Solved

Policy Nat Cisco router

Posted on 2014-04-24
639 Views
Last Modified: 2014-06-30
Need some help, setting up site-to-site VPN, ASA on one side and a Cisco 891 on my side.

The other side of the VPN requires that I NAT our inside address range to a single public IP that will be allowed on the VPN as our encryption domain.

The remote IP address that I need to communicate with over the tunnel is xxx.xxx.xxx.151. The local private address range is xxx.xxx.251.0/24 and the public IP that I am trying to NAT these inside addresses to is xxx.xxx.xxx.117.

Here is the basic setup:

ip nat pool test xxx.xxx.xxx.117 xxx.xxx.xxx.117 netmask 255.255.255.0

ip nat inside source route-map test pool test overload

route-map test permit 10
 match ip address 146

access-list 146 permit ip xxx.xxx.251.0 0.0.0.255 host xxx.xxx.xxx.151

crypto map VPN 1 ipsec-isakmp
 description Tunnel to test
 set peer xxx.xxx.xxx.150
 set transform-set aes-sha
 match address 145

access-list 145 permit ip host xxx.xxx.xxx.117 host xxx.xxx.xxx.151

Access list for the regular NAT overload to the internet, with deny statements for the traffic that goes across the VPN:

access-list 100 deny   ip xxx.xxx.251.0 0.0.0.255 host xxx.xxx.xxx.151
access-list 100 deny   ip xxx.xxx.xxx.0 0.0.0.255 host xxx.xxx.xxx.151
access-list 100 deny   ip  xxx.xxx.251.0 0.0.0.255  xxx.xxx.xxx.0 0.0.0.255
access-list 100 deny   ip  xxx.xxx.251.0 0.0.0.255  xxx.xxx.xxx.0 0.0.0.255
access-list 100 deny   ip  xxx.xxx.251.0 0.0.0.255  xxx.xxx.xxx.0 0.0.0.255
access-list 100 deny   ip  xxx.xxx.251.0 0.0.0.255  xxx.xxx.xxx.0 0.0.0.255
access-list 100 deny   ip  xxx.xxx.251.0 0.0.0.255  xxx.xxx.xxx.0 0.0.0.255
access-list 100 permit ip xxx.xxx.251.0 0.0.0.255 any

When I try a ping to the remote host on the VPN (xxx.xxx.xxx.151) the local address that I ping from on the xxx.xxx.251.0 network is supposed to NAT to the xxx.xxx.xxx.117 address which is what is allowed across the VPN.

However, when I look at the NAT translations, I don't see any translation between the inside local address of the device I ping from and the .117 public address.

Any help or suggestions would be helpful.
Question by:keagle79
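The configuration in the question relies on an ordering that is easy to lose sight of: for an inside-to-outside packet, IOS applies inside-source NAT first and only then consults the crypto map, so the crypto ACL (145) must match the translated source (.117), while the policy-NAT ACL (146) and the overload ACL (100) match the untranslated inside source. The following Python simulation is an added example, not part of the original question or of any Cisco product; it models that evaluation order with first-match ACLs and Cisco wildcard-mask semantics, using constructed placeholder addresses in place of the post's redacted xxx.xxx values. The `nat_inside_ok` flag is a hypothetical switch that stands in for "ip nat inside / ip nat outside" being present on the right interfaces.

```python
"""Constructed simulation of how the question's policy NAT + crypto map interact.

Added example, not taken from the original post. All addresses are placeholders
chosen to mirror the redacted xxx.xxx values in the question.
"""
import ipaddress

# Hypothetical un-redacted values standing in for the post's xxx.xxx placeholders.
INSIDE_NET = "10.1.251.0"          # local private range (xxx.xxx.251.0/24)
NAT_PUBLIC = "203.0.113.117"       # public IP used as the encryption domain (.117)
REMOTE_HOST = "198.51.100.151"     # remote host across the tunnel (.151)
OVERLOAD_IP = "203.0.113.1"        # constructed: the regular internet overload address


def wildcard_match(addr, network, wildcard):
    """Cisco ACL semantics: wildcard bits set to 1 are 'don't care' bits."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


def ace_match(ace, src, dst):
    """One access-control entry: (action, src_net, src_wc, dst_net, dst_wc)."""
    _action, snet, swc, dnet, dwc = ace
    return wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc)


def acl_lookup(acl, src, dst):
    """First match wins; an IOS extended ACL ends with an implicit deny."""
    for ace in acl:
        if ace_match(ace, src, dst):
            return ace[0]
    return "deny"


# access-list 146: policy-NAT match, untranslated inside source -> remote host
ACL_146 = [("permit", INSIDE_NET, "0.0.0.255", REMOTE_HOST, "0.0.0.0")]
# access-list 145: crypto ACL, only the translated (.117) source is interesting
ACL_145 = [("permit", NAT_PUBLIC, "0.0.0.0", REMOTE_HOST, "0.0.0.0")]
# access-list 100: general internet overload, with the VPN destination denied
ACL_100 = [("deny", INSIDE_NET, "0.0.0.255", REMOTE_HOST, "0.0.0.0"),
           ("permit", INSIDE_NET, "0.0.0.255", "0.0.0.0", "255.255.255.255")]


def forward_inside_to_outside(src, dst, nat_inside_ok=True):
    """Return (source_after_nat, disposition) for an inside->outside packet.

    Modeled order: inside-source NAT runs before the crypto map is checked,
    so the crypto ACL sees the translated source address.
    """
    if not nat_inside_ok:
        # 'ip nat inside'/'ip nat outside' missing on an interface: no translation at all
        translated = src
    elif acl_lookup(ACL_146, src, dst) == "permit":
        translated = NAT_PUBLIC      # route-map 'test' -> pool 'test' (.117)
    elif acl_lookup(ACL_100, src, dst) == "permit":
        translated = OVERLOAD_IP     # regular internet overload
    else:
        translated = src
    disposition = "encrypt" if acl_lookup(ACL_145, translated, dst) == "permit" else "cleartext"
    return translated, disposition


if __name__ == "__main__":
    # Expected: ('203.0.113.117', 'encrypt') -> the tunnel would be brought up
    print(forward_inside_to_outside("10.1.251.10", REMOTE_HOST))
    # Expected: ('10.1.251.10', 'cleartext') -> the symptom in the question
    print(forward_inside_to_outside("10.1.251.10", REMOTE_HOST, nat_inside_ok=False))
```

The second call shows why a missing translation is enough to keep the tunnel down: with the source left as the inside address, access-list 145 never matches, so the crypto map is never triggered and no IKE negotiation starts. Checking that the policy-NAT ACL is getting hits, as suggested in the thread, is the same observation made on the router itself.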
6 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 40022624
The biggest cause of problems like this that I've encountered is typos.  Double check every line to make sure the IP addresses are correct.

Next, do a show access-list 150 and see if you're getting hits on the access list.
 

Author Comment

by:keagle79
ID: 40023123
That's just it: when I try to ping the address on the remote side of the tunnel and look at the access list for the NAT pool, there are no hits.

The router never tries to NAT the inside address to the .117 address in the NAT pool.  Therefore the router never even tries to bring up the VPN tunnel.  I have set this up on other 800 series routers, but for some reason this 891 router doesn't seem to understand what to do.
 
LVL 28

Expert Comment

by:asavener
ID: 40023419
Do you have ip nat inside and ip nat outside applied to the correct interfaces?
 
LVL 28

Expert Comment

by:asavener
ID: 40023435
Also, try running "clear ip nat translations *".
 

Author Comment

by:keagle79
ID: 40023448
Regular NAT is working fine for internet traffic; the problem is only when I try to policy NAT the specific VPN traffic to the .117 public address.
 
LVL 28

Accepted Solution

by:asavener (earned 500 total points)
ID: 40023465
Try clearing the nat translations.  Also, sometimes removing and re-adding the nat commands at the interface level can fix weird little quirks like this.

Both those steps can be done with minimal impact.