.116
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.192.105
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.15.29
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.151
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.145.180.152
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 163.246.8.65 port 500
  IKE SA: local 66.42.147.210/500 remote 163.246.8.65/500 Active
  IPSEC FLOW: permit ip host 69.61.160.182 163.246.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
Faruk Onder Yerli

May I have the output of the command below too?
show crypto isakmp sa
ASKER
smartini67

blscisco#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
66.42.147.210   163.246.8.65    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
Faruk Onder Yerli

I see that Phase 1 is not working now. You need to compare with your remote peer configuration that both of them have the same functions (password, transport type, policy).

After Phase 1 activation, most probably it will work normally.
ASKER
smartini67

We have been over it and over it . . . it is all correct. We get Phase 1 if I put a permit between 66.42.147.210 and 205.132.83.2 . . . but this is not correct...
Faruk Onder Yerli

Crypto always uses the first IP address. Because of that you cannot use a secondary IP address for IPsec. If you need to use the second one, you have to put it on another interface.
ASKER
smartini67

66.42.147.210 is my first IP address. What I was referring to was adding a PERMIT statement to the ACL from 66.42.147.210 to 205.132.83.2.
ASKER CERTIFIED SOLUTION
Faruk Onder Yerli

ASKER
smartini67

I think that I do not get Phase 1 because there is no INTERESTING traffic . . . The remote side is an ASA and they say I need interesting traffic . . . I don't feel that the attempts to connect to the servers in the remote ACL are getting NATed correctly, if at all.

Is there anything you can have me try?
ASKER
smartini67

I realize troubleshooting Cisco connectivity this way is difficult unless there is an obvious issue. Will ask another way as I learn more.