Ipsec Vpn in PAT configuration

prince.p (Level 1)

Hi All

I have configured an IPsec VPN with a PAT configuration in Packet Tracer. In this setup I am able to ping from R1 to the R3 router IP address and vice versa.

But I can't ping from the R1 LAN PC to the R3 LAN PC and vice versa.

My network: Router 1 ---- Router 2 ---- Router 3

Below is my configuration detail of Router 1

Router1#sh run
Building configuration...

Current configuration : 1327 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
ip dhcp excluded-address 10.1.0.1 10.1.0.20
!
ip dhcp pool network
network 10.1.0.0 255.255.255.0
default-router 10.1.0.1
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp key cisco@123 address 40.165.10.1
!
!
!
crypto ipsec transform-set r1-r3 esp-aes 128 esp-md5-hmac
!
crypto map ipsec-map 10 ipsec-isakmp
set peer 40.165.10.1
set transform-set r1-r3
match address vpn-traffic
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 20.165.10.1 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map ipsec-map
!
interface FastEthernet0/1
ip address 10.1.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 20.165.10.2
!
ip flow-export version 9
!
!
access-list 1 permit 10.1.0.0 0.0.0.255
ip access-list extended vpn-traffic
permit ip 10.1.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

 

Below is my Router 2 configuration

Router2#sh run
Building configuration...

Current configuration : 583 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 20.165.10.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 40.165.10.2 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

Below is my Router 3 configuration

Router3#sh run
Building configuration...

Current configuration : 1347 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool Router
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp key cisco@123 address 20.165.10.1
!
!
!
crypto ipsec transform-set r1-r3 esp-aes 128 esp-md5-hmac
!
crypto map ipsec-map 10 ipsec-isakmp
set peer 20.165.10.1
set transform-set r1-r3
match address vpn-traffic
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 40.165.10.1 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map ipsec-map
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 40.165.10.2
!
ip flow-export version 9
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip access-list extended vpn-traffic
permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

Can anyone help me with how to configure an IPsec VPN with a PAT configuration?

11 Replies

Hello,

 

typically, you need to deny the traffic that is going through the VPN from being NATted. Make the changes marked in bold to your Router1 and Router3 configurations:

 

Router1#

 

Current configuration : 1327 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip dhcp excluded-address 10.1.0.1 10.1.0.20
!
ip dhcp pool network
network 10.1.0.0 255.255.255.0
default-router 10.1.0.1
!
ip cef
no ipv6 cef
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp key cisco@123 address 40.165.10.1
!
crypto ipsec transform-set r1-r3 esp-aes 128 esp-md5-hmac
!
crypto map ipsec-map 10 ipsec-isakmp
set peer 40.165.10.1
set transform-set r1-r3
match address vpn-traffic
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 20.165.10.1 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map ipsec-map
!
interface FastEthernet0/1
ip address 10.1.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 20.165.10.2
!
ip flow-export version 9
!
! NAT ACL: exempt the VPN (encryption-domain) traffic from PAT, then PAT the rest
! (extended ACL entries need the protocol keyword "ip")
access-list 100 deny ip 10.1.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
!
ip access-list extended vpn-traffic
permit ip 10.1.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end

 

Router3#


Current configuration : 1347 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool Router
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
ip cef
no ipv6 cef
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp key cisco@123 address 20.165.10.1
!
crypto ipsec transform-set r1-r3 esp-aes 128 esp-md5-hmac
!
crypto map ipsec-map 10 ipsec-isakmp
set peer 20.165.10.1
set transform-set r1-r3
match address vpn-traffic
!
spanning-tree mode pvst
!
interface FastEthernet0/0
ip address 40.165.10.1 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map ipsec-map
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 40.165.10.2
!
ip flow-export version 9
!
! NAT ACL: exempt the VPN (encryption-domain) traffic from PAT, then PAT the rest
! (extended ACL entries need the protocol keyword "ip" and a destination)
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn-traffic
permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end

Hi Georg,

Thanks for your solution. I need to know why we need to deny traffic from R1 to R3.

In my configuration, I already permit traffic from the R1 LAN to the R3 LAN, i.e.

# permit ip 10.1.0.0 0.0.0.255 192.168.1.0 0.0.0.255

Can you explain the reason why we need to deny traffic from R1 to R3 from being NATed?

Hello,

 

does it work now?

 

Traffic within the VPN encryption domain must be excluded from NAT, because the VPN does not recognize the NAT address (that is the IP address of the NAT outside interface) and will drop it.

Hi georg,
I need to know why we deny and permit the same IP addresses in the access lists:

access-list 100 deny 10.1.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 10.1.0.0 0.0.0.255 any
!
ip access-list extended vpn-traffic
permit ip 10.1.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
In the first ACL we deny traffic 10.1.0.0 0.0.0.255 192.168.0.1 0.0.0.255 and in the second ACL we permit the same IP addresses. This makes me confused. Can you please explain this?

 

The first acl is used for NAT and you are saying do not NAT the 10.1.0.x IPs if the destination IPs are 192.168.1.x. 

 

The second acl is used to tell the router which traffic to send down the VPN tunnel. 

 

If you did not tell the router not to NAT those 10.1.0.x IPs in the first acl then the traffic would not match the second acl and would not be sent through the tunnel. 

 

Jon

Thanks, Jon. Now my doubt is cleared.

Hello,

 

in addition to what Jon says, the access lists also need to mirror each other on each side of the VPN...

Thanks, George. Now my doubt is cleared.

Hi George,

 

As you said, I modified the commands, but I still can't ping from the Router 1 LAN to the Router 3 LAN.

Below are the configurations

Router 1

Router#sh run
Building configuration...

Current configuration : 1354 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
ip dhcp excluded-address 10.1.0.1 10.1.0.20
!
ip dhcp pool network
network 10.1.0.0 255.255.255.0
default-router 10.1.0.1
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp key cisco@123 address 40.165.10.1
!
!
!
crypto ipsec transform-set prince esp-aes 128 esp-md5-hmac
!
crypto map ipsec-map 10 ipsec-isakmp
set peer 40.165.10.1
set transform-set prince
match address vpn-traffic
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 20.165.10.1 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map ipsec-map
!
interface FastEthernet0/1
ip address 10.1.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 20.165.10.2
!
ip flow-export version 9
!
!
ip access-list extended vpn-traffic
permit ip 10.1.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 10.1.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

 

Router 3

 

Router3#sh run
Building configuration...

Current configuration : 1372 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router3
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool Router
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp key cisco@123 address 20.165.10.1
!
!
!
crypto ipsec transform-set prince esp-aes 128 esp-md5-hmac
!
crypto map ipsec-map 10 ipsec-isakmp
set peer 20.165.10.1
set transform-set prince
match address vpn-traffic
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 40.165.10.1 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map ipsec-map
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 40.165.10.2
!
ip flow-export version 9
!
!
ip access-list extended vpn-traffic
permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end

 

 

Hello,

 

the access list on R3 is wrong. You have:

 

access-list 100 deny ip 192.168.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any

 

It needs to be:

 

access-list 100 deny ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
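To make Jon's point about the two ACLs and George's point about the 192.168.0.0 typo concrete, here is a small simulation of how an IOS router classifies an outbound packet: the NAT ACL is consulted first (and PAT rewrites the source to the outside interface address), then the crypto ACL decides whether the packet goes into the tunnel. This is an added example written for this thread, not code from Cisco or from any of the posters; the ACL evaluator is a deliberate simplification (IP-only entries, wildcard masks, first match wins, implicit deny), and the packet addresses and the `demo` function are constructed for illustration. Addresses and ACL entries are taken from the configurations posted above.

```python
"""Simulate NAT-before-crypto classification on a Cisco IOS router to show why
VPN-bound traffic must be exempted from PAT.  Added example for this thread,
not vendor code; the evaluator is a simplification (IP-only, wildcard masks,
first match wins, implicit deny)."""
import ipaddress


def _matches(addr, network, wildcard):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_action(acl, src, dst):
    """Evaluate an ACL (list of (action, src, src_wc, dst, dst_wc)) top-down.
    First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if _matches(src, s, s_wc) and _matches(dst, d, d_wc):
            return action
    return "deny"


def classify(src, dst, nat_acl, crypto_acl, outside_ip):
    """Return (source address on the wire, 'tunnel' or 'clear') for a packet
    leaving the outside interface.  On the inside-to-outside path IOS applies
    NAT before it checks the crypto map, so a PAT-ed source can no longer
    match the crypto ACL."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = outside_ip  # PAT rewrites the source to the outside interface IP
    path = "tunnel" if acl_action(crypto_acl, src, dst) == "permit" else "clear"
    return src, path


def is_mirror(acl_a, acl_b):
    """True if every entry of one crypto ACL appears in the other with source
    and destination swapped (the 'mirror image' requirement George mentions)."""
    flipped = {(act, d, d_wc, s, s_wc) for act, s, s_wc, d, d_wc in acl_b}
    return set(acl_a) == flipped


ANY = ("0.0.0.0", "255.255.255.255")
R1_OUTSIDE = "20.165.10.1"

# R1 as first posted: standard ACL 1 PATs everything sourced from 10.1.0.0/24
R1_NAT_ORIGINAL = [("permit", "10.1.0.0", "0.0.0.255", *ANY)]
# R1 after the fix: exempt the VPN traffic from NAT, then PAT the rest
R1_NAT_FIXED = [("deny", "10.1.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
                ("permit", "10.1.0.0", "0.0.0.255", *ANY)]
# The typo from the follow-up post: 192.168.0.0 instead of 192.168.1.0
R1_NAT_TYPO = [("deny", "10.1.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
               ("permit", "10.1.0.0", "0.0.0.255", *ANY)]
# Crypto ACLs (ip access-list extended vpn-traffic) on each side
R1_CRYPTO = [("permit", "10.1.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]
R3_CRYPTO = [("permit", "192.168.1.0", "0.0.0.255", "10.1.0.0", "0.0.0.255")]


def demo():
    """Classify a constructed LAN-to-LAN ping under each NAT ACL variant."""
    pkt = ("10.1.0.10", "192.168.1.10")  # constructed R1-LAN -> R3-LAN packet
    return {
        "original": classify(*pkt, R1_NAT_ORIGINAL, R1_CRYPTO, R1_OUTSIDE),
        "fixed": classify(*pkt, R1_NAT_FIXED, R1_CRYPTO, R1_OUTSIDE),
        "typo": classify(*pkt, R1_NAT_TYPO, R1_CRYPTO, R1_OUTSIDE),
        # Internet-bound traffic is still PAT-ed and bypasses the tunnel
        "internet": classify("10.1.0.10", "8.8.8.8", R1_NAT_FIXED, R1_CRYPTO, R1_OUTSIDE),
        "mirrored": is_mirror(R1_CRYPTO, R3_CRYPTO),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

With the original configuration (and with the 192.168.0.0 typo) the LAN-to-LAN packet is PAT-ed to 20.165.10.1 before the crypto map is consulted, no longer matches `vpn-traffic`, and leaves in the clear, which is why the pings failed even though the crypto ACL looked right. With the corrected `deny` entry the packet keeps its 10.1.0.10 source, matches the crypto ACL and is tunnelled, while ordinary Internet traffic is still PAT-ed as before; the `is_mirror` check confirms that R3's crypto ACL is the exact mirror of R1's.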

Thanks, George

Now I can ping from the R1 LAN to the R3 LAN.
