Lorenz,

lorenz_essensohn · ‎07-17-2017

Hello,

my scenario

Lisp Site connected to Internet and GetVPN. This Lisp Site has also an IPsec IKEv1 tunnel bound. Lisp in generell is working without any problems. The IKEv1 tunnel is also working without any problems (phase 1 and phase 2 active and has spi). At the other end of the IPSec tunnel there is a company which don´t allow the inside IP-Adresses from the Lisp site. At the Lisp Site the interface pointing into the local LAN is configured with ip nat inside. The interface pointing directly to the internet is configured with ip nat outside.

The external company must reach only one ip-address (static ip nat outside) of the local lan from the lisp site.

The external company build up the connection to the inside Lisp site lan. Regarding this, I have to configure a static ip nat outside (nat outside global nat outside local) command. It seems that my configuration in general is okay, but if the external company do a ping to the global NAT address, the crypto map encrypt the packets, the lisp site decrypt the packets but no encrypt into the IPSec tunnel back. If I do a sh ip nat translation, there is no nat translation done. If I have a look at the „order of operation“ outside to inside there is the first point (IPSec decrypt, which is okay, nat outside to inside which is not working) Routing is the third step.

So where is my problem?

I have build via GNS3 a 100% identical scenario. There I can see the same issue. Here are my configuration and my debug outputs inclusive the show commands.

The router name RepCZ-LR01 are the customer facing router and the router name Info are the external company.

GetVPN output:

RepCZ-LR01#sh cry gdoi

GROUP INFORMATION

Group Name : V4GROUP-0001

Group Identity : 10001

Group Type : GDOI (ISAKMP)

Crypto Path : ipv4

Key Management Path : ipv4

Rekeys received : 0

IPSec SA Direction : Both

Group Server list : 10.11.1.5

Group Member Information For Group V4GROUP-0001:

IPSec SA Direction : Both

ACL Received From KS : gdoi_group_V4GROUP-0001_temp_acl

Group member : 10.11.3.106 vrf: None

Local addr/port : 10.11.3.106/848

Remote addr/port : 10.11.1.5/848

fvrf/ivrf : None/None

Version : 1.0.12

Registration status : Registered

Registered with : 10.11.1.5

Re-registers in : 6815 sec

Succeeded registration: 1

Attempted registration: 1

Last rekey from : 0.0.0.0

Last rekey seq num : 0

Multicast rekey rcvd : 0

DP Error Monitoring : OFF

IPSEC init reg executed : 0

IPSEC init reg postponed : 0

Active TEK Number : 1

SA Track (OID/status) : disabled

allowable rekey cipher: any

allowable rekey hash : any

allowable transformtag: any ESP

Rekeys cumulative

Total received : 0

After latest register : 0

Rekey Received : never

ACL Downloaded From KS 10.11.1.5:

access-list permit ip any any

RepCZ-LR01#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

10.11.1.5 10.11.3.106 GDOI_IDLE 1001 ACTIVE

213.168.177.231 52.202.207.191 QM_IDLE 1002 ACTIVE

IPv6 Crypto ISAKMP SA

Infor#ping 10.10.103.1 source loopback 0

Infor#sh cry ips sa

interface: Ethernet0/1

Crypto map tag: EDI1_MAP, local addr 52.202.207.191

protected vrf: (none)

local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (10.10.103.0/255.255.255.0/0/0)

current_peer 213.168.177.231 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 52.202.207.191, remote crypto endpt.: 213.168.177.231

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1

current outbound spi: 0xF550878F(4115695503)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0x63850DF4(1669664244)

transform: esp-256-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: EDI1_MAP

sa timing: remaining key lifetime (k/sec): (4242759/28683)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xF550878F(4115695503)

transform: esp-256-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: EDI1_MAP

sa timing: remaining key lifetime (k/sec): (4242759/28683)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (10.213.0.0/255.255.0.0/0/0)

current_peer 213.168.177.231 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 52.202.207.191, remote crypto endpt.: 213.168.177.231

plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1

current outbound spi: 0x0(0)

PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

RepCZ-LR01#

interface: Ethernet0/0.899

Crypto map tag: EDI1_MAP, local addr 213.168.177.231

protected vrf: (none)

local ident (addr/mask/prot/port): (10.10.103.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)

current_peer 52.202.207.191 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 213.168.177.231, remote crypto endpt.: 52.202.207.191

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0.899

current outbound spi: 0x63850DF4(1669664244)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xF550878F(4115695503)

transform: esp-256-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: EDI1_MAP

sa timing: remaining key lifetime (k/sec): (4303467/28752)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x63850DF4(1669664244)

transform: esp-256-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: EDI1_MAP

sa timing: remaining key lifetime (k/sec): (4303467/28752)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

RepCZ-LR01# sh ip nat trans

Pro Inside global Inside local Outside local Outside global

--- --- --- 10.213.15.1 10.10.103.1

RepCZ-LR01#

RepCZ-LR01# sh ip cef 10.10.103.1 detail

0.0.0.0/0, epoch 0, flags [cover dependents, check lisp eligibility, default route]

LISP remote EID: 2 packets 416 bytes fwd action signal, cfg as EID space

LISP source path list

attached to LISP0

Covered dependent prefixes: 5

notify cover updated: 5

1 IPL source [no flags]

recursive via 213.168.177.225

attached to Ethernet0/0.899

RepCZ-LR01#

RepCZ-LR01#debug ip nat

IP NAT debugging is on

RepCZ-LR01#

— no output ——

RepCZ-LR01#sh run

Building configuration...

Current configuration : 6355 bytes

!

! Last configuration change at 08:13:16 UTC Thu Jul 13 2017 by cisco

!

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname RepCZ-LR01

!

boot-start-marker

boot-end-marker

!

vrf definition ITW

!

address-family ipv4

exit-address-family

!

vrf definition Mgmt-intf

!

address-family ipv4

exit-address-family

!

aaa new-model

aaa local authentication attempts max-fail 3

!

aaa authentication login default local

aaa authorization exec default local if-authenticated

!

aaa session-id common

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

!

no ip icmp rate-limit unreachable

!

no ip domain lookup

ip domain name xxxx

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

redundancy

!

no cdp log mismatch duplex

!

ip tcp synwait-time 5

ip tftp source-interface Loopback0

ip ssh version 2

ip scp server enable

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 16

!

crypto isakmp policy 21

encr aes 256

authentication pre-share

group 5

crypto isakmp key yyyy address 10.11.1.5

crypto isakmp key xxxx address 52.202.207.191

!

crypto ipsec transform-set infor_tset esp-aes 256 esp-sha-hmac

mode tunnel

crypto ipsec df-bit clear

!

crypto gdoi group V4GROUP-0001

identity number 10001

server address ipv4 10.11.1.5

client registration interface Loopback0

!

crypto map EDI1_MAP 21 ipsec-isakmp

set peer 52.202.207.191

set security-association lifetime seconds 28800

set transform-set infor_tset

match address InforPROD_Endpoint_List

!

crypto map MAP-V4-0001 10 gdoi

set group V4GROUP-0001

!

interface Loopback0

ip address 10.11.3.106 255.255.255.255

!

interface Loopback1

vrf forwarding ITW

ip address 10.11.3.108 255.255.255.255

!

interface LISP0

!

interface LISP0.1

ip mtu 1456

ip tcp adjust-mss 1380

crypto map MAP-V4-0001

!

interface Ethernet0/0

no ip address

!

interface Ethernet0/0.898

description ***Interface ISP2***

encapsulation dot1Q 898

ip address 78.110.209.130 255.255.255.248

ip nat outside

ip virtual-reassembly in

!

interface Ethernet0/0.899

description ***Interface_ISP1***

encapsulation dot1Q 899

ip address 213.168.177.231 255.255.255.240

ip nat outside

ip virtual-reassembly in

crypto map EDI1_MAP

!

interface Ethernet0/1

no ip address

!

interface Ethernet0/1.894

description ***Inside Interface LISP Router to Outside Interface FW01***

encapsulation dot1Q 894

vrf forwarding ITW

ip address 10.11.3.10 255.255.255.248

!

interface Ethernet0/1.895

description ***Inside Interface LISP Router to Outside Interface FW01***

encapsulation dot1Q 895

ip address 10.11.3.1 255.255.255.248

ip nat inside

ip virtual-reassembly in

!

router lisp

locator-set 3-Repov

IPv4-interface Ethernet0/0.899 priority 1 weight 1

auto-discover-rlocs

exit

!

eid-table default instance-id 0

database-mapping 10.11.3.0/29 locator-set 3-Repov

database-mapping 10.11.3.8/29 locator-set 3-Repov

database-mapping 10.11.3.40/29 locator-set 3-Repov

database-mapping 10.11.3.106/32 locator-set 3-Repov

exit

!

eid-table vrf ITW instance-id 1

database-mapping 10.11.3.8/29 locator-set 3-Repov

database-mapping 10.11.3.32/29 locator-set 3-Repov

database-mapping 10.11.3.108/32 locator-set 3-Repov

database-mapping 10.213.15.0/24 locator-set 3-Repov

database-mapping 10.219.4.12/32 locator-set 3-Repov

database-mapping 140.171.6.128/27 locator-set 3-Repov

database-mapping 140.171.143.0/25 locator-set 3-Repov

database-mapping 140.171.186.0/24 locator-set 3-Repov

exit

!

loc-reach-algorithm rloc-probing

ipv4 itr map-resolver 185.119.33.180

ipv4 itr

ipv4 etr map-server 185.119.33.180 key zzzz

ipv4 etr

exit

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip nat inside source route-map ISP1 interface Ethernet0/0.899 overload

ip nat outside source static 10.10.103.1 10.213.15.1

ip route 0.0.0.0 0.0.0.0 213.168.177.225

ip route 0.0.0.0 0.0.0.0 78.110.209.129 2

ip route 10.11.3.40 255.255.255.248 10.11.3.3

ip route 10.213.15.0 255.255.255.0 10.11.3.3

ip route 140.171.6.128 255.255.255.224 10.11.3.3

ip route 140.171.143.0 255.255.255.128 10.11.3.3

ip route 140.171.186.0 255.255.255.0 10.11.3.3

ip route vrf ITW 10.11.3.32 255.255.255.248 10.11.3.12

ip route vrf ITW 10.213.15.0 255.255.255.0 10.11.3.12

ip route vrf ITW 10.219.4.12 255.255.255.255 10.11.3.12

ip route vrf ITW 140.171.6.128 255.255.255.224 10.11.3.12

ip route vrf ITW 140.171.143.0 255.255.255.128 10.11.3.12

ip route vrf ITW 140.171.186.0 255.255.255.0 10.11.3.12

!

ip access-list extended InforPROD_Endpoint_List

permit ip 10.213.0.0 0.0.255.255 10.20.0.0 0.0.255.255

permit ip 10.10.103.0 0.0.0.255 10.20.0.0 0.0.255.255

ip access-list extended nonat_ITW_EDI_CRYPTO

deny ip any host 10.20.10.32

deny ip any host 10.10.103.1

permit ip 10.0.0.0 0.255.255.255 any

permit ip 10.213.15.0 0.0.0.255 any

!

logging source-interface Loopback1 vrf ITW

logging host 140.171.149.235 vrf ITW

!

route-map ISP2 permit 10

match ip address 10

!

route-map ISP1 permit 10

match ip address nonat_ITW_EDI_CRYPTO

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

transport input none

!

end

RepCZ-LR01#

Infor#sh run

Building configuration...

Current configuration : 2477 bytes

!

! Last configuration change at 08:08:58 UTC Thu Jul 13 2017

!

version 15.5

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Infor

!

boot-start-marker

boot-end-marker

!

no aaa new-model

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

!

no ip icmp rate-limit unreachable

!

no ip domain lookup

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

cts logging verbose

!

redundancy

!

no cdp log mismatch duplex

!

ip tcp synwait-time 5

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

crypto isakmp key xxxxx address 213.168.177.231

!

crypto ipsec transform-set infor_tset esp-aes 256 esp-sha-hmac

mode tunnel

!

crypto map EDI1_MAP 21 ipsec-isakmp

set peer 213.168.177.231

set security-association lifetime seconds 28800

set transform-set infor_tset

match address InforPROD_Endpoint_List

!

interface Loopback0

ip address 10.20.10.32 255.255.255.0

!

interface Ethernet0/1

ip address 52.202.207.191 255.255.255.0

crypto map EDI1_MAP

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 52.202.207.1

!

ip access-list extended InforPROD_Endpoint_List

permit ip 10.20.0.0 0.0.255.255 10.213.0.0 0.0.255.255

permit ip 10.20.0.0 0.0.255.255 10.10.103.0 0.0.0.255

!

control-plane

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

transport input none

!

end

Infor#

Hope anyone can help me….

Regards,

Lorenz

Georg Pauwen · ‎07-17-2017

Lorenz,

post the GNS3 project file, that will make it easier (and faster) to troubleshoot this...

LISP and static Outside NAT