Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
158
Views
0
Helpful
1
Replies
LISP and static Outside NAT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
07-17-2017 12:58 AM - edited 03-05-2019 08:51 AM
Hello,
my scenario
Lisp Site connected to Internet and GetVPN. This Lisp Site has also an IPsec IKEv1 tunnel bound. Lisp in generell is working without any problems. The IKEv1 tunnel is also working without any problems (phase 1 and phase 2 active and has spi). At the other end of the IPSec tunnel there is a company which don´t allow the inside IP-Adresses from the Lisp site. At the Lisp Site the interface pointing into the local LAN is configured with ip nat inside. The interface pointing directly to the internet is configured with ip nat outside.
The external company must reach only one ip-address (static ip nat outside) of the local lan from the lisp site.
The external company build up the connection to the inside Lisp site lan. Regarding this, I have to configure a static ip nat outside (nat outside global nat outside local) command. It seems that my configuration in general is okay, but if the external company do a ping to the global NAT address, the crypto map encrypt the packets, the lisp site decrypt the packets but no encrypt into the IPSec tunnel back. If I do a sh ip nat translation, there is no nat translation done. If I have a look at the „order of operation“ outside to inside there is the first point (IPSec decrypt, which is okay, nat outside to inside which is not working) Routing is the third step.
So where is my problem?
I have build via GNS3 a 100% identical scenario. There I can see the same issue. Here are my configuration and my debug outputs inclusive the show commands.
The router name RepCZ-LR01 are the customer facing router and the router name Info are the external company.
GetVPN output:
RepCZ-LR01#sh cry gdoi
GROUP INFORMATION
Group Name : V4GROUP-0001
Group Identity : 10001
Group Type : GDOI (ISAKMP)
Crypto Path : ipv4
Key Management Path : ipv4
Rekeys received : 0
IPSec SA Direction : Both
Group Server list : 10.11.1.5
Group Member Information For Group V4GROUP-0001:
IPSec SA Direction : Both
ACL Received From KS : gdoi_group_V4GROUP-0001_temp_acl
Group member : 10.11.3.106 vrf: None
Local addr/port : 10.11.3.106/848
Remote addr/port : 10.11.1.5/848
fvrf/ivrf : None/None
Version : 1.0.12
Registration status : Registered
Registered with : 10.11.1.5
Re-registers in : 6815 sec
Succeeded registration: 1
Attempted registration: 1
Last rekey from : 0.0.0.0
Last rekey seq num : 0
Multicast rekey rcvd : 0
DP Error Monitoring : OFF
IPSEC init reg executed : 0
IPSEC init reg postponed : 0
Active TEK Number : 1
SA Track (OID/status) : disabled
allowable rekey cipher: any
allowable rekey hash : any
allowable transformtag: any ESP
Rekeys cumulative
Total received : 0
After latest register : 0
Rekey Received : never
ACL Downloaded From KS 10.11.1.5:
access-list permit ip any any
RepCZ-LR01#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.11.1.5 10.11.3.106 GDOI_IDLE 1001 ACTIVE
213.168.177.231 52.202.207.191 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
Infor#ping 10.10.103.1 source loopback 0
Infor#sh cry ips sa
interface: Ethernet0/1
Crypto map tag: EDI1_MAP, local addr 52.202.207.191
protected vrf: (none)
local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.103.0/255.255.255.0/0/0)
current_peer 213.168.177.231 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 52.202.207.191, remote crypto endpt.: 213.168.177.231
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
current outbound spi: 0xF550878F(4115695503)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x63850DF4(1669664244)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: EDI1_MAP
sa timing: remaining key lifetime (k/sec): (4242759/28683)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF550878F(4115695503)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: EDI1_MAP
sa timing: remaining key lifetime (k/sec): (4242759/28683)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.213.0.0/255.255.0.0/0/0)
current_peer 213.168.177.231 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 52.202.207.191, remote crypto endpt.: 213.168.177.231
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
RepCZ-LR01#
interface: Ethernet0/0.899
Crypto map tag: EDI1_MAP, local addr 213.168.177.231
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.103.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
current_peer 52.202.207.191 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 213.168.177.231, remote crypto endpt.: 52.202.207.191
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0.899
current outbound spi: 0x63850DF4(1669664244)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF550878F(4115695503)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: EDI1_MAP
sa timing: remaining key lifetime (k/sec): (4303467/28752)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x63850DF4(1669664244)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: EDI1_MAP
sa timing: remaining key lifetime (k/sec): (4303467/28752)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
RepCZ-LR01# sh ip nat trans
Pro Inside global Inside local Outside local Outside global
--- --- --- 10.213.15.1 10.10.103.1
RepCZ-LR01#
RepCZ-LR01# sh ip cef 10.10.103.1 detail
0.0.0.0/0, epoch 0, flags [cover dependents, check lisp eligibility, default route]
LISP remote EID: 2 packets 416 bytes fwd action signal, cfg as EID space
LISP source path list
attached to LISP0
Covered dependent prefixes: 5
notify cover updated: 5
1 IPL source [no flags]
recursive via 213.168.177.225
attached to Ethernet0/0.899
RepCZ-LR01#
RepCZ-LR01#debug ip nat
IP NAT debugging is on
RepCZ-LR01#
— no output ——
RepCZ-LR01#sh run
Building configuration...
Current configuration : 6355 bytes
!
! Last configuration change at 08:13:16 UTC Thu Jul 13 2017 by cisco
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RepCZ-LR01
!
boot-start-marker
boot-end-marker
!
!
vrf definition ITW
!
address-family ipv4
exit-address-family
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
!
aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default local
aaa authorization exec default local if-authenticated
!
!
!
!
!
aaa session-id common
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name xxxx
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
ip tftp source-interface Loopback0
ip ssh version 2
ip scp server enable
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 16
!
crypto isakmp policy 21
encr aes 256
authentication pre-share
group 5
crypto isakmp key yyyy address 10.11.1.5
crypto isakmp key xxxx address 52.202.207.191
!
!
crypto ipsec transform-set infor_tset esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
crypto gdoi group V4GROUP-0001
identity number 10001
server address ipv4 10.11.1.5
client registration interface Loopback0
!
!
crypto map EDI1_MAP 21 ipsec-isakmp
set peer 52.202.207.191
set security-association lifetime seconds 28800
set transform-set infor_tset
match address InforPROD_Endpoint_List
!
crypto map MAP-V4-0001 10 gdoi
set group V4GROUP-0001
!
!
!
!
!
interface Loopback0
ip address 10.11.3.106 255.255.255.255
!
interface Loopback1
vrf forwarding ITW
ip address 10.11.3.108 255.255.255.255
!
interface LISP0
!
interface LISP0.1
ip mtu 1456
ip tcp adjust-mss 1380
crypto map MAP-V4-0001
!
interface Ethernet0/0
no ip address
!
interface Ethernet0/0.898
description ***Interface ISP2***
encapsulation dot1Q 898
ip address 78.110.209.130 255.255.255.248
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/0.899
description ***Interface_ISP1***
encapsulation dot1Q 899
ip address 213.168.177.231 255.255.255.240
ip nat outside
ip virtual-reassembly in
crypto map EDI1_MAP
!
interface Ethernet0/1
no ip address
!
interface Ethernet0/1.894
description ***Inside Interface LISP Router to Outside Interface FW01***
encapsulation dot1Q 894
vrf forwarding ITW
ip address 10.11.3.10 255.255.255.248
!
interface Ethernet0/1.895
description ***Inside Interface LISP Router to Outside Interface FW01***
encapsulation dot1Q 895
ip address 10.11.3.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
!
!
router lisp
locator-set 3-Repov
IPv4-interface Ethernet0/0.899 priority 1 weight 1
auto-discover-rlocs
exit
!
eid-table default instance-id 0
database-mapping 10.11.3.0/29 locator-set 3-Repov
database-mapping 10.11.3.8/29 locator-set 3-Repov
database-mapping 10.11.3.40/29 locator-set 3-Repov
database-mapping 10.11.3.106/32 locator-set 3-Repov
exit
!
eid-table vrf ITW instance-id 1
database-mapping 10.11.3.8/29 locator-set 3-Repov
database-mapping 10.11.3.32/29 locator-set 3-Repov
database-mapping 10.11.3.108/32 locator-set 3-Repov
database-mapping 10.213.15.0/24 locator-set 3-Repov
database-mapping 10.219.4.12/32 locator-set 3-Repov
database-mapping 140.171.6.128/27 locator-set 3-Repov
database-mapping 140.171.143.0/25 locator-set 3-Repov
database-mapping 140.171.186.0/24 locator-set 3-Repov
exit
!
loc-reach-algorithm rloc-probing
ipv4 itr map-resolver 185.119.33.180
ipv4 itr
ipv4 etr map-server 185.119.33.180 key zzzz
ipv4 etr
exit
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface Ethernet0/0.899 overload
ip nat outside source static 10.10.103.1 10.213.15.1
ip route 0.0.0.0 0.0.0.0 213.168.177.225
ip route 0.0.0.0 0.0.0.0 78.110.209.129 2
ip route 10.11.3.40 255.255.255.248 10.11.3.3
ip route 10.213.15.0 255.255.255.0 10.11.3.3
ip route 140.171.6.128 255.255.255.224 10.11.3.3
ip route 140.171.143.0 255.255.255.128 10.11.3.3
ip route 140.171.186.0 255.255.255.0 10.11.3.3
ip route vrf ITW 10.11.3.32 255.255.255.248 10.11.3.12
ip route vrf ITW 10.213.15.0 255.255.255.0 10.11.3.12
ip route vrf ITW 10.219.4.12 255.255.255.255 10.11.3.12
ip route vrf ITW 140.171.6.128 255.255.255.224 10.11.3.12
ip route vrf ITW 140.171.143.0 255.255.255.128 10.11.3.12
ip route vrf ITW 140.171.186.0 255.255.255.0 10.11.3.12
!
ip access-list extended InforPROD_Endpoint_List
permit ip 10.213.0.0 0.0.255.255 10.20.0.0 0.0.255.255
permit ip 10.10.103.0 0.0.0.255 10.20.0.0 0.0.255.255
ip access-list extended nonat_ITW_EDI_CRYPTO
deny ip any host 10.20.10.32
deny ip any host 10.10.103.1
permit ip 10.0.0.0 0.255.255.255 any
permit ip 10.213.15.0 0.0.0.255 any
!
logging source-interface Loopback1 vrf ITW
logging host 140.171.149.235 vrf ITW
!
route-map ISP2 permit 10
match ip address 10
!
route-map ISP1 permit 10
match ip address nonat_ITW_EDI_CRYPTO
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
transport input none
!
!
end
RepCZ-LR01#
Infor#sh run
Building configuration...
Current configuration : 2477 bytes
!
! Last configuration change at 08:08:58 UTC Thu Jul 13 2017
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Infor
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxx address 213.168.177.231
!
!
crypto ipsec transform-set infor_tset esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map EDI1_MAP 21 ipsec-isakmp
set peer 213.168.177.231
set security-association lifetime seconds 28800
set transform-set infor_tset
match address InforPROD_Endpoint_List
!
!
!
!
!
interface Loopback0
ip address 10.20.10.32 255.255.255.0
!
interface Ethernet0/1
ip address 52.202.207.191 255.255.255.0
crypto map EDI1_MAP
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 52.202.207.1
!
ip access-list extended InforPROD_Endpoint_List
permit ip 10.20.0.0 0.0.255.255 10.213.0.0 0.0.255.255
permit ip 10.20.0.0 0.0.255.255 10.10.103.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
transport input none
!
!
end
Infor#
Hope anyone can help me….
Regards,
Lorenz
Labels:
- Labels:
-
Other Routing
1 Reply 1
.jpg "VIP Master"){kind=icon}
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
07-17-2017 11:29 AM
Lorenz,
post the GNS3 project file, that will make it easier (and faster) to troubleshoot this...
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
Recognize Your Peers
Customers Also Viewed These Support Documents