internet access problem with ipsec & nat

johan.lorier
Level 1

Hi,

I have the following problem.

Situation:

- one main location M, with ASA5510 (v8.3) which has many (about 100) ipsec tunnels to remote locations. Local subnet is 172.16.254.0/24

- some of these remote locations have the same subnet, let's say there are 2 locations which use 192.168.1.0/24

- for one such location (let's call it A), I created a 'virtual subnet' 192.169.1.0/24 which is a static NAT in the router at that location: ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias. This location has a Cisco 881 router.

The problem is that with this NAT configuration, internet traffic at location A is not possible.

Question: what is the best way to solve this?

dot11 syslog
ip cef
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ipsec_tun_cybercenter esp-3des esp-md5-hmac
crypto map CMAP 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ipsec_tun_cybercenter
 match address 105
ip ssh version 2
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
 description LAN Interface
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
interface Dialer0
 ip address negotiated
 ip access-group 106 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username kpn password 7 082A5C40
 crypto map CMAP
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias
access-list 101 deny   ip 192.169.1.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 101 permit ip 192.169.1.0 0.0.0.255 any
access-list 105 permit ip 192.169.1.0 0.0.0.255 172.16.254.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run


5 Replies

XIE YAO
Level 1

"ip nat inside source static network 192.168.1.0 192.169.1.0 /24 no-alias"

Perhaps you can try with a policy NAT (static NAT + route-map) to let NAT kick in only for IPsec.

Let us know if it solves the issue.

Thanks, I will try it and post the results.

Just to confirm that my thoughts are right, this would be the solution:

route-map STATIC_RMAP permit 1
 match ip address STATIC_NAT_ACL
ip access-list extended STATIC_NAT_ACL
 permit ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
ip nat inside source static 192.168.11.2 192.170.11.2 route-map STATIC_RMAP

This would NAT only the traffic that is going into the IPsec tunnel. Is this right?

Johan,

First, for better understanding, this link describes the difference between the access-list approach and the route-map approach:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

And I have labbed this scenario in GNS3; it worked with the configuration below.

Here R2 is the IPsec peer and R3 simulates the internet, with a loopback interface 8.8.8.8.

Configuration:

PC:

PC(config)#do sh run
Building configuration...

Current configuration : 798 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PC
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp ccm
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

R1:

R1(config)#do sh run
Building configuration...

Current configuration : 2011 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 8.8.123.2
no crypto isakmp ccm
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CM 10 ipsec-isakmp
set peer 8.8.123.2
set transform-set TS
match address vpn
!
!
!
!
interface FastEthernet0/0
ip address 8.8.123.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CM
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 8.8.123.3
ip route 172.16.0.0 255.255.255.0 8.8.123.2
!
!
ip nat pool 169 192.169.1.0 192.169.1.254 netmask 255.255.255.0
ip nat inside source route-map tointernet interface FastEthernet0/0 overload
ip nat inside source route-map toipsec pool 169
!
!
ip access-list extended vpn
permit ip 192.169.1.0 0.0.0.255 172.16.0.0 0.0.0.255 <- match after natted source

access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!
route-map tointernet deny 10
match ip address 101
!
route-map tointernet permit 20
match ip address 111
!
route-map toipsec permit 10
match ip address 101
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

R2:

R2#sh run
Building configuration...

Current configuration : 1208 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 8.8.123.1
no crypto isakmp ccm
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CM 10 ipsec-isakmp
set peer 8.8.123.1
set transform-set TS
match address vpn
!
!
!
!
interface Loopback0
ip address 172.16.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 8.8.123.2 255.255.255.0
duplex auto
speed auto
crypto map CM
!
no ip http server
no ip http secure-server
ip classless
ip route 192.169.1.0 255.255.255.0 8.8.123.1
!
!
!
!
ip access-list extended vpn
permit ip 172.16.0.0 0.0.0.255 192.169.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

R3:

R3#sh run
Building configuration...

Current configuration : 815 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name lab.local
no ip dhcp use vrf connected
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp ccm
!
!
!
!
interface Loopback0
ip address 8.8.8.8 255.255.255.0
!
interface FastEthernet0/0
ip address 8.8.123.3 255.255.255.0
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip classless
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

==================================================================================================================

When the PC pings the IPsec destination, on R1:

*Mar  1 01:28:57.179: NAT*: s=192.168.1.2->192.169.1.1, d=172.16.0.1 [130]
*Mar  1 01:28:57.291: NAT*: s=172.16.0.1, d=192.169.1.1->192.168.1.2 [130]
*Mar  1 01:28:57.351: NAT*: s=192.168.1.2->192.169.1.1, d=172.16.0.1 [131]
*Mar  1 01:28:57.371: NAT*: s=172.16.0.1, d=192.169.1.1->192.168.1.2 [131]
*Mar  1 01:28:57.391: NAT*: s=192.168.1.2->192.169.1.1, d=172.16.0.1 [132]
*Mar  1 01:28:57.419: NAT*: s=172.16.0.1, d=192.169.1.1->192.168.1.2 [132]
*Mar  1 01:28:57.439: NAT*: s=192.168.1.2->192.169.1.1, d=172.16.0.1 [133]
*Mar  1 01:28:57.459: NAT*: s=172.16.0.1, d=192.169.1.1->192.168.1.2 [133]
*Mar  1 01:28:57.479: NAT*: s=192.168.1.2->192.169.1.1, d=172.16.0.1 [134]

When the PC pings 8.8.8.8, on R1:

*Mar  1 01:28:31.659: NAT*: s=192.168.1.2->8.8.123.1, d=8.8.8.8 [120]
*Mar  1 01:28:31.695: NAT*: s=8.8.8.8, d=8.8.123.1->192.168.1.2 [120]
*Mar  1 01:28:31.743: NAT*: s=192.168.1.2->8.8.123.1, d=8.8.8.8 [121]
*Mar  1 01:28:31.799: NAT*: s=8.8.8.8, d=8.8.123.1->192.168.1.2 [121]
*Mar  1 01:28:31.839: NAT*: s=192.168.1.2->8.8.123.1, d=8.8.8.8 [122]
*Mar  1 01:28:31.863: NAT*: s=8.8.8.8, d=8.8.123.1->192.168.1.2 [122]
*Mar  1 01:28:31.883: NAT*: s=192.168.1.2->8.8.123.1, d=8.8.8.8 [123]
*Mar  1 01:28:31.903: NAT*: s=8.8.8.8, d=8.8.123.1->192.168.1.2 [123]
*Mar  1 01:28:31.923: NAT*: s=192.168.1.2->8.8.123.1, d=8.8.8.8 [124]

HTH.
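As an added illustration (not code from the thread or from Cisco), here is a small Python model of the order of operations the R1 lab config depends on: "ip nat inside" translates the packet first, and only the translated packet is compared against the crypto map's ACL, which is why the crypto ACL is written for 192.169.1.0/24. ACL, route-map and pool names follow R1's config; pool allocation as "next free address from the bottom of the pool" is an assumption made for the model.

```python
import ipaddress

# Constructed model (not Cisco code) of the order of operations the lab relies on:
# "ip nat inside" translates the packet first and only the translated packet is
# compared against the crypto map's ACL. Names follow R1's config; wildcard masks
# are written as CIDR; pool allocation "next free from the bottom" is an assumption.

ACL_101 = [("192.168.1.0/24", "172.16.0.0/24")]         # inside hosts -> VPN subnet
ACL_111 = [("192.168.1.0/24", "0.0.0.0/0")]             # inside hosts -> anywhere
CRYPTO_ACL_VPN = [("192.169.1.0/24", "172.16.0.0/24")]  # written for the NATed source
OUTSIDE_IF_ADDR = "8.8.123.1"                           # FastEthernet0/0 on R1
POOL_169 = ipaddress.ip_network("192.169.1.0/24")
TOINTERNET = [("deny", ACL_101), ("permit", ACL_111)]   # route-map tointernet
TOIPSEC = [("permit", ACL_101)]                          # route-map toipsec
_pool_alloc = {}                                         # inside host -> pool address

def acl_matches(acl, src, dst):
    """acl is a list of (src_net, dst_net) permit entries."""
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(s)
               and ipaddress.ip_address(dst) in ipaddress.ip_network(d)
               for s, d in acl)

def route_map(entries, src, dst):
    """Ordered (action, acl) entries; first match wins, no match means deny."""
    for action, acl in entries:
        if acl_matches(acl, src, dst):
            return action == "permit"
    return False

def pool_translate(src):
    """Dynamic 1:1 from pool 169: each new inside host takes the next free address."""
    if src not in _pool_alloc:
        _pool_alloc[src] = str(POOL_169.network_address + 1 + len(_pool_alloc))
    return _pool_alloc[src]

def nat_inside(src, dst):
    """Translated source for an inside->outside packet, per R1's two NAT statements."""
    if route_map(TOIPSEC, src, dst):
        return pool_translate(src)
    if route_map(TOINTERNET, src, dst):
        return OUTSIDE_IF_ADDR          # PAT (overload) on the outside interface
    return src                          # no NAT statement matched

def forward(src, dst, crypto_acl=CRYPTO_ACL_VPN):
    """NAT first, then the crypto ACL; returns (translated_src, encrypted)."""
    new_src = nat_inside(src, dst)
    return new_src, acl_matches(crypto_acl, new_src, dst)

if __name__ == "__main__":
    print(forward("192.168.1.2", "172.16.0.1"), forward("192.168.1.2", "8.8.8.8"))
```

Passing a crypto ACL written for the pre-NAT source 192.168.1.0/24 to forward() shows the pitfall flagged by "match after natted source": the VPN-bound packet is translated but never encrypted.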

Static NAT + route-map did solve my problem, thanks for your input.
