Solved

877 - 877 Site to Site traffic stopped working since new Route-Map added

Posted on 2012-04-04
1,052 Views
Last Modified: 2012-04-15
Hi all,

I cannot see what is happening and have to say that, being so busy, I seem to be blinded by this.
I have been transferring our VoIP from IAX to SIP; this required adding a new UDP pool to the NAT listings.

When I add the new ip nat inside source line it stops all site-to-site traffic; as soon as I remove it and clear the ip nat trans, all works again.

Here are the details:
=======================================================================

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_3 interface Dialer0 overload
ip nat inside source static tcp 192.168.90.3 25 217.36.230.125 25 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.3 443 217.36.230.125 443 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.3 1723 217.36.230.125 1723 extendable
ip nat inside source static tcp 192.168.90.5 3389 217.36.230.125 3389 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.90.6 4569 217.36.230.125 4569 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.12 5500 217.36.230.125 5500 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.22 5501 217.36.230.125 5501 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.36 5501 217.36.230.125 5502 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.4 8001 217.36.230.125 8001 route-map SDM_RMAP_1 extendable
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT
!
ip access-list extended UDP_RTP
 permit udp host 192.168.90.6 any range 10001 20000
 permit udp host 192.168.90.6 any range 5060 5082
!
access-list 23 permit 192.168.90.0 0.0.0.254
access-list 23 permit 192.168.91.0 0.0.0.254
access-list 100 deny   ip 192.168.90.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 100 permit ip 192.168.90.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 103 deny   ip 192.168.92.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 103 permit ip 192.168.92.0 0.0.0.255 any
access-list 104 deny   ip 192.168.9.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 104 permit ip 192.168.9.0 0.0.0.255 any
access-list 105 deny   icmp any any echo
access-list 105 permit ip any any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
route-map SIP_NAT permit 1
 match ip address UDP_RTP
!
route-map SDM_RMAP_1 permit 10
 match ip address 100
!
route-map SDM_RMAP_2 permit 1
 match ip address 103
!
route-map SDM_RMAP_3 permit 1
 match ip address 104

========================================================================

So to clarify: VPN traffic stops when I activate:
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT

Regards,

Richard
Question by: smartit_richard

16 Comments
LVL 15

Expert Comment

by:The_Warlock
ID: 37811841
In ref. to your section:

ip access-list extended UDP_RTP
 permit udp host 192.168.90.6 any range 10001 20000
 permit udp host 192.168.90.6 any range 5060 5082

You might want to add the following:
permit udp host 192.168.90.6 any range 4569 4570

And try again. If this doesn't resolve your issue, please let us know. Hope this helps.

Author Comment

by:smartit_richard
ID: 37811873
Thanks for your response. The actual ports I have forwarded work fine; what I'm saying is that the site-to-site VPN traffic stops as soon as I apply:

ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT
LVL 15

Expert Comment

by:The_Warlock
ID: 37811900
The entire tunnel goes down? Or, just traffic from this host stops working?

Author Comment

by:smartit_richard
ID: 37811913
The tunnel is still up but the light goes off and the traffic stops.
If I remove:
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT

and then clear the ip nat trans, traffic starts again and the light comes back on.

Author Comment

by:smartit_richard
ID: 37811934
OK, so I have changed the config slightly:

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_3 interface Dialer0 overload
ip nat inside source static tcp 192.168.90.3 25 217.36.230.125 25 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.3 443 217.36.230.125 443 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.3 1723 217.36.230.125 1723 extendable
ip nat inside source static tcp 192.168.90.5 3389 217.36.230.125 3389 route-map SDM_RMAP_1 extendable
ip nat inside source static udp 192.168.90.6 4569 217.36.230.125 4569 route-map SDM_RMAP_1 extendable
ip nat inside source static tcp 192.168.90.4 8001 217.36.230.125 8001 route-map SDM_RMAP_1 extendable
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT extendable
!
access-list 23 permit 192.168.90.0 0.0.0.254
access-list 23 permit 192.168.91.0 0.0.0.254
access-list 100 deny   ip 192.168.90.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 100 permit ip 192.168.90.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.90.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 103 deny   ip 192.168.92.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 103 permit ip 192.168.92.0 0.0.0.255 any
access-list 104 deny   ip 192.168.9.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 104 permit ip 192.168.9.0 0.0.0.255 any
access-list 105 deny   icmp any any echo
access-list 105 permit ip any any
access-list 158 remark Trixbox
access-list 158 permit udp any any range 10001 20000
access-list 158 permit udp any any range 5060 5082
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
route-map SIP_NAT permit 10
 match ip address 158
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map SDM_RMAP_2 permit 1
 match ip address 103
!
route-map SDM_RMAP_3 permit 1
 match ip address 104

What happens now is that when I boot the router there is no VPN. If I remove:
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT extendable
clear ip nat trans
and add:
ip nat inside source static 192.168.90.6 217.36.230.125 route-map SIP_NAT extendable
everything works!

That is, until I reload.
LVL 15

Expert Comment

by:The_Warlock
ID: 37812075
In ref. to your "That is until I reload", are you talking about the device or a client?

Did you copy running-config startup-config?

Author Comment

by:smartit_richard
ID: 37812092
When I say reload, I would wr mem, then reload; this would reboot the 877. Once this is done it will not allow the VPN traffic until the rule is removed, the NAT table cleared and the rule re-added, almost like it loads the rules in the wrong order?

Author Comment

by:smartit_richard
ID: 37812129
OK, I've left the box running now for an hour and the traffic has stopped, this time without a reload, so I think this is a red herring. I feel there is an issue with the statement, as all the previous port forwards are PAT but I'm guessing the one I'm trying to add is NAT; this is obviously causing my nonat traffic to be NAT'd?
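To check offline which flows a NAT route-map's access list actually classifies as translatable (the same question deepdraw's `log` suggestion further down asks the router), here is an added example that is not from the thread: a small Python model of IOS wildcard-mask ACL matching, fed with ACL 100 and ACL 158 from the posted config and two constructed flows. ACL_158_WITH_NONAT, which puts ACL 100's own deny for the VPN subnet in front of the ACL 158 entries, is my assumption for comparison, not a verified fix.

```python
# Added example (not from the thread): a model of how an IOS NAT route-map ACL
# classifies flows. ACL 100 / ACL 158 are copied from the posted config;
# ACL_158_WITH_NONAT is a constructed variant (an assumption, not a verified fix).
from dataclasses import dataclass
from ipaddress import IPv4Address
ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any": wildcard 255.255.255.255
LAN = ("192.168.90.0", "0.0.0.255")   # local site
VPN = ("192.168.91.0", "0.0.0.255")   # remote site behind the tunnel

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int

def wildcard_match(addr, net_wc):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, *net_wc))
    return ((a ^ n) & ~w) == 0

def ace_matches(ace, flow):
    """ACE tuple: (action, proto, src, dst, (lo, hi) dest port range or None)."""
    _action, proto, src, dst, ports = ace
    if proto not in ("ip", flow.proto):
        return False
    if not (wildcard_match(flow.src, src) and wildcard_match(flow.dst, dst)):
        return False
    return ports is None or ports[0] <= flow.dport <= ports[1]

def route_map_translates(acl, flow):
    """First matching entry wins; permit = the route-map applies NAT to the flow.
    IOS access lists end with an implicit deny, so no match means no NAT."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace[0] == "permit"
    return False

ACL_100 = [("deny", "ip", LAN, VPN, None), ("permit", "ip", LAN, ANY, None)]  # SDM_RMAP_1
ACL_158 = [("permit", "udp", ANY, ANY, (10001, 20000)),                         # SIP_NAT
           ("permit", "udp", ANY, ANY, (5060, 5082))]
ACL_158_WITH_NONAT = [("deny", "udp", LAN, VPN, None)] + ACL_158  # constructed: ACL 100's deny first
# Constructed flows: SIP to an Internet provider, and RTP across the site-to-site tunnel.
INTERNET_SIP = Flow("udp", "192.168.90.6", "77.240.48.94", 5060)
TUNNEL_RTP = Flow("udp", "192.168.90.6", "192.168.91.3", 12000)

if __name__ == "__main__":
    for name, acl in (("ACL 100", ACL_100), ("ACL 158", ACL_158), ("ACL 158+deny", ACL_158_WITH_NONAT)):
        print(f"{name:13} internet SIP NAT: {route_map_translates(acl, INTERNET_SIP)}  "
              f"tunnel RTP NAT: {route_map_translates(acl, TUNNEL_RTP)}")
```

ACL 100 exempts the tunnel-bound flow from NAT; ACL 158 as posted matches it, so the route-map would translate RTP headed for the remote site.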
LVL 15

Expert Comment

by:The_Warlock
ID: 37812141
Not sure what version you are running:

Try issuing the 1 earlier in the command, like:

ip nat inside 1 source static 192.168.90.6 217.36.230.125 route-map SIP_NAT extendable

Author Comment

by:smartit_richard
ID: 37812199
That would not allow me to enter it; here is my version.

Cisco#sh ver
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Sat 20-Jun-09 02:20 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE

Cisco uptime is 1 hour, 48 minutes
System returned to ROM by reload
System image file is "flash:c870-advipservicesk9-mz.124-24.T1.bin"
Last reload reason: Reload Command
LVL 15

Expert Comment

by:The_Warlock
ID: 37812205
Change:

inside 1 source

to

inside source 1 static



My typo. Sorry

Author Comment

by:smartit_richard
ID: 37812224
Still will not allow the command; the 1 is highlighted as the error.

Author Comment

by:smartit_richard
ID: 37812373
Here is a copy of the sh ip nat trans:

Cisco#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 217.36.230.125:443 192.168.90.3:443   82.132.231.81:43807 82.132.231.81:43807
tcp 217.36.230.125:1723 192.168.90.3:1723 ---                ---
tcp 217.36.230.125:20679 192.168.90.3:20679 199.47.216.144:80 199.47.216.144:80
tcp 217.36.230.125:21368 192.168.90.3:21368 64.239.246.16:80 64.239.246.16:80
tcp 217.36.230.125:21376 192.168.90.3:21376 212.118.234.147:443 212.118.234.147:443
tcp 217.36.230.125:21377 192.168.90.3:21377 199.47.216.178:443 199.47.216.178:443
udp 217.36.230.125:56473 192.168.90.3:56473 208.67.222.222:53 208.67.222.222:53
udp 217.36.230.125:57016 192.168.90.3:57016 208.67.222.222:53 208.67.222.222:53
tcp 217.36.230.125:62116 192.168.90.4:62116 212.118.234.130:443 212.118.234.130:443
udp 217.36.230.125:59485 192.168.90.5:59485 208.67.222.222:53 208.67.222.222:53
udp 217.36.230.125:123 192.168.90.6:123   131.211.39.72:123  131.211.39.72:123
udp 217.36.230.125:123 192.168.90.6:123   198.137.202.16:123 198.137.202.16:123
udp 217.36.230.125:123 192.168.90.6:123   208.87.221.228:123 208.87.221.228:123
udp 217.36.230.125:500 192.168.90.6:500   82.3.230.204:500   82.3.230.204:500
udp 217.36.230.125:500 192.168.90.6:500   82.3.230.204:500   82.3.230.204:500
udp 217.36.230.125:4569 192.168.90.6:4569 192.168.91.3:4569  192.168.91.3:4569
udp 217.36.230.125:1024 192.168.90.6:5060 77.240.48.94:5060  77.240.48.94:5060
tcp 217.36.230.125:53494 192.168.90.12:53494 199.47.216.144:80 199.47.216.144:80
Pro Inside global      Inside local       Outside local      Outside global
tcp 217.36.230.125:53508 192.168.90.12:53508 212.118.234.138:443 212.118.234.138:443
tcp 217.36.230.125:53520 192.168.90.12:53520 107.20.250.7:443 107.20.250.7:443
tcp 217.36.230.125:33599 192.168.90.15:33599 173.192.219.157:5222 173.192.219.157:5222
tcp 217.36.230.125:47648 192.168.90.15:47648 217.12.4.46:80  217.12.4.46:80
tcp 217.36.230.125:52664 192.168.90.15:52664 173.194.78.188:5228 173.194.78.188:5228
tcp 217.36.230.125:60230 192.168.90.15:60230 74.125.230.132:80 74.125.230.132:80
tcp 217.36.230.125:25  192.168.90.3:25    ---                ---
tcp 217.36.230.125:443 192.168.90.3:443   ---                ---
tcp 217.36.230.125:3389 192.168.90.5:3389 ---                ---
tcp 217.36.230.125:8001 192.168.90.4:8001 ---                ---
--- 217.36.230.125     192.168.90.6       ---                ---
LVL 15

Expert Comment

by:deepdraw
ID: 37818453
Not that I have any idea as to why this does not work!
Why not try
access-list 158 permit udp any any range 10001 20000 log
access-list 158 permit udp any any range 5060 5082 log
and see if anything else is being caught by this.

Greg

Accepted Solution

by: smartit_richard (earned 0 total points)
ID: 37827850
Right, I have been forced to create an Excel spreadsheet and manually create one line per forward for each of the UDP ports I need. I have removed the NAT translation and now just rely on PAT, but seriously Cisco, this is not a big ask....

Author Closing Comment

by:smartit_richard
ID: 37847963
This was known beforehand; I was looking for a better solution to do this.