smartit_richard
asked on
877 - 877 Site to Site traffic stopped working since new Route-Map added
Hi all,
I cannot see what is happening and have to say, being so busy, I seem to be blinded by this.
I have been transferring our VoIP from IAX to SIP; this required a new UDP pool to be added to the NAT listings.
When I add the new ip nat inside source line it stops all site-to-site traffic; as soon as I remove it and clear the ip nat trans, all works again.
Here are the details:
==========================
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_3 interface Dialer0 overload
ip nat inside source static tcp 192.168.90.3 25 217.36.230.125 25 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.3 443 217.36.230.125 443 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.3 1723 217.36.230.125 1723 extendable
ip nat inside source static tcp 192.168.90.5 3389 217.36.230.125 3389 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.90.6 4569 217.36.230.125 4569 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.12 5500 217.36.230.125 5500 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.22 5501 217.36.230.125 5501 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.36 5501 217.36.230.125 5502 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.4 8001 217.36.230.125 8001 route-map SDM_RMAP_1 extendable
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT
!
ip access-list extended UDP_RTP
permit udp host 192.168.90.6 any range 10001 20000
permit udp host 192.168.90.6 any range 5060 5082
!
access-list 23 permit 192.168.90.0 0.0.0.254
access-list 23 permit 192.168.91.0 0.0.0.254
access-list 100 deny ip 192.168.90.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 100 permit ip 192.168.90.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 103 deny ip 192.168.92.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 103 permit ip 192.168.92.0 0.0.0.255 any
access-list 104 deny ip 192.168.9.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 104 permit ip 192.168.9.0 0.0.0.255 any
access-list 105 deny icmp any any echo
access-list 105 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map SIP_NAT permit 1
match ip address UDP_RTP
!
route-map SDM_RMAP_1 permit 10
match ip address 100
!
route-map SDM_RMAP_2 permit 1
match ip address 103
!
route-map SDM_RMAP_3 permit 1
match ip address 104
==========================
So to clarify, VPN traffic stops when I activate:
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT
Regards,
Richard
ASKER
Thanks for your response. The actual ports I have forwarded work fine; what I'm saying is that the site-to-site VPN traffic stops as soon as I apply:
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT
The entire tunnel goes down? Or, just traffic from this host stops working?
ASKER
The tunnel is still up, but the light goes off and the traffic stops.
If I remove:
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT
and then clear the ip nat trans, traffic starts again and the light comes back on.
ASKER
OK, so I have changed the config slightly:
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_3 interface Dialer0 overload
ip nat inside source static tcp 192.168.90.3 25 217.36.230.125 25 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.3 443 217.36.230.125 443 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.3 1723 217.36.230.125 1723 extendable
ip nat inside source static tcp 192.168.90.5 3389 217.36.230.125 3389 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.90.6 4569 217.36.230.125 4569 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.4 8001 217.36.230.125 8001 route-map SDM_RMAP_1 extendable
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT extendable
!
access-list 23 permit 192.168.90.0 0.0.0.254
access-list 23 permit 192.168.91.0 0.0.0.254
access-list 100 deny ip 192.168.90.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 100 permit ip 192.168.90.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 103 deny ip 192.168.92.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 103 permit ip 192.168.92.0 0.0.0.255 any
access-list 104 deny ip 192.168.9.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 104 permit ip 192.168.9.0 0.0.0.255 any
access-list 105 deny icmp any any echo
access-list 105 permit ip any any
access-list 158 remark Trixbox
access-list 158 permit udp any any range 10001 20000
access-list 158 permit udp any any range 5060 5082
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map SIP_NAT permit 10
match ip address 158
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map SDM_RMAP_2 permit 1
match ip address 103
!
route-map SDM_RMAP_3 permit 1
match ip address 104
What happens now is when I boot the router there is no VPN. If I remove:
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT extendable
clear ip nat trans
add:
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT extendable
everything works!!!!
That is, until I reload.
In ref. to your "That is until i reload", are you talking the device or a client?
Did you copy running-config startup-config ?
ASKER
When I say reload, I would wr mem, then reload; this would reboot the 877. Once this is done it will not allow the VPN traffic until the rule is removed, the NAT table cleared, then re-added, almost like it loads the rules in the wrong order?
ASKER
OK, I've left the box running now for an hour and the traffic has stopped, this time without a reload, so I think this is a red herring. I feel there is an issue with the statement, as all the previous port forwards are PAT but I'm guessing the one I'm trying to add is NAT; this is obviously causing my nonat traffic to be NAT'd?
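An added example, not from the thread or any of its participants: a small model of IOS first-match ACL evaluation run against the NAT route-map ACLs posted above, to show which flows from 192.168.90.6 each one selects for translation. The sample flows and the `UDP_RTP_EXEMPT` variant (UDP_RTP with a deny for the VPN subnet in front, the way access-list 100 is written) are constructed assumptions, not something the thread states.

```python
# Added example: model Cisco IOS first-match ACL evaluation (implicit deny at
# the end) and apply it to the ACLs referenced by the NAT route-maps above.
# The flows below are constructed; the EXEMPT variant is an assumption.
from ipaddress import ip_address, ip_network

def acl_match(acl, proto, src, dst, dport):
    """Return True if the flow is permitted by the ACL, first match wins."""
    for action, aproto, snet, dnet, lo, hi in acl:
        if aproto not in ("ip", proto):          # 'ip' entries match any protocol
            continue
        if ip_address(src) not in ip_network(snet):
            continue
        if ip_address(dst) not in ip_network(dnet):
            continue
        if aproto != "ip" and not (lo <= dport <= hi):
            continue
        return action == "permit"
    return False                                  # implicit deny

# access-list 158 as posted (Trixbox): udp any any, two port ranges
ACL_158 = [
    ("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", 10001, 20000),
    ("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", 5060, 5082),
]
# UDP_RTP as posted: same ranges, but only from host 192.168.90.6
ACL_UDP_RTP = [
    ("permit", "udp", "192.168.90.6/32", "0.0.0.0/0", 10001, 20000),
    ("permit", "udp", "192.168.90.6/32", "0.0.0.0/0", 5060, 5082),
]
# access-list 100 as posted: traffic to the VPN site 192.168.91.0/24 is denied
# (exempted from NAT) before the permit-any line
ACL_100 = [
    ("deny", "ip", "192.168.90.0/24", "192.168.91.0/24", 0, 65535),
    ("permit", "ip", "192.168.90.0/24", "0.0.0.0/0", 0, 65535),
]
# Assumed variant: UDP_RTP with the same NAT-exemption clause in front
ACL_UDP_RTP_EXEMPT = [
    ("deny", "ip", "192.168.90.6/32", "192.168.91.0/24", 0, 65535),
] + ACL_UDP_RTP

ACLS = {"158": ACL_158, "UDP_RTP": ACL_UDP_RTP,
        "100": ACL_100, "UDP_RTP_EXEMPT": ACL_UDP_RTP_EXEMPT}

# Constructed flows from the SIP host: one RTP stream to a host at the VPN
# site, one SIP registration to the provider address seen in sh ip nat trans
FLOWS = {
    "rtp_to_vpn_site": ("udp", "192.168.90.6", "192.168.91.3", 12000),
    "sip_to_provider": ("udp", "192.168.90.6", "77.240.48.94", 5060),
}

def nat_selected(acl_name):
    """Map each sample flow to whether the named ACL would select it for NAT."""
    return {name: acl_match(ACLS[acl_name], *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name in ACLS:
        print(f"{name:15s} {nat_selected(name)}")
```

Only the ACLs with the leading deny leave the VPN-bound flow untranslated; 158 and UDP_RTP select it, which is the behaviour the post above describes as nonat traffic being NAT'd.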
Not sure what version you are running:
Try issuing the 1 prior in the command like:
ip nat inside 1 source static 192.168.90.6 217.36.230.125 route-map SIP_NAT extendable
ASKER
That would not allow me to enter; here is my version.
Cisco#sh ver
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Sat 20-Jun-09 02:20 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE
Cisco uptime is 1 hour, 48 minutes
System returned to ROM by reload
System image file is "flash:c870-advipservicesk9-mz.124-24.T1.bin"
Last reload reason: Reload Command
Change:
inside 1 source
to
inside source 1 static
My typo. Sorry
ASKER
Still will not allow the command; the 1 is highlighted as the error.
ASKER
Here is a copy of the sh ip nat trans:
Cisco#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 217.36.230.125:443 192.168.90.3:443 82.132.231.81:43807 82.132.231.81:43807
tcp 217.36.230.125:1723 192.168.90.3:1723 --- ---
tcp 217.36.230.125:20679 192.168.90.3:20679 199.47.216.144:80 199.47.216.144:80
tcp 217.36.230.125:21368 192.168.90.3:21368 64.239.246.16:80 64.239.246.16:80
tcp 217.36.230.125:21376 192.168.90.3:21376 212.118.234.147:443 212.118.234.147:443
tcp 217.36.230.125:21377 192.168.90.3:21377 199.47.216.178:443 199.47.216.178:443
udp 217.36.230.125:56473 192.168.90.3:56473 208.67.222.222:53 208.67.222.222:53
udp 217.36.230.125:57016 192.168.90.3:57016 208.67.222.222:53 208.67.222.222:53
tcp 217.36.230.125:62116 192.168.90.4:62116 212.118.234.130:443 212.118.234.130:443
udp 217.36.230.125:59485 192.168.90.5:59485 208.67.222.222:53 208.67.222.222:53
udp 217.36.230.125:123 192.168.90.6:123 131.211.39.72:123 131.211.39.72:123
udp 217.36.230.125:123 192.168.90.6:123 198.137.202.16:123 198.137.202.16:123
udp 217.36.230.125:123 192.168.90.6:123 208.87.221.228:123 208.87.221.228:123
udp 217.36.230.125:500 192.168.90.6:500 82.3.230.204:500 82.3.230.204:500
udp 217.36.230.125:500 192.168.90.6:500 82.3.230.204:500 82.3.230.204:500
udp 217.36.230.125:4569 192.168.90.6:4569 192.168.91.3:4569 192.168.91.3:4569
udp 217.36.230.125:1024 192.168.90.6:5060 77.240.48.94:5060 77.240.48.94:5060
tcp 217.36.230.125:53494 192.168.90.12:53494 199.47.216.144:80 199.47.216.144:80
Pro Inside global Inside local Outside local Outside global
tcp 217.36.230.125:53508 192.168.90.12:53508 212.118.234.138:443 212.118.234.138:443
tcp 217.36.230.125:53520 192.168.90.12:53520 107.20.250.7:443 107.20.250.7:443
tcp 217.36.230.125:33599 192.168.90.15:33599 173.192.219.157:5222 173.192.219.157:5222
tcp 217.36.230.125:47648 192.168.90.15:47648 217.12.4.46:80 217.12.4.46:80
tcp 217.36.230.125:52664 192.168.90.15:52664 173.194.78.188:5228 173.194.78.188:5228
tcp 217.36.230.125:60230 192.168.90.15:60230 74.125.230.132:80 74.125.230.132:80
tcp 217.36.230.125:25 192.168.90.3:25 --- ---
tcp 217.36.230.125:443 192.168.90.3:443 --- ---
tcp 217.36.230.125:3389 192.168.90.5:3389 --- ---
tcp 217.36.230.125:8001 192.168.90.4:8001 --- ---
--- 217.36.230.125 192.168.90.6 --- ---
Not that I have any idea as to why this does not work!
Why not try
access-list 158 permit udp any any range 10001 20000 log
access-list 158 permit udp any any range 5060 5082 log
and see if anything else is being caught by this.
Greg
ASKER CERTIFIED SOLUTION
ASKER
This was known beforehand; I was looking for a better solution to do this.
ip access-list extended UDP_RTP
permit udp host 192.168.90.6 any range 10001 20000
permit udp host 192.168.90.6 any range 5060 5082
You might want to add the following:
permit udp host 192.168.90.6 any range 4569 4570
And try again. If this doesn't resolve your issue, please let us know. Hope this helps.