topic Re: 2921 router working example of a route-map - NEEDED in Routing and SD-WAN

2921 router working example of a route-map - NEEDED

clyde.a.huffman.ctr@mail.mil — Thu, 28 Mar 2019 14:29:51 GMT

Hi does anyone have an example of a route-map that works on a 2921? I have an issue with PAT and L3 tunnel that I'm hoping that route-map will help.

1) The L3 tunnel shows up at the distant end as the outside address instead of the private address.

2) The PAT blocks the inside address:port from working through the L3 tunnel.

Here is the L3 tunnel and the route-map that did not work 😕 Thanks for your help.

==================--------------===========================
================== route-map ===========================
==================--------------===========================

ip nat source static tcp 192.168.175.4 80 192.168.168.235 8888 route-map NONAT

access-list 177 deny ip host 192.168.175.4 192.168.177.0 0.0.0.255
access-list 177 permit ip host 192.168.175.4 any

route-map NONAT permit 10
match ip address 177

remotertr175(config)#ip nat source static tcp 192.168.175.4 80 192.168.168.235$
ip nat source static tcp 192.168.175.4 80 192.168.168.235 8888 route-map NONAT
^
% Invalid input detected at '^' marker.

remotertr175(config)#ip nat source static tcp 192.168.175.4 80 192.168.168.235 8888 ?
extendable Extend this translation when used
no-alias Do not create an alias for the global address
no-payload No translation of embedded address/port in the payload
vrf Specify vrf
<cr>

==================--------------===========================
================== IPSEC Tunnel ===========================
==================--------------===========================

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
crypto isakmp key firewallcx address 192.168.168.236
!
crypto map CMAP 76 ipsec-isakmp
set peer 192.168.168.236
set transform-set TS
match address VPN_TRAFFIC_176
!
ip route 192.168.176.0 255.255.255.0 192.168.168.236
ip access-list extended VPN_TRAFFIC_176
permit tcp 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255

Re: 2921 router working example of a route-map - NEEDED

Richard Burts — Thu, 28 Mar 2019 14:43:28 GMT

I am not clear what is going on here. But I believe that the immediate issue is that you are doing a static translation and trying to control it with a route map. But when you use on line help (the ?) it does not show an option for a route map or an access list when doing static translation. I have seen the access list or route map to control translation when it was dynamic translation but not for static translation.

As a side note there is a redundancy in the acl you are using to identify vpn traffic

permit tcp 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255

There is no need to identify tcp traffic if you are then going to permit all ip traffic for those addresses.

HTH

Rick

Re: 2921 router working example of a route-map - NEEDED

Jon Marshall — Thu, 28 Mar 2019 15:25:08 GMT

It's not clear exactly what you are trying to do but if you want to use a route map with a static NAT then you cannot use "ip nat source" you need to use "ip nat <inside|outside> source" syntax.

Jon

Re: 2921 router working example of a route-map - NEEDED

Georg Pauwen — Thu, 28 Mar 2019 15:19:04 GMT

Hello,

in addition to Richards's remarks, it would be useful to see the full configurations of both sides. Right now, it does not look like the NAT exclusion ACL and the crypto map ACL are mirrors of each other...

So if possible post the entire configs of both ends...

Re: 2921 router working example of a route-map - NEEDED

clyde.a.huffman.ctr@mail.mil — Thu, 28 Mar 2019 17:01:29 GMT

Hi Rick, OH 😕 That's why there is only a route map on a RTR as follows.

But why does the ipsec tunnel come out the other end with a SOURCE IP ADDRESS of the outside address instead of the originating private 192.168.176.x address?

FOLLOWS HERE

# ip nat source route-map ...

Then it does:

# ip nat source route-map MYRMAP interface

# ip nat source route-map MYRMAP pool

Re: 2921 router working example of a route-map - NEEDED

clyde.a.huffman.ctr@mail.mil — Thu, 28 Mar 2019 17:04:33 GMT

I had the redundancy in because I was going to lock it down to tcp only. But I never got this to work properly on the 2921 so I got it working on an ASA. So I guess that I'm stuck with an ASA, I prefer routers. ASA will not ping through a tunnel, it has to see "interesting" traffic before it brings up the tunnel 😕

Re: 2921 router working example of a route-map - NEEDED

clyde.a.huffman.ctr@mail.mil — Mon, 01 Apr 2019 17:23:57 GMT

Re: 2921 router working example of a route-map - NEEDED

clyde.a.huffman.ctr@mail.mil — Fri, 29 Mar 2019 12:57:00 GMT

Re: 2921 router working example of a route-map - NEEDED

Jon Marshall — Thu, 28 Mar 2019 18:25:07 GMT

Still not entirely sure what you are looking to do but have a look at this thread for an example of using a route map with a static NAT and a VPN tunnel -

https://community.cisco.com/t5/routing/ipsec-with-ip-nat-inside-source-static/td-p/2689248

there is no reason why it would not work on your router as far as I know.

Jon

Re: 2921 router working example of a route-map - NEEDED

Richard Burts — Thu, 28 Mar 2019 18:28:49 GMT

Perhaps I am not understanding correctly what you are saying here

ASA will not ping through a tunnel, it has to see "interesting" traffic before it brings up the tunnel 😕

It is a common behavior on both router and ASA that it needs to see "interesting" traffic to bring up the tunnel. Perhaps you are referring to the fact that the router has the ability to ping and to specify the source address of the ping?

HTH

Rick

Re: 2921 router working example of a route-map - NEEDED

Richard Burts — Thu, 28 Mar 2019 18:33:27 GMT

I am not clear about this statement

But why does the ipsec tunnel come out the other end with a SOURCE IP ADDRESS of the outside address instead of the originating private 192.168.176.x address?

My best guess at this point is that there is an issue at the other peer and it is doing address translation on the vpn traffic where the vpn traffic should be exempted from translation. Perhaps you could post from the remote peer the crypto map, the acl used to identify traffic for encryption, and any of the config for address translation?

HTH

Rick

Re: 2921 router working example of a route-map - NEEDED

clyde.a.huffman.ctr@mail.mil — Thu, 28 Mar 2019 20:25:08 GMT

Hi John,

I followed your example.

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map NO_NAT_192.168.177.0

route-map NO_NAT_192.168.177.0 deny 10
match ip address DENY_NAT_192.168.177.0

ip access-list extended DENY_NAT_192.168.177.0
deny ip 192.168.177.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.177.0 0.0.0.255

But I realized that what I'm doing is Port Mapping an http call from the outside external WAN address and translating it to an inside host address and port. Looks like route-map is only available for inside to outside. There is an "add-route" for outside to inside.

So at first I tried this: ==========================================

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map NO_NAT_192.168.177.0

route-map NO_NAT_192.168.177.0 deny 10
match ip address DENY_NAT_192.168.177.0

ip access-list extended DENY_NAT_192.168.177.0
deny ip 192.168.177.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.177.0 0.0.0.255

Realized my mistake and tried this: ====================================

remotertr175(config)# ip nat outside source static tcp 192.168.175.177 80 192.168.168.235 8888 route-map NO_NAT_192.168.177.0 ?
% Unrecognized command

remotertr175(config)#$ ip nat outside source static tcp 192.168.175.177 80 192.168.168.235 8888 ?
add-route Add a static route for outside local address
extendable Extend this translation when used
no-alias Do not create an alias for the local address
no-payload No translation of embedded address/port in the payload
redundancy NAT redundancy operation
vrf Specify vrf
<cr>

remotertr175(config)#ip nat outside source static tcp 192.168.175.177 80 192.$

Re: 2921 router working example of a route-map - NEEDED

Jon Marshall — Fri, 29 Mar 2019 09:50:26 GMT

Static NAT works in both directions so if the inside IP is 192.168.175.3 and the outside IP is 192.168.168.235 then "ip nat inside" is the correct syntax.

Note the above IPs would be the destination IPs in the packet ie. the destination IP on the outside would be 192.168.168.235 port 8888 and you would be translating this to the destination IP on the inside of 192.168.175.3 port 80.

Jon

Re: 2921 router working example of a route-map - NEEDED

clyde.a.huffman.ctr@mail.mil — Fri, 29 Mar 2019 15:34:19 GMT

I gave it my best shot and it did not work, there are no hits through the NAT at port 8888 from an outside PC showing in a tcpdump on the http server at 192.168.175.3. Here is the NAT. There must be something wrong with the NAT....

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map NO_NAT_192.168.176.0

route-map NO_NAT_192.168.176.0 deny 10
match ip address DENY_NAT_192.168.176.0

ip access-list extended DENY_NAT_192.168.176.0
deny ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.2

Here is a tcpdump through the tunnel to 192.168.175.3 80 from 192.168.176.4

root@studio1:/home/vbox# tcpdump -n | grep 192.168.176
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s31f6, link-type EN10MB (Ethernet), capture size 262144 bytes
10:43:33.948698 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [S], seq 1417375719, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
10:43:33.948766 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [S.], seq 427422819, ack 1417375720, win 28120, options [mss 1406,nop,nop,sackOK,nop,wscale 7], length 0
10:43:33.949914 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 1, win 16520, length 0
10:43:33.950376 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [P.], seq 1:455, ack 1, win 16520, length 454: HTTP: GET / HTTP/1.1
10:43:33.950469 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], ack 455, win 229, length 0
10:43:33.953324 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], seq 1:1407, ack 455, win 229, length 1406: HTTP: HTTP/1.1 200 OK
10:43:33.953337 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], seq 1407:2813, ack 455, win 229, length 1406: HTTP
10:43:33.953341 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [P.], seq 2813:3478, ack 455, win 229, length 665: HTTP
10:43:33.957883 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 3478, win 16520, length 0
10:43:33.970768 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [P.], seq 455:866, ack 3478, win 16520, length 411: HTTP: GET /icons/ubuntu-logo.png HTTP/1.1
10:43:33.971458 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [P.], seq 3478:3658, ack 866, win 237, length 180: HTTP: HTTP/1.1 304 Not Modified
10:43:34.171807 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 3658, win 16475, length 0
10:43:38.958501 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [F.], seq 3658, ack 866, win 237, length 0
10:43:38.959965 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 3659, win 16475, length 0
10:43:38.960024 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [F.], seq 866, ack 3659, win 16475, length 0
10:43:38.960051 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], ack 867, win 237, length 0

--------------------------================================----------------------------

Point of interest, I had a relic L3 tunnel setup on the 2921 for 192.168.172.0 and noticed that "cry ipsec sa" was showing something up - I happened to reuse 192.168.172.0 on an ASA 5520 which is also connect to the "outside" switch. So I put in the mirror L3 tunnel on the ASA and guess what? The tunnel is up (after I added the route statement :-)).

Sorry still looking into this....

--------------------------================================----------------------------

Re: 2921 router working example of a route-map - NEEDED

Richard Burts — Fri, 29 Mar 2019 15:35:33 GMT

I believe that there are 2 issues with the route map and acl as you have posted them

route-map NO_NAT_192.168.176.0 deny 10
match ip address DENY_NAT_192.168.176.0

ip access-list extended DENY_NAT_192.168.176.0
deny ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.2

The first issue is that your route map statement is a deny and the acl that it references is also deny statements. If the route map statement is a deny then the acl statements must be permit if the traffic is not to be translated.

The second issue is that the route map is not permitting any traffic. Seems to me that after denying what should not be translated there should be something to permit and translate other traffic.

HTH

Rick

Re: 2921 router working example of a route-map - NEEDED

clyde.a.huffman.ctr@mail.mil — Mon, 01 Apr 2019 14:48:43 GMT

This may give some insight into why the 5520 works and the 2921 doesn't.

Here is an IPSEC tunnel between a ASA 5520 and RTR 2921. Note how the 2921 comes out of the tunnel with the outside address, but the 5520 uses the inside addresses. Attached are the configurations.

MY GUESS IS THAT ENCRYPTION IS NOT BEING DONE!!!!!

----------------------------================================------------------------------
SESSION 1 is the ASA ((GOOD)) pinging the RTR through the L3 tunnel. Note that the RTR outside WAN interface is used.
----------------------========================================------------------------------------
SESSION 11111111111111111111111111111 LOOK AT BOTH SIDES 111111111111111111111111111111111111111
INITIATE FROM PC 192.168.172.6 on ASA 5520 FIREWALL (inside 192.168.172.1 outside 192.168.168.232)
- to PC 192.168.175.3 on RTR 2921 (inside 192.168.175.1 outside 192.168.168.235)

[root@drupal ahuffman]# ip addr | grep 192
inet 192.168.172.6/24 brd 192.168.172.255 scope global p1p1
[root@drupal ahuffman]#

[root@drupal ahuffman]# ping 192.168.175.3
PING 192.168.175.3 (192.168.175.3) 56(84) bytes of data.
64 bytes from 192.168.168.235: icmp_seq=1 ttl=63 time=1.55 ms <-----------------look at WAN address
64 bytes from 192.168.168.235: icmp_seq=2 ttl=63 time=1.22 ms
64 bytes from 192.168.168.235: icmp_seq=3 ttl=63 time=1.24 ms
64 bytes from 192.168.168.235: icmp_seq=4 ttl=63 time=1.23 ms
64 bytes from 192.168.168.235: icmp_seq=5 ttl=63 time=1.22 ms
64 bytes from 192.168.168.235: icmp_seq=6 ttl=63 time=1.27 ms
64 bytes from 192.168.168.235: icmp_seq=7 ttl=63 time=1.25 ms
64 bytes from 192.168.168.235: icmp_seq=8 ttl=63 time=1.23 ms
64 bytes from 192.168.168.235: icmp_seq=9 ttl=63 time=1.30 ms
^C
--- 192.168.175.3 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8431ms
rtt min/avg/max/mdev = 1.225/1.283/1.554/0.109 ms

[root@drupal ahuffman]# tcpdump -i p1p1 | grep ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p1p1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:12:56.790530 IP 192.168.172.6 > 192.168.175.3: ICMP echo request, id 4727, seq 77, length 64
12:12:56.791760 IP 192.168.168.235 > 192.168.172.6: ICMP echo reply, id 4727, seq 77, length 64
12:12:57.792034 IP 192.168.172.6 > 192.168.175.3: ICMP echo request, id 4727, seq 78, length 64
12:12:57.793236 IP 192.168.168.235 > 192.168.172.6: ICMP echo reply, id 4727, seq 78, length 64
12:12:58.793594 IP 192.168.172.6 > 192.168.175.3: ICMP echo request, id 4727, seq 79, length 64
12:12:58.794818 IP 192.168.168.235 > 192.168.172.6: ICMP echo reply, id 4727, seq 79, length 64
^C72 packets captured
1163 packets received by filter
1066 packets dropped by kernel

[root@drupal ahuffman]#

----------------------========================================------------------------------------
SESSION 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

INCOMING FROM PC 192.168.172.6 on ASA 5520 FIREWALL (inside 192.168.172.1 outside 192.168.168.232)
- to PC 192.168.175.3 on RTR 2921 (inside 192.168.175.1 outside 192.168.168.235)

vmuser@studio1:~$ ip addr | grep 192
inet 192.168.175.3/24 brd 192.168.175.255 scope global dynamic noprefixroute enp0s31f6
vmuser@studio1:~$

root@studio1:/home/vbox# tcpdump -n | grep ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s31f6, link-type EN10MB (Ethernet), capture size 262144 bytes
12:44:57.215052 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 1, length 64
12:44:57.215108 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 1, length 64
12:44:58.216693 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 2, length 64
12:44:58.216750 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 2, length 64
12:44:59.218147 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 3, length 64
12:44:59.218203 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 3, length 64
12:45:00.219657 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 4, length 64
12:45:00.219714 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 4, length 64
12:45:01.221156 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 5, length 64
12:45:01.221214 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 5, length 64
12:45:02.222635 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 6, length 64
12:45:02.222692 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 6, length 64
12:45:03.224095 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 7, length 64
12:45:03.224152 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 7, length 64

----------------------------================================------------------------------
SESSION 2 is the RTR (((BAD))) pinging the ASA through the L3 tunnel. Note that the inside LAN address are used.
----------------------------================================------------------------------
SESSION 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222
INITIATE FROM PC 192.168.175.3 on RTR 2921 (inside 192.168.175.1 outside 192.168.168.235)
- to PC 192.168.172.6 on ASA 5520 FIREWALL (inside 192.168.172.1 outside 192.168.168.232)

vmuser@studio1:~$
vmuser@studio1:~$ ip addr | grep 192
inet 192.168.175.3/24 brd 192.168.175.255 scope global dynamic noprefixroute enp0s31f6
vmuser@studio1:~$

vmuser@studio1:~$ ping 192.168.172.6
PING 192.168.172.6 (192.168.172.6) 56(84) bytes of data.
^C
--- 192.168.172.6 ping statistics ---
18 packets transmitted, 0 received, 100% packet loss, time 17405ms

vmuser@studio1:~$

root@studio1:/home/vbox# tcpdump -n | grep ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s31f6, link-type EN10MB (Ethernet), capture size 262144 bytes
12:57:03.864477 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 1, length 64
12:57:04.886071 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 2, length 64
12:57:05.910217 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 3, length 64
12:57:06.934276 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 4, length 64
12:57:07.958236 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 5, length 64
12:57:08.982241 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 6, length 64
12:57:10.006328 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 7, length 64
12:57:11.030221 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 8, length 64
12:57:12.054251 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 9, length 64
12:57:13.078289 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 10, length 64
12:57:14.101992 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 11, length 64
12:57:15.126255 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 12, length 64
12:57:16.150038 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 13, length 64
12:57:17.174260 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 14, length 64
12:57:18.198236 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 15, length 64
12:57:19.222293 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 16, length 64

----------------------------================================------------------------------
SESSION 3 #sh cry ipsec sa - on ASA and RTR - NOTE THAT THERE ARE NO encaps decaps SHOWING
----------------------------================================------------------------------
SESSION 33333333333333333333333333333333333333333333333333333333333333333333333333333333333333

ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA

allan@allandesk ~ $ ssh cisco@192.168.168.232
cisco@192.168.168.232's password:
Type help or '?' for a list of available commands.
asa172-232> en
Password: ********
asa172-232# sh cry ip
asa172-232# sh cry ipsec sa

There are no ipsec sas
asa172-232#

RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR

allan@allandesk ~ $ ssh cisco@192.168.168.235
Password:

remotertr175>en
Password:
remotertr175#sh cry ip
remotertr175#sh cry ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: CMAP, local addr 192.168.168.235

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.172.0/255.255.255.0/0/0)
current_peer 192.168.168.232 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.168.235, remote crypto endpt.: 192.168.168.232
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (192.168.172.0/255.255.255.0/6/0)
current_peer 192.168.168.232 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

Re: 2921 router working example of a route-map - NEEDED

clyde.a.huffman.ctr@mail.mil — Fri, 29 Mar 2019 20:17:37 GMT

Thanks Rick, I'll work on this Monday.

Did you see the cool stuff from connecting the 2921 to the 5520? I never though that it would even connect. Not to say that it is actually encrypted...

remotertr175#sh ip nat nvi translations ver
Pro Source global Source local Destin local Destin global
tcp 192.168.168.235:888 192.168.174.66:80 --- --- <---------------is 8888 truncated?
create 08:14:50, use 00:22:08 timeout:0,
flags:

LOOKS TO ME LIKE inside AND outside ARE MIXED UP ?????

remotertr175#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 192.168.168.235:8888 192.168.175.3:80 -- ---
remotertr175#

Re: 2921 router working example of a route-map - NEEDED

Richard Burts — Sat, 30 Mar 2019 12:00:19 GMT

I have not yet looked at the configs (and will do that later). But want to comment on the output that you post here. It is interesting and unexpected.

- ping from PC connected to ASA to PC connected to router is successful. (sends requests, receives responses)

- ping from PC connected to ASA sees request with source and destination as the PC addresses, but sees responses with source address as the translated address of the router. PC connected to router sees the incoming request with source address as the translated address from the ASA. So the ASA is translating the source address of the outgoing request, and the router is translating the source address of the outgoing response.

- ping from PC connected to router to PC connected to ASA fails. (sends requests, receives no responses)

- the ASA does not show any negotiated ipsec sa. The router does show a negotiated ipsec sa. But there are no encaps and no decaps.

- so the ping traffic is not being encrypted. And it works in only one direction.

More later.

HTH

Rick

Re: 2921 router working example of a route-map - NEEDED

Richard Burts — Sat, 30 Mar 2019 17:09:52 GMT

I am not sure what is going on. But the posted configs do not match what is described. Your output describes an ASA with inside address 192.168.172.1 and outside address 192.168.168.232. The posted config for ASA has inside address 192.168.168.233 and outside address 68.106.145.92.

HTH

Rick

Re: 2921 router working example of a route-map - NEEDED

clyde.a.huffman.ctr@mail.mil — Mon, 01 Apr 2019 15:30:30 GMT

I tried to do just the opposite just to get the route-map to work. It never opens the port 8888 on the outside interface?

I put a "deny ip any any" at the end just in case. Still does not work.... but I can access 192.168.175.3 80 through the L3 tunnel.... :-0

CORRECTION wildcard instead of netmask ---------------opposite----------BUT STILL DOES NOT WORK

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map TEST_NAT_192.168.176.0 extendable

route-map TEST_NAT_192.168.176.0 permit 11
match ip address PERMIT_NAT_192.168.176.0

ip access-list extended PERMIT_NAT_192.168.176.0
permit ip 192.168.168.0 0.0.0.255 host 192.168.175.3