2921 router working example of a route-map - NEEDED

Hi, does anyone have an example of a route-map that works on a 2921?  I have an issue with PAT and an L3 tunnel that I'm hoping a route-map will help with.

1) The L3 tunnel shows up at the distant end as the outside address instead of the private address.

2) The PAT blocks the inside address:port from working  through the L3 tunnel.

 

Here is the L3 tunnel and the route-map that did not work :-/  Thanks for your help.

 

==================--------------===========================
================== route-map ===========================
==================--------------===========================

ip nat source static tcp 192.168.175.4 80 192.168.168.235 8888 route-map NONAT

access-list 177 deny ip host 192.168.175.4 192.168.177.0 0.0.0.255
access-list 177 permit ip host 192.168.175.4 any

route-map NONAT permit 10
match ip address 177

remotertr175(config)#ip nat source static tcp 192.168.175.4 80 192.168.168.235$
ip nat source static tcp 192.168.175.4 80 192.168.168.235 8888 route-map NONAT
^
% Invalid input detected at '^' marker.

remotertr175(config)#ip nat source static tcp 192.168.175.4 80 192.168.168.235 8888 ?
extendable Extend this translation when used
no-alias Do not create an alias for the global address
no-payload No translation of embedded address/port in the payload
vrf Specify vrf
<cr>

==================--------------===========================
================== IPSEC Tunnel ===========================
==================--------------===========================

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
crypto isakmp key firewallcx address 192.168.168.236
!
crypto map CMAP 76 ipsec-isakmp
set peer 192.168.168.236
set transform-set TS
match address VPN_TRAFFIC_176
!
ip route 192.168.176.0 255.255.255.0 192.168.168.236
ip access-list extended VPN_TRAFFIC_176
permit tcp 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255

27 Replies

I believe that there are 2 issues with the route map and acl as you have posted them

route-map NO_NAT_192.168.176.0 deny 10
match ip address DENY_NAT_192.168.176.0

ip access-list extended DENY_NAT_192.168.176.0
deny ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.2

 

The first issue is that your route map statement is a deny and the acl that it references is also deny statements. If the route map statement is a deny then the acl statements must be permit if the traffic is not to be translated.

The second issue is that the route map is not permitting any traffic. Seems to me that after denying what should not be translated there should be something to permit and translate other traffic.

 

HTH

 

Rick

HTH

Rick
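The two remarks above (a deny route-map sequence whose match ACL is itself all deny entries can never match anything, and a route-map with no permit sequence translates nothing) can be checked by simulating how IOS evaluates a NAT route-map. The following Python model is an added example for this thread, not code from the thread or from Cisco. It models first-match ACL evaluation with wildcard masks and an implicit deny, and a route-map where a sequence matches only when its ACL returns permit. The "fixed" configuration shape and the ACL names VPN_NO_NAT and NAT_EVERYTHING_ELSE are assumptions for illustration, as is the Internet-side address 203.0.113.7.

```python
"""Model of how IOS evaluates a NAT route-map against its match ACL.

Constructed illustration (not Cisco code): an IOS extended ACL is
first-match with an implicit deny at the end; a route-map sequence only
matches when its ACL returns permit. Matching a "permit" sequence means the
packet is translated, matching a "deny" sequence means it is exempted from
NAT, and falling off the end of the route-map means no translation either.
"""
from ipaddress import ip_address

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any"


def host(addr):
    """IOS 'host X' is shorthand for X with wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask semantics: 1 bits in the wildcard are don't-care."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & care) == (int(ip_address(net)) & care)


def acl_eval(acl, src, dst):
    """First-match evaluation of an extended ACL given as (action, src, dst)."""
    for action, (snet, swild), (dnet, dwild) in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return "deny"  # implicit "deny ip any any" at the end of every ACL


def nat_decision(route_map, acls, src, dst):
    """Return 'translate', 'exempt' or 'no-match' for one inside->outside packet."""
    for action, acl_name in route_map:
        if acl_eval(acls[acl_name], src, dst) == "permit":
            return "translate" if action == "permit" else "exempt"
    return "no-match"  # nothing matched: NAT is not applied at all


# The route-map and ACL as quoted in the thread: deny sequence + deny-only ACL.
BROKEN_ACLS = {
    "DENY_NAT_192.168.176.0": [
        ("deny", ("192.168.176.0", "0.0.0.255"), ("192.168.175.0", "0.0.0.255")),
        ("deny", ("192.168.175.0", "0.0.0.255"), ("192.168.176.0", "0.0.0.255")),
    ],
}
BROKEN_ROUTE_MAP = [("deny", "DENY_NAT_192.168.176.0")]

# Assumed corrected shape following the two remarks: the deny sequence
# references an ACL that PERMITS the VPN traffic (so it is exempted), and a
# permit sequence follows so everything else from the LAN is translated.
FIXED_ACLS = {
    "VPN_NO_NAT": [
        ("permit", ("192.168.175.0", "0.0.0.255"), ("192.168.176.0", "0.0.0.255")),
    ],
    "NAT_EVERYTHING_ELSE": [
        ("permit", ("192.168.175.0", "0.0.0.255"), ANY),
    ],
}
FIXED_ROUTE_MAP = [("deny", "VPN_NO_NAT"), ("permit", "NAT_EVERYTHING_ELSE")]

if __name__ == "__main__":
    for name, rm, acls in (("broken", BROKEN_ROUTE_MAP, BROKEN_ACLS),
                           ("fixed", FIXED_ROUTE_MAP, FIXED_ACLS)):
        for dst in ("192.168.176.10", "203.0.113.7"):  # VPN peer LAN, then Internet
            print(name, "192.168.175.4 ->", dst, nat_decision(rm, acls, "192.168.175.4", dst))
```

Running it shows the broken shape returning "no-match" for both the VPN-bound and the Internet-bound packet, which is exactly the symptom of a NAT rule that never translates anything, while the corrected shape exempts the VPN traffic and translates the rest.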

Thanks Rick, I'll work on this Monday. 

 

Did you see the cool stuff from connecting the 2921 to the 5520?  I never thought that it would even connect.  Not to say that it is actually encrypted...

 

remotertr175#sh ip nat nvi translations ver
Pro Source global Source local Destin local Destin global
tcp 192.168.168.235:888 192.168.174.66:80 --- ---                   <---------------is 8888 truncated?
create 08:14:50, use 00:22:08 timeout:0,
flags:

 

LOOKS TO ME LIKE inside AND outside ARE MIXED UP ?????

remotertr175#sh ip nat translations
Pro Inside global           Inside local                                 Outside local                          Outside global
tcp                              192.168.168.235:8888                 192.168.175.3:80                  -- ---
remotertr175#

I tried to do just the opposite just to get the route-map to work.  It never opens the port 8888 on the outside interface?

I put a "deny ip any any" at the end just in case.  Still does not work.... but I can access 192.168.175.3 80 through the L3 tunnel.... :-0

 

CORRECTION wildcard instead of netmask ---------------opposite----------BUT STILL DOES NOT WORK

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map TEST_NAT_192.168.176.0 extendable

route-map TEST_NAT_192.168.176.0 permit 11
match ip address PERMIT_NAT_192.168.176.0

ip access-list extended PERMIT_NAT_192.168.176.0
permit ip 192.168.168.0 0.0.0.255 host 192.168.175.3

 

I tried to reverse it to permit but I still can't get it to work.

--------------------opposite-------------------------------
ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map TEST_NAT_192.168.176.0 extendable
route-map TEST_NAT_192.168.176.0 permit 11
match ip address PERMIT_NAT_192.168.176.0
ip access-list extended PERMIT_NAT_192.168.176.0
permit ip 192.168.168.0 0.0.0.255 host 192.168.175.3
deny ip any any

Cool "Note the above IPs would be the destination IPs in the packet ie. the destination IP on the outside would be 192.168.168.235 port 8888 and you would be translating this to the destination IP on the inside of 192.168.175.3 port 80" So if the nat is changed to outside it would also be destination address?

Hi Jon, I'm trying to get the 2921 to build an L3 tunnel to another 2921 and let the internet PAT the inside web server 80 by hitting the outside address on port 8888. The PAT does not let the remote PC access the web server 80 through the tunnel.

If you are trying to get a 2921 to build a tunnel to another 2921 then post the config of both 2921 and an explanation of the topology of the network (what is connected to what and how does the data from one 2921 get to the other 2921).

 

HTH

 

Rick

HTH

Rick

Hello,

 

in addition to Richard's remarks, it would be useful to see the full configurations of both sides. Right now, it does not look like the NAT exclusion ACL and the crypto map ACL are mirrors of each other...

 

So if possible post the entire configs of both ends...

L2_L3_PAT_cropped.png

This may give some insight into why the 5520 works and the 2921 doesn't.

Here is an IPSEC tunnel between an ASA 5520 and an RTR 2921.  Note how the 2921 comes out of the tunnel with the outside address, but the 5520 uses the inside addresses.  Attached are the configurations.

 

MY GUESS IS THAT ENCRYPTION IS NOT BEING DONE!!!!!


----------------------------================================------------------------------
SESSION 1 is the ASA ((GOOD)) pinging the RTR through the L3 tunnel. Note that the RTR outside WAN interface is used.
----------------------========================================------------------------------------
SESSION 11111111111111111111111111111 LOOK AT BOTH SIDES 111111111111111111111111111111111111111
INITIATE FROM PC 192.168.172.6 on ASA 5520 FIREWALL (inside 192.168.172.1 outside 192.168.168.232)
- to PC 192.168.175.3 on RTR 2921 (inside 192.168.175.1 outside 192.168.168.235)

[root@drupal ahuffman]# ip addr | grep 192
inet 192.168.172.6/24 brd 192.168.172.255 scope global p1p1
[root@drupal ahuffman]#

[root@drupal ahuffman]# ping 192.168.175.3
PING 192.168.175.3 (192.168.175.3) 56(84) bytes of data.
64 bytes from 192.168.168.235: icmp_seq=1 ttl=63 time=1.55 ms <-----------------look at WAN address
64 bytes from 192.168.168.235: icmp_seq=2 ttl=63 time=1.22 ms
64 bytes from 192.168.168.235: icmp_seq=3 ttl=63 time=1.24 ms
64 bytes from 192.168.168.235: icmp_seq=4 ttl=63 time=1.23 ms
64 bytes from 192.168.168.235: icmp_seq=5 ttl=63 time=1.22 ms
64 bytes from 192.168.168.235: icmp_seq=6 ttl=63 time=1.27 ms
64 bytes from 192.168.168.235: icmp_seq=7 ttl=63 time=1.25 ms
64 bytes from 192.168.168.235: icmp_seq=8 ttl=63 time=1.23 ms
64 bytes from 192.168.168.235: icmp_seq=9 ttl=63 time=1.30 ms
^C
--- 192.168.175.3 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8431ms
rtt min/avg/max/mdev = 1.225/1.283/1.554/0.109 ms


[root@drupal ahuffman]# tcpdump -i p1p1 | grep ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p1p1, link-type EN10MB (Ethernet), capture size 65535 bytes
12:12:56.790530 IP 192.168.172.6 > 192.168.175.3: ICMP echo request, id 4727, seq 77, length 64
12:12:56.791760 IP 192.168.168.235 > 192.168.172.6: ICMP echo reply, id 4727, seq 77, length 64
12:12:57.792034 IP 192.168.172.6 > 192.168.175.3: ICMP echo request, id 4727, seq 78, length 64
12:12:57.793236 IP 192.168.168.235 > 192.168.172.6: ICMP echo reply, id 4727, seq 78, length 64
12:12:58.793594 IP 192.168.172.6 > 192.168.175.3: ICMP echo request, id 4727, seq 79, length 64
12:12:58.794818 IP 192.168.168.235 > 192.168.172.6: ICMP echo reply, id 4727, seq 79, length 64
^C72 packets captured
1163 packets received by filter
1066 packets dropped by kernel

[root@drupal ahuffman]#

----------------------========================================------------------------------------
SESSION 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

INCOMING FROM PC 192.168.172.6 on ASA 5520 FIREWALL (inside 192.168.172.1 outside 192.168.168.232)
- to PC 192.168.175.3 on RTR 2921 (inside 192.168.175.1 outside 192.168.168.235)

vmuser@studio1:~$ ip addr | grep 192
inet 192.168.175.3/24 brd 192.168.175.255 scope global dynamic noprefixroute enp0s31f6
vmuser@studio1:~$


root@studio1:/home/vbox# tcpdump -n | grep ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s31f6, link-type EN10MB (Ethernet), capture size 262144 bytes
12:44:57.215052 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 1, length 64
12:44:57.215108 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 1, length 64
12:44:58.216693 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 2, length 64
12:44:58.216750 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 2, length 64
12:44:59.218147 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 3, length 64
12:44:59.218203 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 3, length 64
12:45:00.219657 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 4, length 64
12:45:00.219714 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 4, length 64
12:45:01.221156 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 5, length 64
12:45:01.221214 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 5, length 64
12:45:02.222635 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 6, length 64
12:45:02.222692 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 6, length 64
12:45:03.224095 IP 192.168.168.232 > 192.168.175.3: ICMP echo request, id 45177, seq 7, length 64
12:45:03.224152 IP 192.168.175.3 > 192.168.168.232: ICMP echo reply, id 45177, seq 7, length 64


----------------------------================================------------------------------
SESSION 2 is the RTR (((BAD))) pinging the ASA through the L3 tunnel. Note that the inside LAN addresses are used.
----------------------------================================------------------------------
SESSION 2222222222222222222222222222222222222222222222222222222222222222222222222222222222222
INITIATE FROM PC 192.168.175.3 on RTR 2921 (inside 192.168.175.1 outside 192.168.168.235)
- to PC 192.168.172.6 on ASA 5520 FIREWALL (inside 192.168.172.1 outside 192.168.168.232)

vmuser@studio1:~$
vmuser@studio1:~$ ip addr | grep 192
inet 192.168.175.3/24 brd 192.168.175.255 scope global dynamic noprefixroute enp0s31f6
vmuser@studio1:~$

vmuser@studio1:~$ ping 192.168.172.6
PING 192.168.172.6 (192.168.172.6) 56(84) bytes of data.
^C
--- 192.168.172.6 ping statistics ---
18 packets transmitted, 0 received, 100% packet loss, time 17405ms

vmuser@studio1:~$

root@studio1:/home/vbox# tcpdump -n | grep ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s31f6, link-type EN10MB (Ethernet), capture size 262144 bytes
12:57:03.864477 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 1, length 64
12:57:04.886071 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 2, length 64
12:57:05.910217 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 3, length 64
12:57:06.934276 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 4, length 64
12:57:07.958236 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 5, length 64
12:57:08.982241 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 6, length 64
12:57:10.006328 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 7, length 64
12:57:11.030221 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 8, length 64
12:57:12.054251 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 9, length 64
12:57:13.078289 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 10, length 64
12:57:14.101992 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 11, length 64
12:57:15.126255 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 12, length 64
12:57:16.150038 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 13, length 64
12:57:17.174260 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 14, length 64
12:57:18.198236 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 15, length 64
12:57:19.222293 IP 192.168.175.3 > 192.168.172.6: ICMP echo request, id 8642, seq 16, length 64

 

----------------------------================================------------------------------
SESSION 3 #sh cry ipsec sa - on ASA and RTR - NOTE THAT THERE ARE NO encaps decaps SHOWING
----------------------------================================------------------------------
SESSION 33333333333333333333333333333333333333333333333333333333333333333333333333333333333333

ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA-ASA

allan@allandesk ~ $ ssh cisco@192.168.168.232
cisco@192.168.168.232's password:
Type help or '?' for a list of available commands.
asa172-232> en
Password: ********
asa172-232# sh cry ip
asa172-232# sh cry ipsec sa

There are no ipsec sas
asa172-232#


RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR-RTR

allan@allandesk ~ $ ssh cisco@192.168.168.235
Password:

remotertr175>en
Password:
remotertr175#sh cry ip
remotertr175#sh cry ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: CMAP, local addr 192.168.168.235

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.172.0/255.255.255.0/0/0)
current_peer 192.168.168.232 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.168.235, remote crypto endpt.: 192.168.168.232
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (192.168.172.0/255.255.255.0/6/0)
current_peer 192.168.168.232 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.168.235, remote crypto endpt.: 192.168.168.232
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

protected vrf: (none)

 

 

 

I have not yet looked at the configs (and will do that later). But want to comment on the output that you post here. It is interesting and unexpected.

- ping from PC connected to ASA to PC connected to router is successful. (sends requests, receives responses)

- ping from PC connected to ASA sees request with source and destination as the PC addresses, but sees responses with source address as the translated address of the router. PC connected to router sees the incoming request with source address as the translated address from the ASA. So the ASA is translating the source address of the outgoing request, and the router is translating the source address of the outgoing response.

- ping from PC connected to router to PC connected to ASA fails. (sends requests, receives no responses)

- the ASA does not show any negotiated ipsec sa. The router does show a negotiated ipsec sa. But there are no encaps and no decaps. 

- so the ping traffic is not being encrypted. And it works in only one direction.

 

More later.

 

HTH

 

Rick

HTH

Rick
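The observation above, that the router shows a negotiated SA with zero encaps and zero decaps (and outbound SPI 0x0), is the kind of check worth automating when verifying that a tunnel really carries encrypted traffic. The parser below is an added example for this thread, not code from the thread or from Cisco. The sample text is constructed from the shape of the router output posted above, trimmed to the relevant lines, with a third, healthy SA added (its counters and SPI are made-up values) so the idle-SA filter has something to distinguish; the trailing "protected vrf: (none)" header with no body is kept on purpose, since the posted output ends that way.

```python
"""Parse 'show crypto ipsec sa' style output and flag SAs that carry no traffic.

Added illustration; the SAMPLE text is constructed from the shape of the
router output in the thread (first two SAs) plus one made-up healthy SA.
"""
import re

SAMPLE = """\
interface: GigabitEthernet0/0
Crypto map tag: CMAP, local addr 192.168.168.235

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.172.0/255.255.255.0/0/0)
current_peer 192.168.168.232 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (192.168.172.0/255.255.255.0/6/0)
current_peer 192.168.168.232 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.176.0/255.255.255.0/0/0)
current_peer 192.168.168.236 port 500
#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
#pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
current outbound spi: 0x1A2B3C4D(439041101)

protected vrf: (none)
"""

# Each SA block starts at a "protected vrf:" line in the IOS output.
_LOCAL = re.compile(r"local ident \(addr/mask/prot/port\): \((\S+)\)")
_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+)\)")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")
_SPI = re.compile(r"current outbound spi: (\S+)")


def parse_ipsec_sas(text):
    """Return one dict per SA: local/remote proxy identities, counters, SPI."""
    sas = []
    for block in re.split(r"^protected vrf:", text, flags=re.M)[1:]:
        local = _LOCAL.search(block)
        if not local:
            continue  # trailing header with no SA body (as in the posted output)
        remote = _REMOTE.search(block)
        encaps = _ENCAPS.search(block)
        decaps = _DECAPS.search(block)
        spi = _SPI.search(block)
        sas.append({
            "local": local.group(1),
            "remote": remote.group(1) if remote else None,
            "encaps": int(encaps.group(1)) if encaps else 0,
            "decaps": int(decaps.group(1)) if decaps else 0,
            "spi": spi.group(1) if spi else None,
        })
    return sas


def has_outbound_spi(sa):
    """An SPI of 0x0 means no outbound ESP SA was actually established."""
    return sa["spi"] is not None and not sa["spi"].startswith("0x0(")


def idle_sas(sas):
    """SAs that have neither encapsulated nor decapsulated a single packet."""
    return [sa for sa in sas if sa["encaps"] == 0 and sa["decaps"] == 0]


if __name__ == "__main__":
    for sa in idle_sas(parse_ipsec_sas(SAMPLE)):
        print("no traffic through SA %s -> %s (spi %s)" % (sa["local"], sa["remote"], sa["spi"]))
```

For the posted output this reports both router SAs as idle with a zero SPI, which matches the conclusion that the ping traffic in the thread is not being encrypted; an SA that is actually in use shows a non-zero SPI and counters that climb as pings are sent.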

I am not sure what is going on. But the posted configs do not match what is described. Your output describes an ASA with inside address 192.168.172.1 and outside address 192.168.168.232. The posted config for ASA has inside address 192.168.168.233 and outside address 68.106.145.92.

 

HTH

 

Rick

HTH

Rick

CORRECTION I updated the original posting (the one with all the funny pings) with the correct ASA configuration (RTR_ASA_L3_here.txt).  Sorry about that...

MESSED UP, BUT IT DIDN'T CHANGE ANYTHING The RTR tunnel is set up for crypto map CMAP on the OUTSIDE int... I still get the weird pings....

 

I had the same configuration on both the RTR and the ASA

RTR !
interface GigabitEthernet0/1.172
description INSIDE_172_to_ASA5520
encapsulation dot1Q 172
ip address 192.168.172.1 255.255.255.0
ip nat enable
ip virtual-reassembly in

ASA

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.172.1 255.255.255.0
!