ISR 819 NAT ACL's

1970IT (Level 1)

Hi All

I am setting up an ISR 819 4g router for the first time and have a few questions.

I have the config 'working' in that I have a 4g connection, an IPsec s2s established and traffic nat'd out.

I followed the 819 configuration guide from Cisco.

Where I am struggling is with the Nat statement and ACL's - I will confess I am fairly new to Cisco and use ASDM on the ASA for the most part.


Everything is working outbound and down the tunnel from the ISR to the ASA, Ping, RDP, etc.  I can ping clients on the ISR side from the ASA side but cannot RDP for example.


I want to be able to permit and deny traffic using ACL's but whenever I create a new ACL and apply it to the Cellular 0 Interface, all traffic seems to stop flowing and I can get internet access.  How can I achieve this while retaining the NAT overload?


Config as follows:

Building configuration...

Current configuration : 4865 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HOSTNAME
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-854623393
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-854623393
revocation-check none
rsakeypair TP-self-signed-854623393
!
!
!
!
!
!
!
ip dhcp excluded-address 172.16.245.1
ip dhcp excluded-address 172.16.245.131
!
ip dhcp pool DHCP
network 172.16.245.0 255.255.255.0
dns-server 172.16.1.28 8.8.8.8
default-router 172.16.245.1
!
!
!
ip domain name xxx
ip name-server xxx
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
controller Cellular 0
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key PSKHERE address PEER ADDRESS HERE
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map map-star-s2s 1 ipsec-isakmp
set peer PEER ADDRESS HERE
set transform-set aes-sha
match address acl-star-s2s
!
!
!
interface Cellular0
ip address negotiated
ip access-group acl-inside-access-out out
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
crypto map map-star-s2s
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 172.16.245.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
no ip address
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
ip nat inside source list acl_nat interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0 permanent
ip route 172.16.0.0 255.255.0.0 next hop
!
ip access-list extended acl-outside-in
ip access-list extended acl-star-s2s
permit ip 172.16.245.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended acl_nat
deny ip 172.16.245.0 0.0.0.255 172.16.0.0 0.0.255.255
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
permit icmp any any
permit tcp any 172.16.0.0 0.0.255.255 eq 3389
permit udp any 172.16.0.0 0.0.255.255 eq 3389
permit tcp any host 172.16.1.9 eq smtp
permit tcp any 172.16.0.0 0.0.255.255 eq 5900
!
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
end


Many Thanks


Colin


3 Replies

Hello,


You don't really need an access list on the Cellular interface, although an anti-spoofing access list cannot do any harm. I have made a few adjustments to your config (marked in bold). This is how the 819 is usually configured:


Current configuration : 4865 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HOSTNAME
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-854623393
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-854623393
revocation-check none
rsakeypair TP-self-signed-854623393
!
ip dhcp excluded-address 172.16.245.1
ip dhcp excluded-address 172.16.245.131
!
ip dhcp pool DHCP
network 172.16.245.0 255.255.255.0
dns-server 172.16.1.28 8.8.8.8
default-router 172.16.245.1
!
ip domain name xxx
ip name-server xxx
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
controller Cellular 0
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key PSKHERE address PEER ADDRESS HERE
crypto isakmp keepalive 30
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
mode tunnel
!
crypto map map-star-s2s 1 ipsec-isakmp
set peer PEER ADDRESS HERE
set transform-set aes-sha
match address acl-star-s2s
!
interface Cellular0
ip address negotiated
ip access-group ANTI_SPOOF in
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
crypto map map-star-s2s
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 172.16.245.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
no ip address
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
ip nat inside source list acl_nat interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0 permanent
!
ip access-list extended ANTI_SPOOF
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
permit ip any any
!
ip access-list extended acl-star-s2s
permit ip 172.16.245.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended acl_nat
deny ip 172.16.245.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip 172.16.245.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
end

Thanks, this is perhaps a bit neater but hasn't resolved my access issue: I can't access devices on the ISR side from the ASA side through the tunnel. Traffic in the other direction is fine.

First I would like to address this:

I can't access devices on the ISR side from the ASA side through the tunnel

Can you clarify this? Are you saying that you cannot bring up the VPN tunnel by initiating traffic from the ASA side? Or are you saying that even when the tunnel is already up you cannot access ISR resources from the ASA side? The first case is expected behavior. When operating a site-to-site VPN where one side has a dynamically assigned address (as your ISR does) and the other side has a static address, the tunnel will operate fine but must be initiated from the dynamic side. So I am not surprised if the ASA cannot initiate the tunnel. If the ASA cannot access the ISR once the tunnel is up then I am surprised and we need to investigate further.

It is a bit of a picky point but I would like to point out something in the NAT ACL. The address and mask used for 172.16.0.0 do not match the address and mask used for that network in the crypto ACL.

ip access-list extended acl_nat
deny ip 172.16.245.0 0.0.0.255 172.16.0.0 0.0.255.255

It looks like the subnet on the ASA is 172.16.1.0/24 and so the entry in the NAT ACL should be 172.16.1.0 0.0.0.255.

HTH


Rick
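Added example (not code from this thread or from Cisco): a small Python model of IOS first-match extended ACL evaluation with wildcard masks, used to check two points made above, the ANTI_SPOOF list from the first reply applied inbound on Cellular0, and Rick's point that the acl_nat deny should mirror the crypto ACL (here with the 172.16.1.0 0.0.0.255 entry he suggests) so tunnel-bound flows are exempt from NAT while internet-bound flows are translated. The sample flow addresses and the public addresses are constructed.

```python
import ipaddress

def _wild_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match exactly.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def _take_addr(tokens):
    # Consume one address field: "any" | "host A.B.C.D" | "A.B.C.D WILDCARD".
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def acl_action(acl_text, src, dst):
    """First-match evaluation of an IOS extended ACL, implicit deny at the end.
    Only source/destination addresses are checked; protocol and port qualifiers
    are ignored, which is exact for the plain 'ip' entries used below."""
    for line in acl_text.strip().splitlines():
        tokens = line.split()
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol keyword
        s_base, s_wild = _take_addr(rest)
        d_base, d_wild = _take_addr(rest)
        if _wild_match(src, s_base, s_wild) and _wild_match(dst, d_base, d_wild):
            return action
    return "deny"

# ACLs from the thread: ANTI_SPOOF from the first reply; acl_nat with the
# 172.16.1.0 0.0.0.255 deny Rick suggests so that it mirrors the crypto ACL.
ANTI_SPOOF = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
permit ip any any
"""
CRYPTO_ACL = "permit ip 172.16.245.0 0.0.0.255 172.16.1.0 0.0.0.255"
NAT_ACL = """
deny ip 172.16.245.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.16.245.0 0.0.0.255 any
"""

def nat_tunnel_conflicts(nat_acl, crypto_acl, flows):
    """Flows (src, dst) the crypto ACL selects for the tunnel that the NAT ACL
    would also translate: they would reach the ASA with a translated source."""
    return [(s, d) for s, d in flows
            if acl_action(crypto_acl, s, d) == "permit"
            and acl_action(nat_acl, s, d) == "permit"]
```

Running `nat_tunnel_conflicts` with a NAT ACL that lacks the deny line returns the LAN-to-ASA flow as a conflict, which is the situation the NAT exemption entry exists to prevent.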
