2921 router working example of a route-map - NEEDED

Hi, does anyone have an example of a route-map that works on a 2921?  I have an issue with PAT and an L3 tunnel that I'm hoping a route-map will help with.

1) The L3 tunnel shows up at the distant end as the outside address instead of the private address.

2) The PAT blocks the inside address:port from working  through the L3 tunnel.

 

Here is the L3 tunnel and the route-map that did not work :-/  Thanks for your help.

 

==================--------------===========================
================== route-map ===========================
==================--------------===========================

ip nat source static tcp 192.168.175.4 80 192.168.168.235 8888 route-map NONAT

access-list 177 deny ip host 192.168.175.4 192.168.177.0 0.0.0.255
access-list 177 permit ip host 192.168.175.4 any

route-map NONAT permit 10
match ip address 177

remotertr175(config)#ip nat source static tcp 192.168.175.4 80 192.168.168.235$
ip nat source static tcp 192.168.175.4 80 192.168.168.235 8888 route-map NONAT
^
% Invalid input detected at '^' marker.

remotertr175(config)#ip nat source static tcp 192.168.175.4 80 192.168.168.235 8888 ?
extendable Extend this translation when used
no-alias Do not create an alias for the global address
no-payload No translation of embedded address/port in the payload
vrf Specify vrf
<cr>

==================--------------===========================
================== IPSEC Tunnel ===========================
==================--------------===========================

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
crypto isakmp key firewallcx address 192.168.168.236
!
crypto map CMAP 76 ipsec-isakmp
set peer 192.168.168.236
set transform-set TS
match address VPN_TRAFFIC_176
!
ip route 192.168.176.0 255.255.255.0 192.168.168.236
ip access-list extended VPN_TRAFFIC_176
permit tcp 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255


Richard Burts
Hall of Fame

I am not clear what is going on here. But I believe that the immediate issue is that you are doing a static translation and trying to control it with a route map. But when you use online help (the ?) it does not show an option for a route map or an access list when doing static translation. I have seen the access list or route map to control translation when it was dynamic translation but not for static translation.

 

As a side note there is a redundancy in the acl you are using to identify vpn traffic

permit tcp 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255

There is no need to identify tcp traffic if you are then going to permit all ip traffic for those addresses.

 

HTH

 

Rick


Hi Rick, OH :-/  That's why there is only a route map on a RTR, as follows.

 

But why does the ipsec tunnel come out the other end with a SOURCE IP ADDRESS of the outside address instead of the originating private 192.168.176.x address?

 

FOLLOWS HERE

# ip nat source route-map ...

Then it does:

# ip nat source route-map MYRMAP interface

or

# ip nat source route-map MYRMAP pool

 

 

I am not clear about this statement

But why does the ipsec tunnel come out the other end with a SOURCE IP ADDRESS of the outside address instead of the originating private 192.168.176.x address?

My best guess at this point is that there is an issue at the other peer and it is doing address translation on the vpn traffic where the vpn traffic should be exempted from translation. Perhaps you could post from the remote peer the crypto map, the acl used to identify traffic for encryption, and any of the config for address translation?

 

HTH

 

Rick


I had the redundancy in because I was going to lock it down to tcp only.  But I never got this to work properly on the 2921, so I got it working on an ASA.  So I guess that I'm stuck with an ASA; I prefer routers.  The ASA will not ping through a tunnel; it has to see "interesting" traffic before it brings up the tunnel :-\

Perhaps I am not understanding correctly what you are saying here

ASA will not ping through a tunnel, it has to see "interesting" traffic before it brings up the tunnel :-\

It is a common behavior on both router and ASA that it needs to see "interesting" traffic to bring up the tunnel. Perhaps you are referring to the fact that the router has the ability to ping and to specify the source address of the ping?

 

HTH

 

Rick


Yes, that has to be it.  I've put "management-access inside" on both ASAs connected with an L3 tunnel and still can't ping through the tunnel from LAN to LAN.  Without being able to source the ping, I'm guessing that it should be assuming the inside address?  At least that is what shows up in "sh arp": inside addresses.  I can't even ping a PC or a switch at the distant end from the ASA.  I could always do that on a RTR.....

I suspect that there are several issues but I did not look very much past the first one that I found. Network 192.168.172.0 is defined as a locally connected subnet of both the ASA and the router. The ASA interface G0/1 and router interface G0/1.172 are configured as being in 192.168.172.0.

 

HTH

 

Rick


A RTR will ping the other router through the tunnel even if there is no PC hanging off the end.  I didn't know that a router is building it each time traffic is presented.  It just looked like it was up all the time.  There are no ACLs on the interfaces, so sourcing is not needed.

FROM 192.168.175.1 outside 192.168.168.235

remotertr175#ping 192.168.176.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.176.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
remotertr175#ping 192.168.177.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.177.1, timeout is 2 seconds:
!!!!!
remotertr175#sh cry ipsec sa

local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.176.0/255.255.255.0/0/0)

local crypto endpt.: 192.168.168.235, remote crypto endpt.: 192.168.168.236

local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.177.0/255.255.255.0/0/0)

local crypto endpt.: 192.168.168.235, remote crypto endpt.: 192.168.168.237

 

Jon Marshall
Hall of Fame

 

It's not clear exactly what you are trying to do, but if you want to use a route map with a static NAT then you cannot use "ip nat source"; you need to use the "ip nat <inside|outside> source" syntax.

 

Jon

 

 

Still not entirely sure what you are looking to do but have a look at this thread for an example of using a route map with a static NAT and a VPN tunnel - 

 

https://community.cisco.com/t5/routing/ipsec-with-ip-nat-inside-source-static/td-p/2689248

 

there is no reason why it would not work on your router as far as I know. 

 

Jon

Hi Jon,

I followed your example.

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map NO_NAT_192.168.177.0

route-map NO_NAT_192.168.177.0 deny 10
match ip address DENY_NAT_192.168.177.0

ip access-list extended DENY_NAT_192.168.177.0
deny ip 192.168.177.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.177.0 0.0.0.255

 

But I realized that what I'm doing is port mapping an http call from the outside external WAN address and translating it to an inside host address and port.  It looks like the route-map is only available for inside to outside.  There is an "add-route" for outside to inside.

 

So at first I tried this: ==========================================

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map NO_NAT_192.168.177.0

route-map NO_NAT_192.168.177.0 deny 10
match ip address DENY_NAT_192.168.177.0

ip access-list extended DENY_NAT_192.168.177.0
deny ip 192.168.177.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.177.0 0.0.0.255

 

Realized my mistake and tried this: ====================================

remotertr175(config)# ip nat outside source static tcp 192.168.175.177 80 192.168.168.235 8888 route-map NO_NAT_192.168.177.0 ?
% Unrecognized command


remotertr175(config)#$ ip nat outside source static tcp 192.168.175.177 80 192.168.168.235 8888 ?
add-route Add a static route for outside local address
extendable Extend this translation when used
no-alias Do not create an alias for the local address
no-payload No translation of embedded address/port in the payload
redundancy NAT redundancy operation
vrf Specify vrf
<cr>

remotertr175(config)#ip nat outside source static tcp 192.168.175.177 80 192.$

 

 

Static NAT works in both directions so if the inside IP is 192.168.175.3 and the outside IP is 192.168.168.235 then "ip nat inside" is the correct syntax. 

 

Note the above IPs would be the destination IPs in the packet, i.e. the destination IP on the outside would be 192.168.168.235 port 8888 and you would be translating this to the destination IP on the inside of 192.168.175.3 port 80.

 

Jon

I gave it my best shot and it did not work; there are no hits through the NAT at port 8888 from an outside PC showing in a tcpdump on the http server at 192.168.175.3.  Here is the NAT.  There must be something wrong with the NAT....

 

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map NO_NAT_192.168.176.0

route-map NO_NAT_192.168.176.0 deny 10
match ip address DENY_NAT_192.168.176.0

ip access-list extended DENY_NAT_192.168.176.0
deny ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.2

 

Here is a tcpdump through the tunnel to 192.168.175.3 80 from 192.168.176.4 

 

root@studio1:/home/vbox# tcpdump -n | grep 192.168.176
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s31f6, link-type EN10MB (Ethernet), capture size 262144 bytes
10:43:33.948698 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [S], seq 1417375719, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
10:43:33.948766 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [S.], seq 427422819, ack 1417375720, win 28120, options [mss 1406,nop,nop,sackOK,nop,wscale 7], length 0
10:43:33.949914 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 1, win 16520, length 0
10:43:33.950376 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [P.], seq 1:455, ack 1, win 16520, length 454: HTTP: GET / HTTP/1.1
10:43:33.950469 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], ack 455, win 229, length 0
10:43:33.953324 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], seq 1:1407, ack 455, win 229, length 1406: HTTP: HTTP/1.1 200 OK
10:43:33.953337 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], seq 1407:2813, ack 455, win 229, length 1406: HTTP
10:43:33.953341 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [P.], seq 2813:3478, ack 455, win 229, length 665: HTTP
10:43:33.957883 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 3478, win 16520, length 0
10:43:33.970768 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [P.], seq 455:866, ack 3478, win 16520, length 411: HTTP: GET /icons/ubuntu-logo.png HTTP/1.1
10:43:33.971458 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [P.], seq 3478:3658, ack 866, win 237, length 180: HTTP: HTTP/1.1 304 Not Modified
10:43:34.171807 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 3658, win 16475, length 0
10:43:38.958501 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [F.], seq 3658, ack 866, win 237, length 0
10:43:38.959965 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 3659, win 16475, length 0
10:43:38.960024 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [F.], seq 866, ack 3659, win 16475, length 0
10:43:38.960051 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], ack 867, win 237, length 0
--------------------------================================----------------------------

Point of interest: I had a relic L3 tunnel setup on the 2921 for 192.168.172.0 and noticed that "cry ipsec sa" was showing something up. I happened to reuse 192.168.172.0 on an ASA 5520 which is also connected to the "outside" switch.  So I put in the mirror L3 tunnel on the ASA and guess what?  The tunnel is up (after I added the route statement :-)).

 

Sorry still looking into this....
--------------------------================================----------------------------
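As an added example that is not from any poster in this thread: a small Python model of how IOS evaluates an ACL referenced by a route-map "match ip address" clause (a permit entry is a match; a deny entry and the implicit deny at the end are both "no match"; the first matching route-map sequence decides, and no matching sequence is an implicit deny). It runs the NO_NAT route-map as posted above (a deny sequence over a deny-only ACL) next to the widely documented exemption pattern (a permit sequence over an ACL that denies the VPN traffic and then permits everything else); the ACL name NAT_EXEMPT and the 203.0.113.10 destination are assumptions for illustration.

```python
import ipaddress

# Constructed model of IOS ACL / route-map evaluation (added example, not
# from the thread). Addresses are the thread's; names marked below are assumed.

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def acl_matches(acl, src, dst):
    """An ACL used by 'match ip address' yields a match only on a permit
    entry; a deny entry and the implicit deny at the end both mean no match."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

def route_map_permits(route_map, acls, src, dst):
    """Walk the sequences in order: the first sequence whose ACL matches
    decides (permit or deny); no matching sequence is an implicit deny.
    True means the NAT translation is applied to this flow."""
    for action, acl_name in route_map:
        if acl_matches(acls[acl_name], src, dst):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")

# The route-map as posted: deny sequence, ACL containing only deny entries
# (wildcards as in the 192.168.177.0 version posted earlier in the thread).
POSTED_ACLS = {"DENY_NAT_192.168.176.0": [
    ("deny", "192.168.176.0", "0.0.0.255", "192.168.175.0", "0.0.0.255"),
    ("deny", "192.168.175.0", "0.0.0.255", "192.168.176.0", "0.0.0.255")]}
POSTED_RMAP = [("deny", "DENY_NAT_192.168.176.0")]

# Documented exemption pattern (ACL name NAT_EXEMPT is assumed): permit
# sequence over an ACL that denies the VPN traffic and permits the rest.
EXEMPT_ACLS = {"NAT_EXEMPT": [
    ("deny", "192.168.175.0", "0.0.0.255", "192.168.176.0", "0.0.0.255"),
    ("permit", *ANY, *ANY)]}
EXEMPT_RMAP = [("permit", "NAT_EXEMPT")]

if __name__ == "__main__":
    for label, rmap, acls in (("posted", POSTED_RMAP, POSTED_ACLS),
                              ("exempt", EXEMPT_RMAP, EXEMPT_ACLS)):
        for dst in ("192.168.176.4", "203.0.113.10"):
            print(label, "192.168.175.3 ->", dst, "translate:",
                  route_map_permits(rmap, acls, "192.168.175.3", dst))
```

The posted variant never returns True, so the static entry is applied to no flow at all, while the exemption pattern leaves tunnel traffic untranslated and translates everything else.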