GRE/IPSEC: NAT configuration 'route-map' not available in PT

petterstergren
Level 1

Hi, could someone help me to understand where it goes wrong with my ping from Local Net to Public? The IPs are being transformed via NAT but it won't come back in, so I guess there's an issue with my ACLs. I recently set up IPSec, so I did a few changes to my ACLs. From what I read it could be that I should use a `route-map nonat`, but that command doesn't seem to exist in PT.

[Attached screenshot: PT_v2_8_IPSec_with_NAT_something_odd_with_ACL_Local_to_ISP_error_summery_conf.png]

!HQ-IntEdge
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp key petter address 209.165.202.2
!
!
!
crypto ipsec transform-set HQ-STHLM esp-aes esp-sha-hmac
!
crypto map HQ-STHLM_MAP 10 ipsec-isakmp 
 set peer 209.165.202.2
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set HQ-STHLM 
 match address 101
!
!
interface Tunnel0
 ip address 172.16.36.33 255.255.255.224
 mtu 1476
 tunnel source GigabitEthernet0/0
 tunnel destination 209.165.202.2
!
interface GigabitEthernet0/0
 ip address 209.165.201.2 255.255.255.0
 ip access-group INBOUND in
 ip nat outside
 duplex auto
 speed auto
 crypto map HQ-STHLM_MAP
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip nat inside source static 172.16.36.29 209.165.201.3 
ip nat inside source static tcp 172.16.36.28 80 209.209.201.2 80 
!
ip access-list extended INBOUND
 permit ip 172.16.8.0 0.0.3.255 172.16.0.0 0.0.3.255
 permit icmp host 209.165.202.2 host 209.165.201.2
 permit udp host 209.165.202.2 host 209.165.201.2 eq isakmp
 permit esp host 209.165.202.2 host 209.165.201.2
 permit ahp host 209.165.202.2 host 209.165.201.2
 deny ip any any
access-list 101 permit ip 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255
access-list 101 permit ip any any
access-list 101 permit gre 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255
ip access-list extended NAT_ACL
 deny ip 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255
 permit ip 172.16.0.0 0.0.3.255 any
! 
!STHLM-IntEdge
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp key petter address 209.165.201.1
crypto isakmp key petter address 209.165.201.2
!
crypto ipsec transform-set HQ-STHLM esp-aes esp-sha-hmac
!
crypto map HQ-STHLM_MAP 10 ipsec-isakmp 
 set peer 209.165.201.2
 set pfs group5
 set security-association lifetime seconds 900
 set transform-set HQ-STHLM 
 match address 102
!
interface Tunnel0
 ip address 172.16.36.34 255.255.255.224
 mtu 1476
 tunnel source GigabitEthernet0/0/0
 tunnel destination 209.165.201.2
!
interface GigabitEthernet0/0/0
 ip address 209.165.202.2 255.255.255.0
 ip access-group INBOUND in
 crypto map HQ-STHLM_MAP
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0/0 overload
!
ip access-list extended INBOUND
 permit ip 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255
 permit icmp host 209.165.201.2 host 209.165.202.2
 permit udp host 209.165.201.2 host 209.165.202.2 eq isakmp
 permit esp host 209.165.201.2 host 209.165.202.2
 permit ahp host 209.165.201.2 host 209.165.202.2
 deny ip any any
access-list 102 permit ip 172.16.8.0 0.0.3.255 172.16.0.0 0.0.3.255
access-list 102 permit ip any any
access-list 102 permit gre 172.16.8.0 0.0.3.255 172.16.0.0 0.0.3.255
ip access-list extended NAT_ACL
 remark ****** NAT ACL ******
 deny ip 172.16.8.0 0.0.3.255 172.16.0.0 0.0.3.255
 permit ip 172.16.8.0 0.0.3.255 any
!


2 Replies

Hello,

the access lists you use are slightly wrong. Take out the lines marked with an '-->' and leave the lines marked in bold:

HQ-IntEdge

access-list 101 permit ip 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255
--> no access-list 101 permit ip any any
--> no access-list 101 permit gre 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255
!
ip access-list extended NAT_ACL
 deny ip 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255
 permit ip 172.16.0.0 0.0.3.255 any

STHLM-IntEdge

access-list 102 permit ip 172.16.8.0 0.0.3.255 172.16.0.0 0.0.3.255
--> no access-list 102 permit ip any any
--> no access-list 102 permit gre 172.16.8.0 0.0.3.255 172.16.0.0 0.0.3.255
!
ip access-list extended NAT_ACL
 remark ****** NAT ACL ******
 deny ip 172.16.8.0 0.0.3.255 172.16.0.0 0.0.3.255
 permit ip 172.16.8.0 0.0.3.255 any

Hi,
By removing these lines I seem to also lose my EIGRP exchange over the two sites? How am I supposed to exchange the EIGRP information over the tunnel without these lines?
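The following is an added example, not part of the thread and not Cisco code: a small Python model of how IOS evaluates an extended ACL (protocol, source, destination, optional `eq` port, first match wins, implicit deny at the end), run against the HQ-IntEdge ACLs posted above. It is here to show what the posted and the trimmed lists actually match. On IOS the crypto map on GigabitEthernet0/0 sees an EIGRP hello sent over Tunnel0 only after GRE encapsulation, that is as IP protocol 47 from 209.165.201.2 to 209.165.202.2, so in the posted ACL 101 it is `permit ip any any` that catches it, and the trimmed list matches it nowhere. An entry matching GRE between the two tunnel endpoints (the `permit gre host ... host ...` line in the block, an assumption of this example rather than a line from the thread) is the usual way to write the crypto ACL for a GRE-over-IPsec tunnel. The same evaluator shows that a ping reply from an Internet host, represented by the constructed address 203.0.113.10, is dropped by the INBOUND list on the HQ outside interface, and that the `deny` entry at the top of NAT_ACL is what exempts site-to-site traffic from translation, the role a `route-map nonat` plays on platforms that have it. The function names, the constructed packets and the contiguous-wildcard assumption are this example's own.

```python
"""Added example (not from the thread): trace the posted IOS extended ACLs.

Models how IOS matches an extended ACL entry (protocol, source, destination,
optional 'eq' port, first match wins, implicit deny) and runs the ACLs from
the HQ-IntEdge config above against a few constructed packets. Assumptions:
contiguous wildcard masks, and 203.0.113.10 as a stand-in Internet host.
"""
import ipaddress

PORT_NAMES = {"isakmp": 500, "www": 80}


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard: 1 bits are "don't care"; assumed contiguous (0.0.3.255 -> /22)
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefix = 32 - bin(wildcard).count("1")
    return ipaddress.IPv4Network((tok, prefix), strict=False), i + 2


def parse_acl(text):
    """Turn 'permit|deny PROTO SRC DST [eq PORT]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        port = None
        if i < len(tokens) and tokens[i] == "eq":
            name = tokens[i + 1]
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        rules.append((action, proto, src, dst, port, line.strip()))
    return rules


def evaluate(rules, pkt):
    """First matching entry wins; return (action, entry). Unmatched -> implicit deny."""
    for action, proto, src, dst, port, line in rules:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if ipaddress.IPv4Address(pkt["src"]) not in src:
            continue
        if ipaddress.IPv4Address(pkt["dst"]) not in dst:
            continue
        if port is not None and pkt.get("dport") != port:
            continue
        return action, line
    return "deny", "(implicit deny)"


# ACLs as posted for HQ-IntEdge
CRYPTO_101_POSTED = """
permit ip 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255
permit ip any any
permit gre 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255
"""
# ACL 101 after the first reply's edits (drop 'ip any any' and the gre line)
CRYPTO_101_TRIMMED = "permit ip 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255"
# Assumed alternative (not from the thread): match the GRE tunnel itself
CRYPTO_101_TUNNEL = "permit gre host 209.165.201.2 host 209.165.202.2"
INBOUND_HQ = """
permit ip 172.16.8.0 0.0.3.255 172.16.0.0 0.0.3.255
permit icmp host 209.165.202.2 host 209.165.201.2
permit udp host 209.165.202.2 host 209.165.201.2 eq isakmp
permit esp host 209.165.202.2 host 209.165.201.2
permit ahp host 209.165.202.2 host 209.165.201.2
deny ip any any
"""
NAT_ACL_HQ = """
deny ip 172.16.0.0 0.0.3.255 172.16.8.0 0.0.3.255
permit ip 172.16.0.0 0.0.3.255 any
"""

# Constructed packets as seen on GigabitEthernet0/0, where the crypto map,
# NAT and the INBOUND ACL are applied. GRE_HELLO is an EIGRP hello from
# Tunnel0 after GRE encapsulation: outer addresses are the tunnel endpoints.
GRE_HELLO = {"proto": "gre", "src": "209.165.201.2", "dst": "209.165.202.2"}
PING_REPLY = {"proto": "icmp", "src": "203.0.113.10", "dst": "209.165.201.2"}
LAN_TO_REMOTE = {"proto": "icmp", "src": "172.16.1.10", "dst": "172.16.9.10"}
LAN_TO_INTERNET = {"proto": "icmp", "src": "172.16.1.10", "dst": "203.0.113.10"}


def trace():
    """Run each constructed packet through the ACL that decides its fate."""
    return {
        "gre_posted_crypto_acl": evaluate(parse_acl(CRYPTO_101_POSTED), GRE_HELLO),
        "gre_trimmed_crypto_acl": evaluate(parse_acl(CRYPTO_101_TRIMMED), GRE_HELLO),
        "gre_tunnel_crypto_acl": evaluate(parse_acl(CRYPTO_101_TUNNEL), GRE_HELLO),
        "ping_reply_inbound": evaluate(parse_acl(INBOUND_HQ), PING_REPLY),
        "nat_to_remote_lan": evaluate(parse_acl(NAT_ACL_HQ), LAN_TO_REMOTE),
        "nat_to_internet": evaluate(parse_acl(NAT_ACL_HQ), LAN_TO_INTERNET),
    }


if __name__ == "__main__":
    for name, (action, entry) in trace().items():
        print(f"{name:24s} {action:6s} <- {entry}")
```

For the NAT list a `deny` result means "do not translate", which is the behaviour wanted for traffic that should enter the tunnel with its private addresses intact; for the crypto list a `deny` means the packet leaves the outside interface in clear text, where the far side's INBOUND list, which permits only ICMP, ISAKMP, ESP and AH from the peer, drops it.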