NAT - Cisco 1841

khan0071
Level 1

Hi guys,

 

I have a Cisco 1841 at a remote site connected to the main site ASA via VPN. Here is what the topology looks like:

 

Fa0/1 is outside

fa0/0 is inside.

inside subnet is 10.7.20.0

 

The VPN connection is established; however, I am having an issue connecting to one of the printers. In the VPN encryption domain I am using subnet 10.7.21.0 and the printer IP is 10.7.20.4, so I am using a static NAT to point traffic destined for 10.7.21.2 to be forwarded to 10.7.20.4. However, as soon as I use the following commands I start to see a duplicate IP address error for 10.7.20.4.

The NAT commands I am using are:

ip nat inside source static 10.7.20.4 10.7.21.2
ip nat outside source static 10.7.21.2 10.7.20.4

 

And I am seeing encaps and decaps in IPsec for the VPN.

Has anyone seen this issue before? If so, what am I doing wrong, and how can I fix this?

 

Please let me know if you require any further information.

 

 

Regards,

1 Accepted Solution

Hello


@khan0071 wrote:

However, as soon as I use the following command I start to see duplicate ip address error for 10.7.20.4.

the NAT commands I am using are: 

ip nat inside source static 10.7.20.4 10.7.21.2
ip nat outside source static 10.7.21.2 10.7.20.4

 

Absolutely expected, and the reason is your static NAT entries.
Your NAT router has now, by default, created an ARP entry for 10.7.20.4 with the same MAC address as your physical LAN interface 10.7.20.254, so now you have a duplicate MAC address for two different IP addresses.

You should be able to negate this by applying no-alias on the outside static NAT entry:

 

ip nat outside source static 10.7.21.2 10.7.20.4 no-alias
clear arp


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

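The following Python check is an added example, not code from this thread or from Cisco. It encodes the behaviour Paul describes (a static translation makes IOS alias the translated address and answer ARP for it on the connected subnet unless no-alias is set) as a configuration lint that a defender can run over a saved config before deploying it. The configuration it parses is a constructed sample modelled on the posted one (the outside address is a documentation placeholder), and the alias rule it assumes is the one in Cisco's command reference for the no-alias keyword: inside-source static entries alias the global address, outside-source static entries alias the local address, in both cases only when that address falls in a directly connected subnet.

```python
"""Flag IOS static NAT entries whose automatic ARP alias would collide with a
real host on a directly connected subnet (the symptom in this thread)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the thread: the real printer is 10.7.20.4 on
# the inside LAN, one outside-source static entry would alias 10.7.20.4 on the
# router, and a third entry already carries no-alias. Outside address is a
# placeholder, not the poster's real one.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.7.20.254 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 10.7.20.4 10.7.21.2
ip nat outside source static 10.7.21.2 10.7.20.4
ip nat outside source static 10.7.21.3 10.7.20.5 no-alias
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
# ip nat inside  source static LOCAL  GLOBAL [no-alias ...] -> alias for GLOBAL
# ip nat outside source static GLOBAL LOCAL  [no-alias ...] -> alias for LOCAL
# Either way, the address IOS would alias is the second one on the line.
STATIC_RE = re.compile(r"^ip nat (inside|outside) source static (\S+) (\S+)(.*)$")


@dataclass
class Finding:
    line: str
    direction: str
    aliased_ip: str
    interface: str

    def fixed_line(self) -> str:
        """Same entry with no-alias appended, as the accepted answer suggests."""
        return f"{self.line} no-alias"


def parse_interfaces(config: str) -> dict:
    """Map interface name -> IPv4Interface for every interface with an address."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = IFACE_RE.match(raw)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(raw)
        if m and current:
            # ipaddress accepts a dotted netmask after the slash
            interfaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def find_alias_conflicts(config: str) -> list:
    """Return static NAT entries that would make the router answer ARP for an
    address inside one of its own connected subnets without no-alias set."""
    interfaces = parse_interfaces(config)
    findings = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        direction, first, second, options = m.groups()
        if "no-alias" in options.split():
            continue  # the operator already suppressed the alias
        try:
            ipaddress.IPv4Address(first)
            aliased = ipaddress.IPv4Address(second)
        except ValueError:
            continue  # 'static tcp|udp ...' port forms use a different layout; skipped
        for name, iface in interfaces.items():
            # An alias is only created when the address sits in a connected subnet;
            # the interface's own address is never a conflict.
            if aliased in iface.network and aliased != iface.ip:
                findings.append(Finding(raw.strip(), direction, str(aliased), name))
    return findings


if __name__ == "__main__":
    for f in find_alias_conflicts(SAMPLE_CONFIG):
        print(f"{f.line}\n  -> router would ARP-alias {f.aliased_ip} on {f.interface}; "
              f"suggested: {f.fixed_line()}")
```

Run against the sample, only the outside-source entry for 10.7.20.4 is reported, which is exactly the entry the accepted answer tells the poster to tag with no-alias; the inside-source entry is silent because 10.7.21.2 is not on any connected subnet, so no alias is created for it.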

17 Replies

Hello,

 

Have you excluded the VPN traffic from the NAT access list? Post the full configuration of your router...

Hi George,

Yes, I have. Here is the config:

 


!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxx address a.a.a.a
crypto isakmp key xxxxx address b.b.b.b
!
!
crypto ipsec transform-set Equancy esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to one
set peer a.a.a.a
set security-association lifetime seconds 28800
set transform-set Equancy
match address abcdef
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to abcdef_new
set peer b.b.b.b
set security-association lifetime seconds 28800
set transform-set Equancy
match address two-new
!
!
!

!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$$ETH-LAN$
ip address 10.7.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address a.b.c.d 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
ip route 0.0.0.0 0.0.0.0 a.b.c.d
ip route 10.10.12.0 255.255.255.0 a.b.c.e
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat outside source static 10.7.21.2 10.7.20.4
ip nat outside source static 10.7.21.2 10.7.20.4
!
ip access-list extended any
remark SDM_ACL Category=2
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
ip access-list extended abcdef
permit ip 10.7.20.0 0.0.0.255 remote 0.0.0.7
permit ip 10.7.20.0 0.0.0.255 10.128.160.0 0.0.1.255
permit ip 10.7.20.0 0.0.0.255 host 10.128.127.196
ip access-list extended abcdef-new
permit ip 10.7.21.0 0.0.0.7 remote 0.0.1.255 log
permit ip 10.7.20.0 0.0.0.7 remote 0.0.1.255 log
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.7.20.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.7.20.0 0.0.0.255
access-list 100 deny ip 10.7.20.0 0.0.0.255 remote 0.0.0.7
access-list 100 deny ip 10.7.20.0 0.0.0.255 10.128.160.0 0.0.1.255
access-list 100 deny ip 10.7.20.0 0.0.0.255 host 10.128.127.196
access-list 100 permit ip 10.7.20.0 0.0.0.255 any
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!

But as I said, the issue is that when I use the 2 NAT commands, it shows the eth0/0 MAC address against 10.7.20.4 in the ARP entry instead of the actual MAC address of the printer, which can be seen in the router lease.

Hello,

 

Whatever you NAT is not going through the VPN. I am not clear on what your goal is. From which local IP address on the router side to which IP address on the ASA side do you want to connect?

Hi George,

 

The goal is that a print server behind the ASA on the main site should be able to connect to a printer whose IP address is 10.7.20.4 but is NATed to 10.7.21.2, because on the main site side 10.7.20.0 is already used. So I am NATing traffic on the 1841 router using static NAT in a way that traffic destined for 10.7.21.2 is forwarded to 10.7.20.4 on the 1841 router LAN.

 

Make sense?

Hello,

 

Is traffic from the ASA (or whatever is behind it) to 10.7.21.2 actually reaching the 1841 router? How did you set this up on the ASA?

 

Actually, post the config of the ASA as well...

Hello,

 

I cannot visualize your network. You are using 10.7.20.0/24 on both sides? And on the 1841, you have a default route that goes out the NATted outside interface? Does your ASA have a static NAT entry?

 

Please provide a schematic drawing of your network including which IP address spaces are being used where...

Hi George,

 

See attached a brief diagram to explain what I am trying to do. Keep in mind this router has two VPN connections and the VPN in question has the 10.7.21.0 subnet in its encryption domain.

 

Also, the VPN in question is UP and is working fine, as I can see traffic arriving at the 1841 router. The only problem is with NATing: when I configure a NAT I see logs for a duplicate IP of the printer and then I can't telnet to the printer from the router.

 

 


So the printer is at the remote network, behind the ASA? Why don't you just include the network where the printer is in the VPN encryption domain?

 

That said, put the printer and the IP address of the printer in the drawing as well, as I still cannot figure out where it is and what the IP address is.

The printer is already in the diagram with IP 10.7.20.4. I can't include 10.7.20.0 in the encryption domain because this subnet is already used at the main site.

Hello,

 

I am sorry, I still don't get it. What is the main site, and what is the remote site? You are using subnet 10.7.20.0/24 at both the remote and the main site? How is network 10.7.20.0/24 connected to the site at the right corner above (which I assume is the remote site)? Is it a directly connected network?

 

And what is the IP address of the print server ?

You are wasting my time and yours, mate. I have mentioned 100 times that the main site has an ASA and the remote site has an 1841.

 

This is not about VPN but rather about the duplicate IP address issue when I create a static NAT.

 

Don't worry about it though. I will hopefully resolve it and let you know :)

Hello,

 

I am not trying to argue with you, I am just trying to help. I cannot figure out where your duplicate network is, since it is nowhere in the drawing. Also you say that 10.7.21.0 is part of the encryption domain, but I don't see that network anywhere in an access list on the 1841 router:

 

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to one
set peer a.a.a.a
set security-association lifetime seconds 28800
set transform-set Equancy
match address abcdef

!

ip access-list extended abcdef
permit ip 10.7.20.0 0.0.0.255 remote 0.0.0.7
permit ip 10.7.20.0 0.0.0.255 10.128.160.0 0.0.1.255
permit ip 10.7.20.0 0.0.0.255 host 10.128.127.196

 

Also, there is a second sequence of the same crypto map, which uses an access list that does not exist.

 

crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to abcdef_new
set peer b.b.b.b
set security-association lifetime seconds 28800
set transform-set Equancy
match address two-new

 

There is an access list that mentions 10.7.21.0, but that access list is not used anywhere.

 

ip access-list extended abcdef-new
permit ip 10.7.21.0 0.0.0.7 remote 0.0.1.255 log
permit ip 10.7.20.0 0.0.0.7 remote 0.0.1.255 log

 

Also, you say that the router has two working VPN connections; I don't see how and where, since only one crypto map is correctly configured.

 

For someone who just reads this for the first time and doesn't know anything about your network other than what you post, this is confusing.
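As an added example (not from the thread), the crypto-map cross-check George is doing by hand above can be scripted. The code below parses crypto map sequences and named extended ACLs from a constructed config modelled on the posted one (peer and remote-side addresses are documentation placeholders, not the poster's values), lists match address references to ACLs that do not exist, lists defined ACLs that no crypto map uses, and reports which active encryption domain, if any, covers a given local address such as 10.7.21.2. It only understands permit ip entries with any / host / wildcard address specs.

```python
"""Cross-check crypto map 'match address' references against the named
extended ACLs that exist, and test which active encryption domain covers a
given local address. Constructed sample modelled on the thread's config."""
import ipaddress
import re

# Constructed sample: peer and remote-side addresses are placeholders.
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 198.51.100.1
 match address abcdef
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 198.51.100.2
 match address two-new
!
ip access-list extended abcdef
 permit ip 10.7.20.0 0.0.0.255 10.128.160.0 0.0.1.255
 permit ip 10.7.20.0 0.0.0.255 host 10.128.127.196
ip access-list extended abcdef-new
 permit ip 10.7.21.0 0.0.0.7 10.128.160.0 0.0.1.255 log
 permit ip 10.7.20.0 0.0.0.7 10.128.160.0 0.0.1.255 log
"""

CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
MATCH_RE = re.compile(r"^match address (\S+)$")
ACL_RE = re.compile(r"^ip access-list extended (\S+)$")


def _take_spec(tokens):
    """Consume one IOS ACL address spec (any | host A | A WILDCARD) from the
    front of the token list; return (IPv4Network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    # ipaddress accepts an IOS wildcard (host mask) after the slash, e.g. 0.0.0.255
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_map_refs(config):
    """Return [(map_name, seq, acl_name)] for every 'match address' line."""
    refs, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = CMAP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        m = MATCH_RE.match(line)
        if m and current:
            refs.append((current[0], current[1], m.group(1)))
    return refs


def parse_named_acls(config):
    """Return {acl_name: [(src_network, dst_network), ...]} from 'permit ip' entries."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is None:
            continue
        if line.startswith("permit ip "):
            src, rest = _take_spec(line.split()[2:])
            dst, _ = _take_spec(rest)
            acls[current].append((src, dst))
        elif not line.startswith(("permit ", "deny ", "remark ")):
            current = None  # left the ACL block ('!' or another top-level command)
    return acls


def dangling_references(config):
    """Crypto map sequences whose ACL is never defined, so they can never match."""
    acls = parse_named_acls(config)
    return [r for r in parse_crypto_map_refs(config) if r[2] not in acls]


def unused_acls(config):
    """Named ACLs that no crypto map sequence references."""
    used = {r[2] for r in parse_crypto_map_refs(config)}
    return sorted(name for name in parse_named_acls(config) if name not in used)


def encryption_domains_covering(config, local_ip):
    """Crypto map sequences whose (existing) ACL permits local_ip as a source."""
    ip = ipaddress.IPv4Address(local_ip)
    acls = parse_named_acls(config)
    return [r for r in parse_crypto_map_refs(config)
            if any(ip in src for src, _dst in acls.get(r[2], []))]


if __name__ == "__main__":
    print("dangling:", dangling_references(SAMPLE_CONFIG))
    print("unused:", unused_acls(SAMPLE_CONFIG))
    for host in ("10.7.20.4", "10.7.21.2"):
        print(host, "covered by", encryption_domains_covering(SAMPLE_CONFIG, host))
```

On the sample this reproduces George's three observations: sequence 2 points at an ACL that does not exist, abcdef-new is defined but unused, and 10.7.21.2 (the NATed printer address) is covered by no active crypto ACL, while 10.7.20.4 is covered by sequence 1. The same three checks are worth running on any IOS config whose interesting traffic "works" on one tunnel but not another.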