
LISP and static Outside NAT

Hello,

My scenario:
LISP site connected to the Internet and GetVPN. This LISP site also has an IPsec IKEv1 tunnel bound. LISP in general is working without any problems. The IKEv1 tunnel is also working without any problems (phase 1 and phase 2 are active and have an SPI). At the other end of the IPsec tunnel there is a company which doesn't allow the inside IP addresses from the LISP site. At the LISP site the interface pointing into the local LAN is configured with ip nat inside. The interface pointing directly to the Internet is configured with ip nat outside.
The external company must reach only one IP address (static ip nat outside) of the local LAN from the LISP site.
The external company builds up the connection to the inside LISP site LAN. Regarding this, I have to configure a static ip nat outside (nat outside global nat outside local) command. It seems that my configuration in general is okay, but if the external company pings the global NAT address, the crypto map encrypts the packets, the LISP site decrypts the packets, but nothing is encrypted back into the IPsec tunnel. If I do a sh ip nat translation, there is no NAT translation done. If I look at the "order of operation" outside to inside, the first point is IPsec decrypt (which is okay), then NAT outside to inside (which is not working); routing is the third step.
So where is my problem?
I have built a 100% identical scenario in GNS3. There I can see the same issue. Here are my configuration and my debug outputs, including the show commands.
The router named RepCZ-LR01 is the customer-facing router and the router named Info is the external company.
GetVPN output:
RepCZ-LR01#sh cry gdoi 
GROUP INFORMATION
    Group Name               : V4GROUP-0001
    Group Identity           : 10001
    Group Type               : GDOI (ISAKMP)
    Crypto Path              : ipv4
    Key Management Path      : ipv4
    Rekeys received          : 0
    IPSec SA Direction       : Both
     Group Server list       : 10.11.1.5

                               

Group Member Information For Group V4GROUP-0001:
    IPSec SA Direction       : Both
    ACL Received From KS     : gdoi_group_V4GROUP-0001_temp_acl
    Group member             : 10.11.3.106     vrf: None
       Local addr/port       : 10.11.3.106/848
       Remote addr/port      : 10.11.1.5/848
       fvrf/ivrf             : None/None
       Version               : 1.0.12
       Registration status   : Registered
       Registered with       : 10.11.1.5
       Re-registers in       : 6815 sec
       Succeeded registration: 1
       Attempted registration: 1
       Last rekey from       : 0.0.0.0
       Last rekey seq num    : 0
       Multicast rekey rcvd  : 0
       DP Error Monitoring   : OFF
       IPSEC init reg executed    : 0
       IPSEC init reg postponed   : 0
       Active TEK Number     : 1
       SA Track (OID/status) : disabled
       allowable rekey cipher: any
       allowable rekey hash  : any
       allowable transformtag: any ESP
    Rekeys cumulative
       Total received        : 0
       After latest register : 0
       Rekey Received        : never
 ACL Downloaded From KS 10.11.1.5:
   access-list   permit ip any any
RepCZ-LR01#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.11.1.5       10.11.3.106     GDOI_IDLE         1001 ACTIVE
213.168.177.231 52.202.207.191  QM_IDLE           1002 ACTIVE
IPv6 Crypto ISAKMP SA
 
 
 
Infor#ping 10.10.103.1 source loopback 0
 
 
 
 
Infor#sh cry ips sa
interface: Ethernet0/1
    Crypto map tag: EDI1_MAP, local addr 52.202.207.191
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.103.0/255.255.255.0/0/0)
   current_peer 213.168.177.231 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 52.202.207.191, remote crypto endpt.: 213.168.177.231
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
     current outbound spi: 0xF550878F(4115695503)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x63850DF4(1669664244)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: EDI1_MAP
        sa timing: remaining key lifetime (k/sec): (4242759/28683)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
          
     inbound ah sas:
          
     inbound pcp sas:
     outbound esp sas:
      spi: 0xF550878F(4115695503)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: EDI1_MAP
        sa timing: remaining key lifetime (k/sec): (4242759/28683)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.213.0.0/255.255.0.0/0/0)
   current_peer 213.168.177.231 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 52.202.207.191, remote crypto endpt.: 213.168.177.231
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
RepCZ-LR01#
 
interface: Ethernet0/0.899
    Crypto map tag: EDI1_MAP, local addr 213.168.177.231
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.103.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
   current_peer 52.202.207.191 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 213.168.177.231, remote crypto endpt.: 52.202.207.191
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0.899
     current outbound spi: 0x63850DF4(1669664244)
     PFS (Y/N): N, DH group: none

          

     inbound esp sas:
      spi: 0xF550878F(4115695503)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: EDI1_MAP
        sa timing: remaining key lifetime (k/sec): (4303467/28752)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

          

     inbound ah sas:

          

     inbound pcp sas:

          

     outbound esp sas:
      spi: 0x63850DF4(1669664244)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: EDI1_MAP
        sa timing: remaining key lifetime (k/sec): (4303467/28752)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

          

     outbound ah sas:

          

     outbound pcp sas:

          

   protected vrf: (none)
 
 
RepCZ-LR01#  sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.213.15.1        10.10.103.1
RepCZ-LR01#
 
 
RepCZ-LR01# sh ip cef 10.10.103.1 detail 
0.0.0.0/0, epoch 0, flags [cover dependents, check lisp eligibility, default route]
  LISP remote EID: 2 packets 416 bytes fwd action signal, cfg as EID space
  LISP source path list
    attached to LISP0
  Covered dependent prefixes: 5
    notify cover updated: 5
  1 IPL source [no flags]
  recursive via 213.168.177.225
    attached to Ethernet0/0.899
RepCZ-LR01#
 
 
 
RepCZ-LR01#debug ip nat 
IP NAT debugging is on
RepCZ-LR01#
 
— no output ——
 
 
 
 
 
 
RepCZ-LR01#sh run
Building configuration...
Current configuration : 6355 bytes
!
! Last configuration change at 08:13:16 UTC Thu Jul 13 2017 by cisco
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RepCZ-LR01
!
boot-start-marker
boot-end-marker
!
!
vrf definition ITW
 !
 address-family ipv4
 exit-address-family
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
!
!
aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default local
aaa authorization exec default local if-authenticated 
!
!
!
!
!
aaa session-id common
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name xxxx
ip cef    
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
ip tftp source-interface Loopback0
ip ssh version 2
ip scp server enable
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 16
!
crypto isakmp policy 21
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key yyyy address 10.11.1.5      
crypto isakmp key xxxx address 52.202.207.191 
!
!
crypto ipsec transform-set infor_tset esp-aes 256 esp-sha-hmac 
 mode tunnel
crypto ipsec df-bit clear
!         
!
crypto gdoi group V4GROUP-0001
 identity number 10001
 server address ipv4 10.11.1.5
 client registration interface Loopback0
!
!
crypto map EDI1_MAP 21 ipsec-isakmp 
 set peer 52.202.207.191
 set security-association lifetime seconds 28800
 set transform-set infor_tset 
 match address InforPROD_Endpoint_List
!
crypto map MAP-V4-0001 10 gdoi 
 set group V4GROUP-0001
!
!
!
!
!
interface Loopback0
 ip address 10.11.3.106 255.255.255.255
!         
interface Loopback1
 vrf forwarding ITW
 ip address 10.11.3.108 255.255.255.255
!
interface LISP0
!
interface LISP0.1
 ip mtu 1456
 ip tcp adjust-mss 1380
 crypto map MAP-V4-0001
!
interface Ethernet0/0
 no ip address
!
interface Ethernet0/0.898
 description ***Interface ISP2***
 encapsulation dot1Q 898
 ip address 78.110.209.130 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/0.899
 description ***Interface_ISP1***
 encapsulation dot1Q 899
 ip address 213.168.177.231 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 crypto map EDI1_MAP
!
interface Ethernet0/1
 no ip address
!
interface Ethernet0/1.894
 description ***Inside Interface LISP Router to Outside Interface FW01***
 encapsulation dot1Q 894
 vrf forwarding ITW
 ip address 10.11.3.10 255.255.255.248
!
interface Ethernet0/1.895
 description ***Inside Interface LISP Router to Outside Interface FW01***
 encapsulation dot1Q 895
 ip address 10.11.3.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
!
!
router lisp
 locator-set 3-Repov
  IPv4-interface Ethernet0/0.899 priority 1 weight 1
  auto-discover-rlocs
  exit
 !
 eid-table default instance-id 0
  database-mapping 10.11.3.0/29 locator-set 3-Repov
  database-mapping 10.11.3.8/29 locator-set 3-Repov
  database-mapping 10.11.3.40/29 locator-set 3-Repov
  database-mapping 10.11.3.106/32 locator-set 3-Repov
  exit
 !
 eid-table vrf ITW instance-id 1
  database-mapping 10.11.3.8/29 locator-set 3-Repov
  database-mapping 10.11.3.32/29 locator-set 3-Repov
  database-mapping 10.11.3.108/32 locator-set 3-Repov
  database-mapping 10.213.15.0/24 locator-set 3-Repov
  database-mapping 10.219.4.12/32 locator-set 3-Repov
  database-mapping 140.171.6.128/27 locator-set 3-Repov
  database-mapping 140.171.143.0/25 locator-set 3-Repov
  database-mapping 140.171.186.0/24 locator-set 3-Repov
  exit
 !
 loc-reach-algorithm rloc-probing
 ipv4 itr map-resolver 185.119.33.180
 ipv4 itr
 ipv4 etr map-server 185.119.33.180 key zzzz
 ipv4 etr
 exit
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map ISP1 interface Ethernet0/0.899 overload
ip nat outside source static 10.10.103.1 10.213.15.1
ip route 0.0.0.0 0.0.0.0 213.168.177.225
ip route 0.0.0.0 0.0.0.0 78.110.209.129 2
ip route 10.11.3.40 255.255.255.248 10.11.3.3
ip route 10.213.15.0 255.255.255.0 10.11.3.3
ip route 140.171.6.128 255.255.255.224 10.11.3.3
ip route 140.171.143.0 255.255.255.128 10.11.3.3
ip route 140.171.186.0 255.255.255.0 10.11.3.3
ip route vrf ITW 10.11.3.32 255.255.255.248 10.11.3.12
ip route vrf ITW 10.213.15.0 255.255.255.0 10.11.3.12
ip route vrf ITW 10.219.4.12 255.255.255.255 10.11.3.12
ip route vrf ITW 140.171.6.128 255.255.255.224 10.11.3.12
ip route vrf ITW 140.171.143.0 255.255.255.128 10.11.3.12
ip route vrf ITW 140.171.186.0 255.255.255.0 10.11.3.12
!
ip access-list extended InforPROD_Endpoint_List
 permit ip 10.213.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.10.103.0 0.0.0.255 10.20.0.0 0.0.255.255
ip access-list extended nonat_ITW_EDI_CRYPTO
 deny   ip any host 10.20.10.32
 deny   ip any host 10.10.103.1
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 10.213.15.0 0.0.0.255 any
!
logging source-interface Loopback1 vrf ITW
logging host 140.171.149.235 vrf ITW
!
route-map ISP2 permit 10
 match ip address 10
!
route-map ISP1 permit 10
 match ip address nonat_ITW_EDI_CRYPTO
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!         
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 transport input none
!
!
end
RepCZ-LR01#
 
 
 
 
 
 
Infor#sh run
Building configuration...
Current configuration : 2477 bytes
!
! Last configuration change at 08:08:58 UTC Thu Jul 13 2017
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Infor
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!         
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key xxxxx address 213.168.177.231
!
!
crypto ipsec transform-set infor_tset esp-aes 256 esp-sha-hmac 
 mode tunnel
!
!
!
crypto map EDI1_MAP 21 ipsec-isakmp 
 set peer 213.168.177.231
 set security-association lifetime seconds 28800
 set transform-set infor_tset 
 match address InforPROD_Endpoint_List
!
!
!
!         
!
interface Loopback0
 ip address 10.20.10.32 255.255.255.0
!
interface Ethernet0/1
 ip address 52.202.207.191 255.255.255.0
 crypto map EDI1_MAP
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 52.202.207.1
!
ip access-list extended InforPROD_Endpoint_List
 permit ip 10.20.0.0 0.0.255.255 10.213.0.0 0.0.255.255
 permit ip 10.20.0.0 0.0.255.255 10.10.103.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
!
end
Infor# 
 
Hope anyone can help me….
Regards,
Lorenz
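
Added example, not part of the original post: a small Python check that parses `show crypto ipsec sa` text and flags flows whose encaps/decaps counters move in one direction only, which is the symptom described above. The sample is trimmed from the Infor output in the post; the function names are illustrative.

```python
import re

# Trimmed from the "Infor#sh cry ips sa" output in the post above.
SAMPLE = """\
interface: Ethernet0/1
   local  ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.103.0/255.255.255.0/0/0)
   current_peer 213.168.177.231 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local  ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.213.0.0/255.255.0.0/0/0)
   current_peer 213.168.177.231 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT = re.compile(r"^\s*(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_flows(text):
    """Return one dict per local/remote ident pair (one IPsec flow each)."""
    flows, cur = [], None
    for line in text.splitlines():
        m = IDENT.match(line)
        if m:
            if m.group(1) == "local":  # a local ident line starts a new flow
                cur = {"local": None, "remote": None, "encaps": 0, "decaps": 0}
                flows.append(cur)
            if cur is not None:
                cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        if cur is None:
            continue
        for name, value in COUNT.findall(line):
            cur[name] = int(value)
    return flows

def one_way_flows(flows):
    """Flows that carry traffic in exactly one direction (idle flows are skipped)."""
    return [f for f in flows if (f["encaps"] == 0) != (f["decaps"] == 0)]

if __name__ == "__main__":
    for f in one_way_flows(parse_flows(SAMPLE)):
        print(f"{f['local']} <-> {f['remote']}: encaps={f['encaps']} decaps={f['decaps']}")
```

Running the same check on both peers' output shows which side receives traffic without sending any back.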
1 Reply

Lorenz,

post the GNS3 project file, that will make it easier (and faster) to troubleshoot this...