IPSEC & Routing Help Needed

simon.green
Level 1

Hi All,

Hope someone can help me? I have a little problem and can't for the life of me figure it out! I'm not too bad on Cisco kit but by no means an expert. I have a Cisco 2600 at Head Office (192.168.0.xxx network) and we have a Linksys at our Sat Site 1 (192.168.254.0) network.

I have a problem where at HQ we have 2 IPs NATed from the internet.

77.88.44.82 NAT's to 192.168.0.10

77.88.44.83 NAT's to 192.168.0.12

From the 192.168.0.xxx Network I can ping everything on the 192.168.254.xxx network. From the 192.168.254.xxx Network I can ping everything on the 192.168.0.xxx except 192.168.0.10, and 192.168.0.12.

If I remove the following lines from my config:

ip nat inside source static 192.168.0.10 77.88.44.82 route-map nonat
ip nat inside source static 192.168.0.12 77.88.44.83 route-map nonat

I can ping the addresses, so I know it's something to do with NATing.

Could anybody see anything in my config as to why it's not working? I'm using the nonat route-map but I just cannot figure out what's going on.

Here is my Config:

Running Config:

Current configuration : 8527 bytes
!
! Last configuration change at 21:34:32 UTC Wed Mar 3 1993 by cisc0adm1n
! NVRAM config last updated at 02:46:49 UTC Tue Mar 2 1993 by cisc0adm1n
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NDB-GW1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
no logging console
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
ip tcp synwait-time 10
!
!
ip inspect name ndbfw cuseeme timeout 3600
ip inspect name ndbfw rcmd timeout 3600
ip inspect name ndbfw realaudio timeout 3600
ip inspect name ndbfw udp timeout 15
ip inspect name ndbfw tcp timeout 3600
ip inspect name ndbfw h323 timeout 3600
ip inspect name ndbfw ftp timeout 3600
ip inspect name ndbfw icmp timeout 3600
ip inspect name ndbfw sip timeout 3600
ip inspect name ndbfw rtsp timeout 3600
!
ip audit po max-events 100
no ip bootp server
ip domain name ndb-europe.local
ip name-server 212.50.160.100
ip name-server 213.249.130.100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ************* address 87.112.122.130
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 87.112.122.130
set transform-set 3DES-SHA
set pfs group2
match address Crypto-list
!
!
!
interface Null0
no ip unreachables
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 1/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Ethernet0/0
description Inside Ethernet LAN
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
load-interval 30
full-duplex
no cdp enable
hold-queue 100 out
!
interface TokenRing0/0
no ip address
shutdown
ring-speed 16
no cdp enable
!
interface Serial1/0
no ip address
shutdown
no cdp enable
!
interface Serial1/1
no ip address
shutdown
no cdp enable
!
interface Serial1/2
no ip address
shutdown
no cdp enable
!
interface Serial1/3
no ip address
shutdown
no cdp enable
!
interface Dialer0
description Outside Connection to Karoo
bandwidth 960
ip address 77.88.44.81 255.255.255.248
ip access-group 111 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect ndbfw out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ***********************
ppp chap password 7 *********************
crypto map VPN-Map-1
!
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static udp 192.168.0.12 2727 77.88.44.81 2727 extendable
ip nat inside source static udp 192.168.0.12 5082 77.88.44.81 5082 extendable
ip nat inside source static tcp 192.168.0.15 80 77.88.44.81 80 extendable
ip nat inside source static tcp 192.168.0.15 8088 77.88.44.81 8088 extendable
ip nat inside source static tcp 192.168.0.17 8080 77.88.44.81 8080 extendable
ip nat inside source static udp 192.168.0.17 514 77.88.44.81 514 extendable
ip nat inside source static udp 192.168.0.17 162 77.88.44.81 162 extendable
ip nat inside source static 192.168.0.10 77.88.44.82 route-map nonat
ip nat inside source static 192.168.0.12 77.88.44.83 route-map nonat
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip dns server
!
ip access-list extended Crypto-list
permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
!
route-map nonat permit 10
match ip address 121
!
logging trap debugging
logging 192.168.0.17
access-list 4 remark NAT-ACL
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 4 permit 10.10.0.0 0.0.255.255
access-list 100 remark NAT-ACL
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit udp host 87.112.122.130 any eq isakmp
access-list 110 permit esp host 87.112.122.130 any
access-list 110 permit tcp any host 77.88.44.81 eq www
access-list 110 permit tcp any host 77.88.44.81 eq 8088
access-list 110 permit tcp any host 77.88.44.81 eq 443
access-list 110 permit tcp any host 77.88.44.81 eq 8080
access-list 110 permit udp any host 77.88.44.81 eq syslog
access-list 110 permit udp any host 77.88.44.81 eq snmptrap
access-list 110 permit tcp any host 77.88.44.82 eq 1723
access-list 110 permit tcp any host 77.88.44.82 eq 4125
access-list 110 permit tcp any host 77.88.44.82 eq 443
access-list 110 permit tcp any host 77.88.44.82 eq 444
access-list 110 permit tcp any host 77.88.44.82 eq 993
access-list 110 permit tcp any host 77.88.44.82 eq smtp
access-list 110 permit tcp any host 77.88.44.82 eq 8019
access-list 110 permit udp any host 77.88.44.82 eq 8019
access-list 110 permit gre any host 77.88.44.82
access-list 110 permit tcp any host 77.88.44.83 eq 2727
access-list 110 permit tcp any host 77.88.44.83 eq 5082
access-list 110 permit udp any host 77.88.44.83 range 5060 5062
access-list 110 permit udp any host 77.88.44.83 range 10000 20000
access-list 110 permit gre any any
access-list 110 deny   ip any any log
access-list 111 permit tcp any any eq domain
access-list 111 permit udp any any eq domain
access-list 111 permit ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 111 permit udp host 87.112.122.130 any eq isakmp
access-list 111 permit esp host 87.112.122.130 any
access-list 111 permit tcp any host 77.88.44.81 eq www
access-list 111 permit tcp any host 77.88.44.81 eq 8088
access-list 111 permit tcp any host 77.88.44.81 eq 443
access-list 111 permit tcp any host 77.88.44.81 eq 8080
access-list 111 permit udp any host 77.88.44.81 eq syslog
access-list 111 permit udp any host 77.88.44.81 eq snmptrap
access-list 111 permit tcp any host 77.88.44.82 eq 1723
access-list 111 permit tcp any host 77.88.44.82 eq 4125
access-list 111 permit tcp any host 77.88.44.82 eq 443
access-list 111 permit tcp any host 77.88.44.82 eq 444
access-list 111 permit tcp any host 77.88.44.82 eq 993
access-list 111 permit tcp any host 77.88.44.82 eq smtp
access-list 111 permit tcp any host 77.88.44.82 eq 8019
access-list 111 permit udp any host 77.88.44.82 eq 8019
access-list 111 permit gre any host 77.88.44.82
access-list 111 permit tcp any host 77.88.44.83 eq 2727
access-list 111 permit tcp any host 77.88.44.83 eq 5082
access-list 111 permit udp any host 77.88.44.83 range 5060 5062
access-list 111 permit udp any host 77.88.44.83 range 10000 20000
access-list 111 permit gre any any
access-list 111 deny   ip any any log
access-list 121 deny   ip host 192.168.0.0 192.168.254.0 0.0.0.255
access-list 121 permit ip 192.168.0.10 0.0.0.255 any
no cdp run
!
snmp-server community ndbsnmp RO
snmp-server location Comms Rack - Suite 29
snmp-server contact NDB Support
snmp-server chassis-id Cisco 2600 Router
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 192.168.0.17 version 2c ndbsnmp
!
banner motd ^CC
****************************
*      WARNING BANNER      *
****************************

WARNING - Authorized Access only

The owner and any subsidiary companies, has proprietary rights
over this system and data. Unauthorized access is unlawful and may
result in legal proceedings.

All access to this system is monitored.
^C
!
line con 0
privilege level 15
transport preferred all
transport output all
line aux 0
transport input telnet ssh
transport output all
line vty 0 4
privilege level 15
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
ntp master
!
end

Sh Version:

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-ADVSECURITYK9-M), Version 12.3(12), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 29-Nov-04 15:40 by kellythw
Image text-base: 0x80008098, data-base: 0x81321610

ROM: System Bootstrap, Version 12.2(10r)1, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-ADVSECURITYK9-M), Version 12.3(12), RELEASE SOFTWARE (fc3)

NDB-GW1 uptime is 1 hours, 6 minutes
System returned to ROM by reload at 07:36:39 UTC Thu Mar 4 1993
System restarted at 00:00:02 UTC Mon Mar 1 1993
System image file is "flash:c2600-advsecurityk9-mz.123-12.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 2612 (MPC860) processor (revision 0x00) with 61440K/4096K bytes of memory.
Processor board ID JAD06420NHZ (3618697550)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 Token Ring/IEEE 802.5 interface(s)
4 Low-speed serial(sync/async) network interface(s)
1 ATM network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102

Cheers

Si

4 Replies

Jon Marshall
Hall of Fame

Si

I don't know whether this is a typo but your acl 121

access-list 121 deny   ip host 192.168.0.0 192.168.254.0 0.0.0.255
access-list 121 permit ip 192.168.0.10 0.0.0.255 any

the first line should be -

access-list 121 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255

rather than "ip host 192.168.0.0"

your other line also looks wrong, i.e. no "host" entry. So acl 121 should look like -

access-list 121 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255

access-list 121 permit ip host 192.168.0.10 any

access-list 121 permit ip host 192.168.0.12 any

Jon
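
The following is an added example, not part of the thread or of any Cisco code, to show why the two ACL 121 lines in the posted config broke the site-to-site pings and why the corrected ACL fixes them. It models Cisco wildcard-mask matching, the `route-map nonat` gating the two static translations (the static entry applies only when ACL 121 permits the packet; a deny or no match means no translation), the dynamic overload NAT gated by ACL 100, and the `Crypto-list` match that selects traffic for the tunnel. IOS applies inside-to-outside NAT before the crypto map is consulted, so a reply from 192.168.0.10 that gets translated to 77.88.44.82 no longer matches the private-to-private crypto ACL and leaves Dialer0 unencrypted on the default route, which is what the remote site sees as a failed ping. Assumptions: the packets are constructed samples, 203.0.113.5 is a placeholder internet destination, `Crypto-list` is written as numbered list 199 so the same parser reads it, and port-specific static entries and the inspect firewall are not modelled.

```python
"""Simulate the NAT / no-NAT decision the thread's router makes on egress.

Models three things from the posted config: Cisco wildcard-mask ACL matching,
the 'route-map nonat' that gates the two static NAT entries, and the crypto
ACL that selects traffic for the IPsec tunnel. Port-specific static entries
and the inspect firewall are not modelled. All packets below are constructed
samples; the addresses are the ones in the thread.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, int, int, int, int]  # (action, src, src_wc, dst, dst_wc)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one IOS address spec: 'host A', 'any', or 'A WILDCARD'."""
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; other entries are skipped."""
    entries: List[Entry] = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, src_wc, rest = _addr(tok[4:])
        dst, dst_wc, _ = _addr(rest)
        entries.append((tok[2], src, src_wc, dst, dst_wc))
    return entries


def _wc_match(pkt: int, addr: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~wildcard & 0xFFFFFFFF
    return (pkt & care) == (addr & care)


def acl_action(entries: List[Entry], src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    s, d = _ip(src), _ip(dst)
    for action, a_src, a_swc, a_dst, a_dwc in entries:
        if _wc_match(s, a_src, a_swc) and _wc_match(d, a_dst, a_dwc):
            return action
    return "deny"


# ACL 121 exactly as posted, and as corrected in the reply above.
ACL_121_ORIGINAL = [
    "access-list 121 deny   ip host 192.168.0.0 192.168.254.0 0.0.0.255",
    "access-list 121 permit ip 192.168.0.10 0.0.0.255 any",
]
ACL_121_FIXED = [
    "access-list 121 deny   ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255",
    "access-list 121 permit ip host 192.168.0.10 any",
    "access-list 121 permit ip host 192.168.0.12 any",
]
# ACL 100 gates the dynamic overload NAT for everything else on the LAN.
ACL_100 = [
    "access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255",
    "access-list 100 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 100 permit ip 10.10.0.0 0.0.255.255 any",
]
# The named 'Crypto-list', written as number 199 (placeholder) so the same parser reads it.
CRYPTO_LIST = ["access-list 199 permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255"]

STATIC_NAT = {"192.168.0.10": "77.88.44.82", "192.168.0.12": "77.88.44.83"}
DIALER0 = "77.88.44.81"


def forward(acl121: List[str], src: str, dst: str) -> Tuple[str, str]:
    """Return (source address on the wire, 'ipsec' or 'clear') for an inside->outside packet.

    IOS translates inside->outside before the crypto map is consulted, so a
    packet that gets NATed no longer matches the private-to-private crypto ACL
    and leaves Dialer0 unencrypted, following the default route to the ISP.
    """
    wire_src = src
    if src in STATIC_NAT:
        # 'route-map nonat' matches ACL 121: the static translation applies
        # only when ACL 121 permits the packet; deny or no match means no NAT.
        if acl_action(parse_acl(acl121), src, dst) == "permit":
            wire_src = STATIC_NAT[src]
    elif acl_action(parse_acl(ACL_100), src, dst) == "permit":
        wire_src = DIALER0
    encrypted = acl_action(parse_acl(CRYPTO_LIST), wire_src, dst) == "permit"
    return wire_src, "ipsec" if encrypted else "clear"


if __name__ == "__main__":
    for label, acl in (("original", ACL_121_ORIGINAL), ("fixed", ACL_121_FIXED)):
        for src, dst in (("192.168.0.10", "192.168.254.20"),   # reply to the remote site
                         ("192.168.0.10", "203.0.113.5"),      # constructed internet host
                         ("192.168.0.50", "192.168.254.20")):  # ordinary LAN host
            print(f"ACL 121 {label:8s} {src} -> {dst}: {forward(acl, src, dst)}")
```

With the posted ACL, `host 192.168.0.0` only matches a source of exactly 192.168.0.0, so the deny never fires, and `192.168.0.10 0.0.0.255` matches the whole /24, so every packet from .10 is permitted, translated to 77.88.44.82 and sent outside the tunnel. Ordinary LAN hosts are unaffected because ACL 100 already denies LAN-to-remote traffic, which is why only .10 and .12 were unreachable. The fix works by denying the remote-site destination first and only then permitting the two hosts for internet-bound traffic. A quick on-box check for the same thing is `show ip nat translations` from the remote site while pinging: a translation for 192.168.0.10 to 77.88.44.82 with a 192.168.254.x destination means the exemption is not matching.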

Hi There,

Many thanks for your response :)

Awesome :) It works :) The only problem I have now though .... 192.168.0.10 is our PPTP VPN server, which now seems not to want to work. It verifies username and password but gets no further. I think it could possibly be a GRE issue? Just wondering if it's a coincidence or the above changes have affected it in some way?

Many thanks for your help.

Cheers

Si

Hi Again,

Just doing a bit of investigation with the PPTP VPN not working. If I remove the line:

ip nat inside source static 192.168.0.10 77.86.45.82 route-map nonat

and replace with

ip nat inside source static 192.168.0.10 77.86.45.82 - the VPN is fine. But now obviously I cannot ping it from the 192.168.254.xxx network again?

Any ideas on how to get around it?

Many Thanks Again

Si
