03-14-2013 02:20 AM - edited 03-04-2019 07:17 PM
Hi,
I have the following problem.
Situation:
- one main location M, with ASA5510 (v8.3) which has many (about 100) ipsec tunnels to remote locations. Local subnet is 172.16.254.0/24
- some of these remote locations have the same subnet, let's say there are 2 locations which use 192.168.1.0/24
- For one such location (let's call it A), I created a 'virtual subnet' 192.169.1.0/24 via a static NAT on the router at that location: ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias. This location has a Cisco 881 router.
The problem is that with this NAT configuration, Internet traffic at location A is not possible.
Question: what is the best way to solve this?
dot11 syslog
ip cef
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set ipsec_tun_cybercenter esp-3des esp-md5-hmac
crypto map CMAP 1 ipsec-isakmp
set peer x.x.x.x
set transform-set ipsec_tun_cybercenter
match address 105
ip ssh version 2
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 2/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
description LAN Interface
ip address 192.168.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
interface Dialer0
ip address negotiated
ip access-group 106 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username kpn password 7 082A5C40
crypto map CMAP
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias
access-list 101 deny ip 192.169.1.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 101 permit ip 192.169.1.0 0.0.0.255 any
access-list 105 permit ip 192.169.1.0 0.0.0.255 172.16.254.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
03-14-2013 02:33 AM
"ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias"
Perhaps you can try with a policy NAT (static NAT + route-map) to let NAT kick in only for IPsec.
Let us know if it solves the issue.
03-14-2013 06:16 AM
Thanks, I will try it and post the results.
03-15-2013 02:52 AM
Just to confirm that my thoughts are right, this would be the solution:
route-map STATIC_RMAP permit 1
match ip address STATIC_NAT_ACL
ip access-list extended STATIC_NAT_ACL
permit ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
ip nat inside source static 192.168.11.2 192.170.11.2 route-map STATIC_RMAP
This would NAT only the traffic that is going into the IPsec tunnel. Is this right?
03-16-2013 02:22 AM
Johan,
First, for better understanding, this link describes the difference between the access-list approach and the route-map approach:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
And I have labbed this scenario in GNS3; it worked with the configuration below.
Here R2 is the IPsec peer, and R3 simulates the Internet with a loopback interface 8.8.8.8.
Configuration:
PC:
PC(config)#do sh run
Building configuration...
Current configuration : 798 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PC
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
no crypto isakmp ccm
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R1:
R1(config)#do sh run
Building configuration...
Current configuration : 2011 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 8.8.123.2
no crypto isakmp ccm
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CM 10 ipsec-isakmp
set peer 8.8.123.2
set transform-set TS
match address vpn
!
interface FastEthernet0/0
ip address 8.8.123.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CM
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 8.8.123.3
ip route 172.16.0.0 255.255.255.0 8.8.123.2
!
!
ip nat pool 169 192.169.1.0 192.169.1.254 netmask 255.255.255.0
ip nat inside source route-map tointernet interface FastEthernet0/0 overload
ip nat inside source route-map toipsec pool 169
!
!
ip access-list extended vpn
permit ip 192.169.1.0 0.0.0.255 172.16.0.0 0.0.0.255 <- match after natted source
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!
route-map tointernet deny 10
match ip address 101
!
route-map tointernet permit 20
match ip address 111
!
route-map toipsec permit 10
match ip address 101
!
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R2:
R2#sh run
Building configuration...
Current configuration : 1208 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 8.8.123.1
no crypto isakmp ccm
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CM 10 ipsec-isakmp
set peer 8.8.123.1
set transform-set TS
match address vpn
!
interface Loopback0
ip address 172.16.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 8.8.123.2 255.255.255.0
duplex auto
speed auto
crypto map CM
!
no ip http server
no ip http secure-server
ip classless
ip route 192.169.1.0 255.255.255.0 8.8.123.1
!
ip access-list extended vpn
permit ip 172.16.0.0 0.0.0.255 192.169.1.0 0.0.0.255
!
!
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R3:
R3#sh run
Building configuration...
Current configuration : 815 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
no crypto isakmp ccm
!
interface Loopback0
ip address 8.8.8.8 255.255.255.0
!
interface FastEthernet0/0
ip address 8.8.123.3 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
==================================================================================================================
When the PC pings the IPsec destination, on R1:
*Mar 1 01:28:57.179: NAT*: s=192.168.1.2->192.169.1.1, d=172.16.0.1 [130]
*Mar 1 01:28:57.291: NAT*: s=172.16.0.1, d=192.169.1.1->192.168.1.2 [130]
*Mar 1 01:28:57.351: NAT*: s=192.168.1.2->192.169.1.1, d=172.16.0.1 [131]
*Mar 1 01:28:57.371: NAT*: s=172.16.0.1, d=192.169.1.1->192.168.1.2 [131]
*Mar 1 01:28:57.391: NAT*: s=192.168.1.2->192.169.1.1, d=172.16.0.1 [132]
*Mar 1 01:28:57.419: NAT*: s=172.16.0.1, d=192.169.1.1->192.168.1.2 [132]
*Mar 1 01:28:57.439: NAT*: s=192.168.1.2->192.169.1.1, d=172.16.0.1 [133]
*Mar 1 01:28:57.459: NAT*: s=172.16.0.1, d=192.169.1.1->192.168.1.2 [133]
*Mar 1 01:28:57.479: NAT*: s=192.168.1.2->192.169.1.1, d=172.16.0.1 [134]
When the PC pings 8.8.8.8, on R1:
*Mar 1 01:28:31.659: NAT*: s=192.168.1.2->8.8.123.1, d=8.8.8.8 [120]
*Mar 1 01:28:31.695: NAT*: s=8.8.8.8, d=8.8.123.1->192.168.1.2 [120]
*Mar 1 01:28:31.743: NAT*: s=192.168.1.2->8.8.123.1, d=8.8.8.8 [121]
*Mar 1 01:28:31.799: NAT*: s=8.8.8.8, d=8.8.123.1->192.168.1.2 [121]
*Mar 1 01:28:31.839: NAT*: s=192.168.1.2->8.8.123.1, d=8.8.8.8 [122]
*Mar 1 01:28:31.863: NAT*: s=8.8.8.8, d=8.8.123.1->192.168.1.2 [122]
*Mar 1 01:28:31.883: NAT*: s=192.168.1.2->8.8.123.1, d=8.8.8.8 [123]
*Mar 1 01:28:31.903: NAT*: s=8.8.8.8, d=8.8.123.1->192.168.1.2 [123]
*Mar 1 01:28:31.923: NAT*: s=192.168.1.2->8.8.123.1, d=8.8.8.8 [124]
HTH.
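Added here as an illustration, not code from the thread or from the GNS3 lab above: a small Python model of the inside-source NAT decision on R1, putting the poster's original static network NAT beside the route-map version from this answer and checking the crypto ACL against the post-NAT source. It assumes a fixed evaluation order (toipsec before tointernet) and that the site owns only its outside address 8.8.123.1; the function names are hypothetical.

```python
import ipaddress

OUTSIDE_IF = "8.8.123.1"   # R1 FastEthernet0/0 in the lab (the PAT address)

def wc_match(addr, base, wildcard):
    """IOS wildcard-mask match: bits set in the wildcard are don't-care."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for action, sb, sw, db, dw in acl:
        if wc_match(src, sb, sw) and wc_match(dst, db, dw):
            return action == "permit"
    return False

# access-list 101, 111 and the crypto ACL 'vpn' from R1 in the accepted answer.
ACL_101 = [("permit", "192.168.1.0", "0.0.0.255", "172.16.0.0", "0.0.0.255")]
ACL_111 = [("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]
ACL_VPN = [("permit", "192.169.1.0", "0.0.0.255", "172.16.0.0", "0.0.0.255")]

def to_169(src):
    """192.168.1.x -> 192.169.1.x, keeping the host part as the lab's pool does."""
    return "192.169.1.%d" % (int(ipaddress.ip_address(src)) & 0xFF)

def nat_static_network(src, dst):
    """Poster's original 'ip nat inside source static network' rule: every LAN
    source is rewritten, whatever the destination (dst is ignored)."""
    return to_169(src) if wc_match(src, "192.168.1.0", "0.0.0.255") else src

def nat_policy(src, dst):
    """Accepted answer, with an assumed fixed order: route-map toipsec (match
    101) -> pool 192.169.1.0/24; route-map tointernet (deny 101, permit 111)
    -> PAT to the outside interface; anything else stays untranslated."""
    if acl_permits(ACL_101, src, dst):      # toipsec permit 10
        return to_169(src)
    if acl_permits(ACL_111, src, dst):      # tointernet permit 20
        return OUTSIDE_IF
    return src

def internet_replies_return(translated_src):
    """Model assumption: the site owns only OUTSIDE_IF, so an Internet reply
    comes back only if the packet left with that source; 192.169.1.0/24 is
    public space belonging to someone else, so those replies are lost."""
    return translated_src == OUTSIDE_IF

def enters_tunnel(translated_src, dst):
    """The crypto map ACL is evaluated after inside-source NAT, so it must
    match the translated 192.169.1.x source ('match after natted source')."""
    return acl_permits(ACL_VPN, translated_src, dst)
```

With the static network rule, Internet-bound packets leave as 192.169.1.x and never get a reply; with the route-maps, only VPN-bound packets are translated to 192.169.1.x, and the rest are PATed to 8.8.123.1.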
03-19-2013 07:23 AM
Static nat + route-map did solve my problem, thanks for your input.