1968 Views | 0 Helpful | 11 Replies

ISR4431 NAT with IPIP tunnel

Seth Beauchamp
Level 1
I have a router sitting behind an ISR4431 that is trying to establish an IPIP tunnel with another router on the internet. The ISR 4431 has an overload NAT statement NATing to the public internet IP. I am unable to establish an IPIP tunnel and it appears to be a problem with NAT. If I use a static 1 to 1 NAT, the tunnel will establish. It was previously working on an old 2801, but I had to replace that with the ISR4431 to upgrade bandwidth. Is there any way to get around this without using a static 1 to 1 NAT?
11 Replies

Hello Seth,

are you using route maps in your NAT, e.g.:

ip nat inside source route-map IPIP interface FastEthernet0/0 overload

route-map IPIP permit 10
 match ip address 101
 match interface FastEthernet0/0

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Nope, no route map, just an ACL, such as "ip nat inside source 101 gi1/0/1 overload".

Hello Seth,

can you try the route map as in my suggestion?

Also, what is the output of 'show ip nat translations' with your current setup?

With your route map I see the following:

80.80.79.212 is the public IP of the tunnel on the internet

100.80.12.37 is the private IP of the tunnel on the internet

100.80.12.38 is the private IP of the tunnel behind the ISR4431

172.16.168.53 is the "public" IP of the tunnel behind the ISR4431, which should be translated to 12.12.175.122

guest01-TW-Internet#show monitor capture SDW_CAP buffer br
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
0 62 0.000000 80.80.79.212 -> 12.12.175.122 GRE
1 78 1.590033 100.80.12.38 -> 100.80.12.37 TCP
2 74 1.590033 12.12.175.122 -> 100.80.12.37 TCP
3 78 4.139000 100.80.12.38 -> 100.80.12.37 TCP
4 74 4.139000 12.12.175.122 -> 100.80.12.37 TCP
5 78 5.140007 100.80.12.38 -> 100.80.12.37 TCP
6 74 5.140007 12.12.175.122 -> 100.80.12.37 TCP
7 78 5.725020 172.16.168.53 -> 169.254.169.254 TCP
8 78 6.730025 172.16.168.53 -> 169.254.169.254 TCP
9 78 7.150001 100.80.12.38 -> 100.80.12.37 TCP
10 74 7.150001 12.12.175.122 -> 100.80.12.37 TCP
11 66 8.120004 172.16.168.53 -> 80.80.79.212 GRE
12 78 8.740019 172.16.168.53 -> 169.254.169.254 TCP
13 62 10.051007 80.80.79.212 -> 12.12.175.122 GRE
14 78 11.159995 100.80.12.38 -> 100.80.12.37 TCP
15 74 11.159995 12.12.175.122 -> 100.80.12.37 TCP

guest01-TW-Internet#sh ip nat trans | i 172.16.168.53

guest01-TW-Internet#sh ip nat trans | i 79.212
guest01-TW-Internet#sh ip nat trans | i 100.80
tcp 12.12.175.122:4888 100.80.12.38:48873 100.80.12.37:179 100.80.12.37:179
tcp 12.12.175.122:4108 100.80.12.38:38859 100.80.12.37:179 100.80.12.37:179
tcp 12.12.175.122:4882 100.80.12.38:32944 100.80.12.37:179 100.80.12.37:179
tcp 12.12.175.122:4098 100.80.12.38:39730 100.80.12.37:179 100.80.12.37:179

The only thing I see getting NATed is in that bottom command; the ISR should not know about the 100.80.x.x IPs.

guest01-TW-Internet#sh run | sec ip nat inside
ip nat inside source route-map NAT interface GigabitEthernet0/0/1 overload


guest01-TW-Internet#sh run | sec route-map NAT
route-map NAT permit 10
match ip address 110
match interface GigabitEthernet0/0/1

guest01-TW-Internet#sh ip access-lists 110
Extended IP access list 110
10 permit ip 172.16.166.0 0.0.0.255 any
20 permit ip 172.16.168.0 0.0.0.255 any
30 permit ip 172.16.162.0 0.0.1.255 any
40 permit ip 100.80.0.0 0.0.255.255 any

Hello Seth,

can you post the configs of both routers? I want to lab this in GNS3...

The two endpoints aren't Cisco devices. I've included a snapshot of the tunnel interfaces on those devices; let me know if you need more information to go on, though.

Side A > ISR4k > (internet) Side B

Keep in mind, the config on Side A and B hasn't changed and was working. Changing from an old Cisco 2801 to the newer Cisco ISR4k caused this to stop working. So I think it's a good assumption that the two endpoints are fine.

Seth,

there is a global command on the ISR which is relevant for NAT sessions:

ip nat create flow-entries

Try and configure this on your router...

Did not seem to make a difference, unfortunately.

Hello Seth,

I have done some further research. Can you try and deny IPinIP traffic in your NAT route map:

access-list 110 deny 4 any any

Still nothing. I tried adding that line at the top of the ACL, then at the bottom of the ACL. BTW, I can use IPsec (on the two endpoints) to hide the IPIP and the tunnel will come up, but I am unable to do so when IPsec is removed.

Nothing shows up in show ip nat trans:

guest01-TW-Internet#sh mon capture SDW_CAP buffer br
-------------------------------------------------------------
# size timestamp source destination protocol
-------------------------------------------------------------
0 78 0.000000 172.16.168.53 -> 169.254.169.254 TCP
1 584 0.098994 172.16.168.53 -> 90.80.212.168 TCP
2 70 0.198995 172.16.168.53 -> 90.80.212.168 TCP
3 70 0.198995 172.16.168.53 -> 90.80.212.168 TCP
4 88 0.198995 172.16.168.53 -> 80.80.79.212 IPinIP
5 84 0.198995 172.16.168.53 -> 80.80.79.212 IPinIP
6 90 0.216984 80.80.79.212 -> 12.12.175.122 IPinIP
7 94 0.349988 80.80.79.212 -> 12.12.175.122 IPinIP
8 585 1.208989 172.16.168.53 -> 90.80.212.168 TCP
9 90 1.220982 80.80.79.212 -> 12.12.175.122 IPinIP
10 70 1.308990 172.16.168.53 -> 90.80.212.168 TCP
11 70 1.308990 172.16.168.53 -> 90.80.212.168 TCP
12 88 1.308990 172.16.168.53 -> 80.80.79.212 IPinIP
13 84 1.308990 172.16.168.53 -> 80.80.79.212 IPinIP
14 78 2.009994 172.16.168.53 -> 169.254.169.254 TCP
15 90 2.226993 80.80.79.212 -> 12.12.175.122 IPinIP
16 597 2.318984 172.16.168.53 -> 90.80.212.168 TCP
17 70 2.419036 172.16.168.53 -> 90.80.212.168 TCP
18 70 2.419036 172.16.168.53 -> 90.80.212.168 TCP
19 88 2.419036 172.16.168.53 -> 80.80.79.212 IPinIP
20 84 2.419036 172.16.168.53 -> 80.80.79.212 IPinIP
21 139 2.829004 172.16.168.53 -> 255.255.255.255 UDP
22 150 2.829004 172.16.168.53 -> 80.80.79.212 IPinIP
23 146 2.829004 172.16.168.53 -> 80.80.79.212 IPinIP
24 90 3.226993 80.80.79.212 -> 12.12.175.122 IPinIP
25 585 3.429030 172.16.168.53 -> 90.80.212.168 TCP
26 70 3.519022 172.16.168.53 -> 90.80.212.168 TCP
27 70 3.519022 172.16.168.53 -> 90.80.212.168 TCP
28 88 3.519022 172.16.168.53 -> 80.80.79.212 IPinIP
29 84 3.519022 172.16.168.53 -> 80.80.79.212 IPinIP
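
An added diagnostic helper, not from the thread, for the two 'show monitor capture ... buffer brief' listings posted above. It parses that output, uses the inside prefixes from ACL 110 and the public address 12.12.175.122 as stated in the thread, and lists inside-sourced packets that have no translated twin (same timestamp, destination and protocol with the public source). It assumes the capture sees both the inside and the outside copy of a translated packet, which is what the paired TCP lines from 100.80.12.38 suggest; packets are also flagged when their protocol carries no Layer 4 ports, since an overload (PAT) entry has nothing to key on for GRE or IPinIP.

```python
"""Constructed helper (not from the thread): parse IOS capture 'buffer brief'
output and report inside-sourced packets that never show up translated."""
import ipaddress
import re

# Values taken from the thread: inside prefixes from ACL 110, PAT public address.
INSIDE = [ipaddress.ip_network(p) for p in
          ("172.16.166.0/24", "172.16.168.0/24", "172.16.162.0/23", "100.80.0.0/16")]
PUBLIC = "12.12.175.122"
PORTLESS = {"GRE", "IPinIP"}   # no L4 ports for an overload entry to key on
PORTLESS_REASON = "no L4 ports, so a PAT overload entry cannot be keyed per session"
NO_TWIN_REASON = "no translated copy observed in the capture"

# "<n> <size> <timestamp> <src> -> <dst> <proto>"; headers and rulers do not match.
LINE = re.compile(r"^\s*\d+\s+\d+\s+([\d.]+)\s+([\d.]+)\s+->\s+([\d.]+)\s+(\S+)\s*$")

# Excerpt assembled from the two captures in the thread.
SAMPLE = """\
# size timestamp source destination protocol
-------------------------------------------------------------
0 62 0.000000 80.80.79.212 -> 12.12.175.122 GRE
1 78 1.590033 100.80.12.38 -> 100.80.12.37 TCP
2 74 1.590033 12.12.175.122 -> 100.80.12.37 TCP
7 78 5.725020 172.16.168.53 -> 169.254.169.254 TCP
11 66 8.120004 172.16.168.53 -> 80.80.79.212 GRE
4 88 0.198995 172.16.168.53 -> 80.80.79.212 IPinIP
"""

def parse_capture(text):
    """Return (timestamp, src, dst, proto) tuples for every packet line."""
    return [m.groups() for m in map(LINE.match, text.splitlines()) if m]

def is_inside(addr):
    return any(ipaddress.ip_address(addr) in net for net in INSIDE)

def untranslated(pkts):
    """List (src, dst, proto, reason) for inside packets lacking a translated twin."""
    twins = {(ts, dst, proto) for ts, src, dst, proto in pkts if src == PUBLIC}
    report = []
    for ts, src, dst, proto in pkts:
        if not is_inside(src) or (ts, dst, proto) in twins:
            continue
        reason = PORTLESS_REASON if proto in PORTLESS else NO_TWIN_REASON
        report.append((src, dst, proto, reason))
    return report

if __name__ == "__main__":
    for row in untranslated(parse_capture(SAMPLE)):
        print("%-15s -> %-15s %-7s %s" % row)
```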

Hi Seth, I'm facing the same scenario with an 877 router and ADSL wan interface. Have you been able to solve this problem?

Any help will be greatly appreciated.

Regards.

Gustavo
