topic Re: Cisco 867VAE NAT overload and static internet issues in Routing and SD-WAN

Cisco 867VAE NAT overload and static internet issues

sidp — Thu, 04 Jun 2020 09:42:41 GMT

I have a Cisco 867VAE with an IPsec to my Cisco ASA. Because the network (192.168.10.0/24) is already used on my site (ASA) I have to NAT the entire network to 172.19.66.0/24 for the communication through the ipsec.

As soon as I add the static NAT 192.168.10.0/24 can not reach the internet anymore, in return the communication through the ipsec works.

...
ip nat inside source list 180 interface GigabitEthernet2 overload
ip nat inside source static network 192.168.10.0 172.19.66.0 /24 no-alias
...
access-list 180 deny   ip 192.168.10.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 180 deny   ip 172.19.66.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 180 deny   ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 deny   ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
access-list 180 permit ip 172.19.66.0 0.0.0.255 any
...

I'm also not sure which network i have to list in acl 180 and did some tests....

Any idea or advice?

Re: Cisco 867VAE NAT overload and static internet issues

Georg Pauwen — Thu, 04 Jun 2020 10:07:14 GMT

Hello,

what traffic is defined in your encryption domain ? Post the full running configuration of your router (show run)...

Re: Cisco 867VAE NAT overload and static internet issues

paul driver — Thu, 04 Jun 2020 10:37:30 GMT

Hello

@sidp wrote:

As soon as I add the static NAT 192.168.10.0/24 can not reach the internet anymore, in return the communication through the ipsec works.

ip nat inside source static network 192.168.10.0 172.19.66.0 /24 no-alias

Looks like you have negated the rtr from creating arp entries for the translated addressing plus you wouldn’t want static nat performing this fr the whole subnet.
As suggested can you post the running-configuration of the rtr into a file and attach it to your post.

Re: Cisco 867VAE NAT overload and static internet issues

sidp — Thu, 04 Jun 2020 11:22:53 GMT

no parser cache
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname RO01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
enable secret 5 **************
!
aaa new-model
!
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local 
!
aaa session-id common
wan mode ethernet
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
ip dhcp excluded-address 192.168.10.255
ip dhcp excluded-address 192.168.10.0 192.168.10.150
!
ip dhcp pool VRMLAN_EXAMPLE
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1 
 ip name-server 8.8.8.8
 ip name-server 8.8.4.4
 lease 0 2
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 1100
ip inspect one-minute low 1100
ip inspect one-minute high 1100
ip inspect name INTERNET ftp
ip inspect name INTERNET tftp
ip inspect name INTERNET tcp
ip inspect name INTERNET udp
ip inspect name INTERNET realaudio
ip inspect name INTERNET icmp
ip inspect name INTERNET rtsp
ip inspect name INTERNET vdolive
ip inspect name INTERNET dns
no ip bootp server
ip domain lookup source-interface Vlan200
ip domain name example.local
ip name-server 1.1.1.1
ip cef
no ipv6 cef
!
vpdn enable
!
username cisco privilege 15 secret 5 **************
!
controller VDSL 0
 shutdown
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ************** address 148.133.208.5    no-xauth
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group VPN_EXAMPLE
 key *****************************
 dns 172.19.66.1
 pool ippool
 acl 190
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set AES256_S2S esp-aes 256 esp-sha-hmac 
 mode tunnel
!
crypto dynamic-map vpn-dynamic 10
 description *** VPN-Clients ***
 set security-association lifetime seconds 43200
 set transform-set AES256 
!
crypto map IPSECMAP client authentication list userauthen
crypto map IPSECMAP isakmp authorization list groupauthor
crypto map IPSECMAP client configuration address respond
crypto map IPSECMAP 10 ipsec-isakmp 
 description *** S2S
 set peer 148.133.208.5
 set security-association lifetime seconds 28800
 set transform-set AES256_S2S 
 match address 191
 qos pre-classify
crypto map IPSECMAP 65000 ipsec-isakmp dynamic vpn-dynamic 
!
interface ATM0
 description *** ADSL-Interface
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 description *** VDSL-Interface
 no ip address
 shutdown
!
interface FastEthernet0
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet0
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet1
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet2
 description *** WAN
 ip address 172.31.255.6 255.255.255.252
 ip access-group 151 in
 ip inspect INTERNET out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map IPSECMAP
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan200
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1200
 hold-queue 100 out
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 180 interface GigabitEthernet2 overload
ip route 0.0.0.0 0.0.0.0 172.31.255.5
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip ssh source-interface Vlan200
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
snmp-server enable traps tty
access-list 1 permit 148.133.208.0 0.0.0.15
access-list 1 remark *** SSH
access-list 1 permit 172.19.66.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 151 remark *** INTERNET -> ROUTER (CBAC)
access-list 151 remark *** IPSec -> Router
access-list 151 permit esp any host 172.31.255.6
access-list 151 permit udp any host 172.31.255.6 eq isakmp
access-list 151 permit udp any host 172.31.255.6 eq non500-isakmp
access-list 151 permit ip 10.199.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 151 remark *** NTP
access-list 151 permit udp host 130.149.17.21 eq ntp any eq ntp
access-list 151 permit udp host 8.8.8.8 eq domain any
access-list 151 permit udp host 8.8.4.4 eq domain any
access-list 151 remark *** ICMP
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any administratively-prohibited
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any echo
access-list 151 permit icmp any any echo-reply
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any packet-too-big
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any time-exceeded
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any traceroute
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any unreachable
access-list 151 remark *** SSH
access-list 151 permit tcp 148.133.208.0 0.0.0.15 host 172.31.255.6 eq 22
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any administratively-prohibited
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any echo
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any packet-too-big
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any time-exceeded
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any traceroute
access-list 151 permit icmp 148.133.208.0 0.0.0.15 any unreachable
access-list 151 permit tcp 148.133.208.0 0.0.0.15 host 172.31.255.6 eq 22
access-list 151 deny   ip any any log
access-list 180 deny   ip 192.168.10.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 180 deny   ip 172.19.66.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 180 deny   ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 deny   ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
access-list 180 permit ip 172.19.66.0 0.0.0.255 any
access-list 190 deny   ip 172.19.66.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 191 permit ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
!
line con 0
 location *** Serial
 exec-timeout 30 0
 logging synchronous
 login authentication vty-con
 no modem enable
 history size 30
 stopbits 1
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 location *** SSH
 access-class 1 in
 exec-timeout 30 0
 login authentication vty-con
 history size 30
 transport input ssh
!
scheduler allocate 60000 1000
sntp server 130.149.17.21
sntp broadcast client
!
end

Re: Cisco 867VAE NAT overload and static internet issues

Georg Pauwen — Thu, 04 Jun 2020 11:47:33 GMT

Hello,

change your access list 180 to the one below, so it contains only two lines:

access-list 180 deny ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip 172.19.66.0 0.0.0.255 any

Re: Cisco 867VAE NAT overload and static internet issues

sidp — Thu, 04 Jun 2020 11:55:38 GMT

Changed it but still the same problem.

RO01#sh ip access-lists 180
Extended IP access list 180
10 deny ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
20 permit ip 172.19.66.0 0.0.0.255 any

Re: Cisco 867VAE NAT overload and static internet issues

Georg Pauwen — Thu, 04 Jun 2020 12:27:33 GMT

Hello,

your crypto peer is:

set peer 148.133.208.5

How is your Cisco router connected ? I assume there is another device ?

Re: Cisco 867VAE NAT overload and static internet issues

sidp — Thu, 04 Jun 2020 12:32:44 GMT

Yes there is an other device from the provider. It is in PPPoE passthrough mode, without any firewall on it.

Re: Cisco 867VAE NAT overload and static internet issues

Georg Pauwen — Thu, 04 Jun 2020 13:37:56 GMT

Hello,

remove access list 151 from the external interface and check the results:

interface GigabitEthernet2
description *** WAN
ip address 172.31.255.6 255.255.255.252
--> no ip access-group 151 in
ip inspect INTERNET out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map IPSECMAP

Re: Cisco 867VAE NAT overload and static internet issues

sidp — Thu, 04 Jun 2020 14:14:46 GMT

still the same problem

Re: Cisco 867VAE NAT overload and static internet issues

Georg Pauwen — Thu, 04 Jun 2020 15:00:59 GMT

Hello,

strip the entire configuration down to the bare bone essentials as below:

no parser cache
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname RO01
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
enable secret 5 **************
!
aaa new-model
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local
!
aaa session-id common
wan mode ethernet
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
ip dhcp excluded-address 192.168.10.255
ip dhcp excluded-address 192.168.10.0 192.168.10.150
!
ip dhcp pool VRMLAN_EXAMPLE
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
ip name-server 8.8.8.8
ip name-server 8.8.4.4
lease 0 2
!
no ip bootp server
ip domain lookup source-interface Vlan200
ip domain name example.local
ip name-server 1.1.1.1
ip cef
no ipv6 cef
!
vpdn enable
!
username cisco privilege 15 secret 5 **************
!
controller VDSL 0
shutdown
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ************** address 148.133.208.5 no-xauth
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group VPN_EXAMPLE
key *****************************
dns 172.19.66.1
pool ippool
acl 190
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set AES256_S2S esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto dynamic-map vpn-dynamic 10
description *** VPN-Clients ***
set security-association lifetime seconds 43200
set transform-set AES256
!
crypto map IPSECMAP client authentication list userauthen
crypto map IPSECMAP isakmp authorization list groupauthor
crypto map IPSECMAP client configuration address respond
crypto map IPSECMAP 10 ipsec-isakmp
description *** S2S
set peer 148.133.208.5
set security-association lifetime seconds 28800
set transform-set AES256_S2S
match address 191
qos pre-classify
crypto map IPSECMAP 65000 ipsec-isakmp dynamic vpn-dynamic
!
interface ATM0
description *** ADSL-Interface
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description *** VDSL-Interface
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface GigabitEthernet0
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
description *** WAN
ip address 172.31.255.6 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map IPSECMAP
!
interface Vlan1
no ip address
shutdown
!
interface Vlan200
ip address 192.168.10.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1200
hold-queue 100 out
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 180 interface GigabitEthernet2 overload
ip route 0.0.0.0 0.0.0.0 172.31.255.5
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip ssh source-interface Vlan200
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
snmp-server enable traps tty
access-list 1 permit 148.133.208.0 0.0.0.15
access-list 1 remark *** SSH
access-list 1 permit 172.19.66.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 180 deny ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip any any
access-list 191 permit ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
!
line con 0
location *** Serial
exec-timeout 30 0
logging synchronous
login authentication vty-con
no modem enable
history size 30
stopbits 1
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
location *** SSH
access-class 1 in
exec-timeout 30 0
login authentication vty-con
history size 30
transport input ssh
!
scheduler allocate 60000 1000
sntp server 130.149.17.21
sntp broadcast client
!
end

Re: Cisco 867VAE NAT overload and static internet issues

Georg Pauwen — Thu, 04 Jun 2020 15:03:36 GMT

Actually, first, try to change the access lists to:

access-list 180 deny ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 deny ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip 172.19.66.0 0.0.0.255 any
access-list 191 permit ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 191 permit ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255

Re: Cisco 867VAE NAT overload and static internet issues

sidp — Mon, 08 Jun 2020 08:36:52 GMT

They are doing maintenance atm. ... I will try it as soon as the router is online and give you the feedback.

Re: Cisco 867VAE NAT overload and static internet issues

sidp — Mon, 06 Jul 2020 13:56:14 GMT

Sorry, I forgot to post an update. I was not able to do two "ip nat inside" for the whole network without a route-map which Cisco 867 isn't supporting. I finally did the following.

access-list 181 permit ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
! 
route-map VPN_NAT permit 10
 match ip address 181
!
ip nat inside source static 192.168.10.1 172.19.66.1 route-map VPN_NAT
ip nat inside source static 192.168.10.100 172.19.66.100 route-map VPN_NAT
ip nat inside source static 192.168.10.102 172.19.66.102 route-map VPN_NAT
ip nat inside source static 192.168.10.104 172.19.66.104 route-map VPN_NAT
ip nat inside source static 192.168.10.106 172.19.66.106 route-map VPN_NAT
ip nat inside source static 192.168.10.108 172.19.66.108 route-map VPN_NAT
ip nat inside source static 192.168.10.110 172.19.66.110 route-map VPN_NAT
ip nat inside source static 192.168.10.112 172.19.66.112 route-map VPN_NAT
ip nat inside source static 192.168.10.114 172.19.66.114 route-map VPN_NAT
ip nat inside source static 192.168.10.115 172.19.66.115 route-map VPN_NAT
ip nat inside source static 192.168.10.116 172.19.66.116 route-map VPN_NAT
ip nat inside source static 192.168.10.120 172.19.66.120 route-map VPN_NAT
!
access-list 180 deny   ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
!
ip nat inside source list 180 interface GigabitEthernet2 overload