cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
394
Views
0
Helpful
13
Replies
Highlighted
Beginner

Cisco 867VAE NAT overload and static internet issues

I have a Cisco 867VAE with an IPsec to my Cisco ASA. Because the network (192.168.10.0/24) is already used on my site (ASA) I have to NAT the entire network to 172.19.66.0/24 for the communication through the ipsec.

 

As soon as I add the static NAT 192.168.10.0/24 can not reach the internet anymore, in return the communication through the ipsec works.

 

...
ip nat inside source list 180 interface GigabitEthernet2 overload
ip nat inside source static network 192.168.10.0 172.19.66.0 /24 no-alias
...
access-list 180 deny   ip 192.168.10.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 180 deny   ip 172.19.66.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 180 deny   ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 deny   ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
access-list 180 permit ip 172.19.66.0 0.0.0.255 any
...

I'm also not sure which network i have to list in acl 180 and did some tests....

 

Any idea or advice?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Sorry, I forgot to post an update. I was not able to do two "ip nat inside" for the whole network without a route-map which Cisco 867 isn't supporting. I finally did the following.

 

access-list 181 permit ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
! 
route-map VPN_NAT permit 10
 match ip address 181
!
ip nat inside source static 192.168.10.1 172.19.66.1 route-map VPN_NAT
ip nat inside source static 192.168.10.100 172.19.66.100 route-map VPN_NAT
ip nat inside source static 192.168.10.102 172.19.66.102 route-map VPN_NAT
ip nat inside source static 192.168.10.104 172.19.66.104 route-map VPN_NAT
ip nat inside source static 192.168.10.106 172.19.66.106 route-map VPN_NAT
ip nat inside source static 192.168.10.108 172.19.66.108 route-map VPN_NAT
ip nat inside source static 192.168.10.110 172.19.66.110 route-map VPN_NAT
ip nat inside source static 192.168.10.112 172.19.66.112 route-map VPN_NAT
ip nat inside source static 192.168.10.114 172.19.66.114 route-map VPN_NAT
ip nat inside source static 192.168.10.115 172.19.66.115 route-map VPN_NAT
ip nat inside source static 192.168.10.116 172.19.66.116 route-map VPN_NAT
ip nat inside source static 192.168.10.120 172.19.66.120 route-map VPN_NAT
!
access-list 180 deny   ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
!
ip nat inside source list 180 interface GigabitEthernet2 overload

View solution in original post

13 REPLIES 13
Highlighted
VIP Mentor

Hello,

 

what traffic is defined in your encryption domain ? Post the full running configuration of your router (show run)...

Highlighted
VIP Mentor

Hello


@sidran001 wrote:

As soon as I add the static NAT 192.168.10.0/24 can not reach the internet anymore, in return the communication through the ipsec works.

 

ip nat inside source static network 192.168.10.0 172.19.66.0 /24 no-alias


Looks like you have negated the rtr from creating arp entries for the translated addressing plus you wouldn’t want static nat performing this fr the whole subnet.
As suggested can you post the running-configuration of the rtr into a file and attach it to your post.

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
Highlighted
Beginner

 

no parser cache
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname RO01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
enable secret 5 **************
!
aaa new-model
!
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local 
!
aaa session-id common
wan mode ethernet
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
ip dhcp excluded-address 192.168.10.255
ip dhcp excluded-address 192.168.10.0 192.168.10.150
!
ip dhcp pool VRMLAN_EXAMPLE
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1 
 ip name-server 8.8.8.8
ip name-server 8.8.4.4 lease 0 2 ! ip inspect max-incomplete high 1100 ip inspect max-incomplete low 1100 ip inspect one-minute low 1100 ip inspect one-minute high 1100 ip inspect name INTERNET ftp ip inspect name INTERNET tftp ip inspect name INTERNET tcp ip inspect name INTERNET udp ip inspect name INTERNET realaudio ip inspect name INTERNET icmp ip inspect name INTERNET rtsp ip inspect name INTERNET vdolive ip inspect name INTERNET dns no ip bootp server ip domain lookup source-interface Vlan200 ip domain name example.local ip name-server 1.1.1.1 ip cef no ipv6 cef ! vpdn enable ! username cisco privilege 15 secret 5 ************** ! controller VDSL 0 shutdown ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 lifetime 28800 crypto isakmp key ************** address 148.133.208.5 no-xauth crypto isakmp keepalive 30 5 crypto isakmp nat keepalive 15 ! crypto isakmp client configuration group VPN_EXAMPLE key ***************************** dns 172.19.66.1 pool ippool acl 190 ! crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac mode tunnel crypto ipsec transform-set AES256_S2S esp-aes 256 esp-sha-hmac mode tunnel ! crypto dynamic-map vpn-dynamic 10 description *** VPN-Clients *** set security-association lifetime seconds 43200 set transform-set AES256 ! crypto map IPSECMAP client authentication list userauthen crypto map IPSECMAP isakmp authorization list groupauthor crypto map IPSECMAP client configuration address respond crypto map IPSECMAP 10 ipsec-isakmp description *** S2S set peer 148.133.208.5 set security-association lifetime seconds 28800 set transform-set AES256_S2S match address 191 qos pre-classify crypto map IPSECMAP 65000 ipsec-isakmp dynamic vpn-dynamic ! interface ATM0 description *** ADSL-Interface no ip address shutdown no atm ilmi-keepalive ! interface Ethernet0 description *** VDSL-Interface no ip address shutdown ! interface FastEthernet0 switchport access vlan 200 no ip address spanning-tree portfast ! interface FastEthernet1 switchport access vlan 200 no ip address spanning-tree portfast ! interface FastEthernet2 switchport access vlan 200 no ip address spanning-tree portfast ! interface GigabitEthernet0 switchport access vlan 200 no ip address spanning-tree portfast ! interface GigabitEthernet1 switchport access vlan 200 no ip address spanning-tree portfast ! interface GigabitEthernet2 description *** WAN ip address 172.31.255.6 255.255.255.252 ip access-group 151 in ip inspect INTERNET out ip nat outside ip virtual-reassembly in duplex auto speed auto crypto map IPSECMAP ! interface Vlan1 no ip address shutdown ! interface Vlan200 ip address 192.168.10.1 255.255.255.0 ip access-group 101 in no ip redirects ip directed-broadcast ip nat inside ip virtual-reassembly in ip tcp adjust-mss 1200 hold-queue 100 out ! ip local pool ippool 10.199.1.0 10.199.1.254 ip forward-protocol nd no ip http server no ip http secure-server ! ip dns server ip nat inside source list 180 interface GigabitEthernet2 overload ip route 0.0.0.0 0.0.0.0 172.31.255.5 ip route 127.0.0.0 255.0.0.0 Null0 ip route 169.254.0.0 255.255.0.0 Null0 ip ssh source-interface Vlan200 ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr ! snmp-server enable traps tty access-list 1 permit 148.133.208.0 0.0.0.15 access-list 1 remark *** SSH access-list 1 permit 172.19.66.0 0.0.0.255 access-list 1 permit 192.168.10.0 0.0.0.255 access-list 1 permit 10.199.1.0 0.0.0.255 access-list 101 permit ip any any access-list 151 remark *** INTERNET -> ROUTER (CBAC) access-list 151 remark *** IPSec -> Router access-list 151 permit esp any host 172.31.255.6 access-list 151 permit udp any host 172.31.255.6 eq isakmp access-list 151 permit udp any host 172.31.255.6 eq non500-isakmp access-list 151 permit ip 10.199.1.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 151 remark *** NTP access-list 151 permit udp host 130.149.17.21 eq ntp any eq ntp access-list 151 permit udp host 8.8.8.8 eq domain any access-list 151 permit udp host 8.8.4.4 eq domain any access-list 151 remark *** ICMP access-list 151 permit icmp 148.133.208.0 0.0.0.15 any administratively-prohibited access-list 151 permit icmp 148.133.208.0 0.0.0.15 any echo access-list 151 permit icmp any any echo-reply access-list 151 permit icmp 148.133.208.0 0.0.0.15 any packet-too-big access-list 151 permit icmp 148.133.208.0 0.0.0.15 any time-exceeded access-list 151 permit icmp 148.133.208.0 0.0.0.15 any traceroute access-list 151 permit icmp 148.133.208.0 0.0.0.15 any unreachable access-list 151 remark *** SSH access-list 151 permit tcp 148.133.208.0 0.0.0.15 host 172.31.255.6 eq 22 access-list 151 permit icmp 148.133.208.0 0.0.0.15 any administratively-prohibited access-list 151 permit icmp 148.133.208.0 0.0.0.15 any echo access-list 151 permit icmp 148.133.208.0 0.0.0.15 any packet-too-big access-list 151 permit icmp 148.133.208.0 0.0.0.15 any time-exceeded access-list 151 permit icmp 148.133.208.0 0.0.0.15 any traceroute access-list 151 permit icmp 148.133.208.0 0.0.0.15 any unreachable access-list 151 permit tcp 148.133.208.0 0.0.0.15 host 172.31.255.6 eq 22 access-list 151 deny ip any any log access-list 180 deny ip 192.168.10.0 0.0.0.255 10.199.1.0 0.0.0.255 access-list 180 deny ip 172.19.66.0 0.0.0.255 10.199.1.0 0.0.0.255 access-list 180 deny ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255 access-list 180 deny ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255 access-list 180 permit ip 192.168.10.0 0.0.0.255 any access-list 180 permit ip 172.19.66.0 0.0.0.255 any access-list 190 deny ip 172.19.66.0 0.0.0.255 10.199.1.0 0.0.0.255 access-list 191 permit ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255 ! line con 0 location *** Serial exec-timeout 30 0 logging synchronous login authentication vty-con no modem enable history size 30 stopbits 1 line aux 0 line 2 no activation-character no exec transport preferred none transport input all stopbits 1 line vty 0 4 location *** SSH access-class 1 in exec-timeout 30 0 login authentication vty-con history size 30 transport input ssh ! scheduler allocate 60000 1000 sntp server 130.149.17.21 sntp broadcast client ! end

 

Highlighted

Hello,

 

change your access list 180 to the one below, so it contains only two lines:

 

access-list 180 deny ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip 172.19.66.0 0.0.0.255 any

Highlighted

Changed it but still the same problem.

RO01#sh ip access-lists 180
Extended IP access list 180
10 deny ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
20 permit ip 172.19.66.0 0.0.0.255 any
Highlighted

Hello,

 

your crypto peer is:

 

set peer 148.133.208.5

 

How is your Cisco router connected ? I assume there is another device ?

Highlighted

Yes there is an other device from the provider. It is in PPPoE passthrough mode, without any firewall on it.
Highlighted

Hello,

 

remove access list 151 from the external interface and check the results:

 

interface GigabitEthernet2
description *** WAN
ip address 172.31.255.6 255.255.255.252
--> no ip access-group 151 in
ip inspect INTERNET out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map IPSECMAP

Highlighted

still the same problem
Highlighted

Hello,

 

strip the entire configuration down to the bare bone essentials as below:

 

no parser cache
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname RO01
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
enable secret 5 **************
!
aaa new-model
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local
!
aaa session-id common
wan mode ethernet
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
ip dhcp excluded-address 192.168.10.255
ip dhcp excluded-address 192.168.10.0 192.168.10.150
!
ip dhcp pool VRMLAN_EXAMPLE
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
ip name-server 8.8.8.8
ip name-server 8.8.4.4
lease 0 2
!
no ip bootp server
ip domain lookup source-interface Vlan200
ip domain name example.local
ip name-server 1.1.1.1
ip cef
no ipv6 cef
!
vpdn enable
!
username cisco privilege 15 secret 5 **************
!
controller VDSL 0
shutdown
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ************** address 148.133.208.5 no-xauth
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group VPN_EXAMPLE
key *****************************
dns 172.19.66.1
pool ippool
acl 190
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set AES256_S2S esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto dynamic-map vpn-dynamic 10
description *** VPN-Clients ***
set security-association lifetime seconds 43200
set transform-set AES256
!
crypto map IPSECMAP client authentication list userauthen
crypto map IPSECMAP isakmp authorization list groupauthor
crypto map IPSECMAP client configuration address respond
crypto map IPSECMAP 10 ipsec-isakmp
description *** S2S
set peer 148.133.208.5
set security-association lifetime seconds 28800
set transform-set AES256_S2S
match address 191
qos pre-classify
crypto map IPSECMAP 65000 ipsec-isakmp dynamic vpn-dynamic
!
interface ATM0
description *** ADSL-Interface
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description *** VDSL-Interface
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface GigabitEthernet0
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
description *** WAN
ip address 172.31.255.6 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map IPSECMAP
!
interface Vlan1
no ip address
shutdown
!
interface Vlan200
ip address 192.168.10.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1200
hold-queue 100 out
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 180 interface GigabitEthernet2 overload
ip route 0.0.0.0 0.0.0.0 172.31.255.5
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip ssh source-interface Vlan200
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
snmp-server enable traps tty
access-list 1 permit 148.133.208.0 0.0.0.15
access-list 1 remark *** SSH
access-list 1 permit 172.19.66.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 180 deny ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip any any
access-list 191 permit ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
!
line con 0
location *** Serial
exec-timeout 30 0
logging synchronous
login authentication vty-con
no modem enable
history size 30
stopbits 1
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
location *** SSH
access-class 1 in
exec-timeout 30 0
login authentication vty-con
history size 30
transport input ssh
!
scheduler allocate 60000 1000
sntp server 130.149.17.21
sntp broadcast client
!
end

Highlighted

Actually, first, try to change the access lists to:

 

access-list 180 deny ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 deny ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip 172.19.66.0 0.0.0.255 any
access-list 191 permit ip 172.19.66.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 191 permit ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255

Highlighted

They are doing maintenance atm. ... I will try it as soon as the router is online and give you the feedback.
Highlighted

Sorry, I forgot to post an update. I was not able to do two "ip nat inside" for the whole network without a route-map which Cisco 867 isn't supporting. I finally did the following.

 

access-list 181 permit ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
! 
route-map VPN_NAT permit 10
 match ip address 181
!
ip nat inside source static 192.168.10.1 172.19.66.1 route-map VPN_NAT
ip nat inside source static 192.168.10.100 172.19.66.100 route-map VPN_NAT
ip nat inside source static 192.168.10.102 172.19.66.102 route-map VPN_NAT
ip nat inside source static 192.168.10.104 172.19.66.104 route-map VPN_NAT
ip nat inside source static 192.168.10.106 172.19.66.106 route-map VPN_NAT
ip nat inside source static 192.168.10.108 172.19.66.108 route-map VPN_NAT
ip nat inside source static 192.168.10.110 172.19.66.110 route-map VPN_NAT
ip nat inside source static 192.168.10.112 172.19.66.112 route-map VPN_NAT
ip nat inside source static 192.168.10.114 172.19.66.114 route-map VPN_NAT
ip nat inside source static 192.168.10.115 172.19.66.115 route-map VPN_NAT
ip nat inside source static 192.168.10.116 172.19.66.116 route-map VPN_NAT
ip nat inside source static 192.168.10.120 172.19.66.120 route-map VPN_NAT
!
access-list 180 deny   ip 192.168.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip 192.168.10.0 0.0.0.255 any
!
ip nat inside source list 180 interface GigabitEthernet2 overload

View solution in original post