10-29-2020 04:32 AM - edited 10-29-2020 05:55 AM
I have a CISCO1921 with IOS 15.3(3)M5 and its behaviour differs from what I would expect from the config.
Overview:
Problem:
Connections for NAT overload are matched by ACL_NAT_FROM_LAN (see below), but the behaviour and the output of 'show ip nat translations' differ from what I would expect from the ACL/configuration:
1) first discrepancy:
Connections to a public IP Z.Z.Z.Z sourced from within 10.4.10.0/23 get overloaded with X.X.X.X (BUT WHY?!) - anyway, a connection or ping to the public IP does not work. (There is no outgoing ACL configured.)
# show ip nat translations
Pro Inside global      Inside local        Outside local       Outside global
tcp X.X.X.X:58993      10.4.10.65:58993    Z.Z.Z.Z:80          Z.Z.Z.Z:80
2) second discrepancy:
Connections to private addresses reachable behind the IPsec tunnel (10.4.0.0/24) sourced from 10.4.10.0/23 show up as overloaded (BUT WHY?!) - anyway, connections or pings to the private network behind the tunnel work - so obviously they don't get overloaded with the public IP X.X.X.X on the outside interface.
# show ip nat translations
Pro Inside global      Inside local        Outside local       Outside global
tcp X.X.X.X:55800      10.4.11.150:55800   10.4.0.152:3128     10.4.0.152:3128
tcp X.X.X.X:55825      10.4.11.150:55825   10.4.0.152:3128     10.4.0.152:3128
tcp X.X.X.X:55827      10.4.11.150:55827   10.4.0.152:3128     10.4.0.152:3128
tcp X.X.X.X:55828      10.4.11.150:55828   10.4.0.152:3128     10.4.0.152:3128
tcp X.X.X.X:55862      10.4.11.150:55862   10.4.0.152:3128     10.4.0.152:3128
tcp X.X.X.X:55863      10.4.11.150:55863   10.4.0.152:3128     10.4.0.152:3128
tcp X.X.X.X:55864      10.4.11.150:55864   10.4.0.152:3128     10.4.0.152:3128
tcp X.X.X.X:55865      10.4.11.150:55865   10.4.0.152:3128     10.4.0.152:3128
tcp X.X.X.X:55866      10.4.11.150:55866   10.4.0.152:3128     10.4.0.152:3128
tcp X.X.X.X:56442      10.4.11.150:56442   10.4.0.130:8080     10.4.0.130:8080
Configuration
Please see the shortened config below, and thanks in advance for your feedback!
!
crypto map CM_VPN 20 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set ESP-AES-128-SHA
 match address VPN_MATCH
!
!
object-group network NETS_LOCAL
 10.4.10.0 255.255.254.0
!
object-group network RFC_Private
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
!
!
interface GigabitEthernet0/0
 description *** OUTSIDE ***
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
!
interface GigabitEthernet0/1
 description *** INSIDE ***
 ip address 10.4.11.254 255.255.254.0
 ip helper-address 10.4.0.150
 ip nat inside
!
!
interface Dialer1
 description *** 10 MBIT RR ***
 ip access-group ACL_FW_FROM_OUTSIDE in
 ip nat outside
 dialer pool 1
 dialer-group 1
 crypto map CM_VPN
!
ip nat inside source list ACL_NAT_FROM_LAN interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.4.12.0 255.255.255.0 10.4.11.253
ip route 10.4.14.0 255.255.255.0 10.4.11.253
!
ip access-list extended ACL_NAT_FROM_LAN
 permit ip host 10.4.11.150 any log
 deny ip 10.4.10.0 0.0.1.255 10.4.0.0 0.0.255.255
 deny ip object-group NETS_LOCAL object-group RFC_Private
 deny gre any any
 deny ip 10.4.12.0 0.0.0.255 10.4.0.0 0.0.255.255
 permit ip host 10.4.10.68 any
 permit ip 10.4.12.0 0.0.0.255 any
 permit ip 10.4.0.0 0.0.255.255 any log
!
ip access-list extended VPN_MATCH
 permit ip 10.4.10.0 0.0.1.255 10.4.0.0 0.0.0.255
 permit ip 10.4.10.0 0.0.1.255 10.4.1.0 0.0.0.255
 permit ip 10.4.10.0 0.0.1.255 10.4.4.0 0.0.0.255
 permit ip 10.4.10.0 0.0.1.255 10.4.5.0 0.0.0.255
 permit ip 10.4.10.0 0.0.1.255 10.4.20.0 0.0.1.255
 permit ip 10.4.10.0 0.0.1.255 10.4.30.0 0.0.1.255
 permit ip 10.4.10.0 0.0.1.255 10.4.40.0 0.0.1.255
 permit ip 10.4.10.0 0.0.1.255 10.4.50.0 0.0.1.255
 permit ip 10.4.10.0 0.0.1.255 10.10.14.0 0.0.0.255
 permit ip 10.4.12.0 0.0.0.255 10.4.0.0 0.0.0.255
 permit ip 10.4.12.0 0.0.0.255 10.4.1.0 0.0.0.255
 permit ip 10.4.12.0 0.0.0.255 10.4.4.0 0.0.0.255
 permit ip 10.4.12.0 0.0.0.255 10.4.5.0 0.0.0.255
 permit ip 10.4.12.0 0.0.0.255 10.4.20.0 0.0.1.255
 permit ip 10.4.12.0 0.0.0.255 10.4.30.0 0.0.1.255
 permit ip 10.4.12.0 0.0.0.255 10.4.40.0 0.0.1.255
 permit ip 10.4.12.0 0.0.0.255 10.4.50.0 0.0.1.255
 permit ip 10.4.12.0 0.0.0.255 10.10.14.0 0.0.0.255
 permit ip 10.4.14.0 0.0.0.255 10.4.0.0 0.0.0.255
 permit ip 10.4.14.0 0.0.0.255 10.4.20.0 0.0.1.255
 permit ip 10.4.14.0 0.0.0.255 10.4.24.0 0.0.0.255
 permit ip 10.4.14.0 0.0.0.255 10.10.14.0 0.0.0.255
 permit gre any any
!
/edit
Added ip routes to the configuration excerpt.
10-29-2020 04:57 AM - edited 10-29-2020 05:07 AM
Hello
You have quite a convoluted NAT access-list which doesn't make sense.
First of all, NAT doesn't like the LOG keyword appended to any access-list it relates to.
Then it seems you have ACE entries that are denying NAT on a subnet range which includes the subnet you want to NAT, and lastly you have entries that NAT won't even use?
interface GigabitEthernet0/1
description *** INSIDE ***
ip address 10.4.11.254 255.255.254.0
ip nat inside
ip access-list extended ACL_NAT_FROM_LAN
permit ip host 10.4.11.150 any log
deny ip 10.4.10.0 0.0.1.255 10.4.0.0 0.0.255.255
deny ip object-group NETS_LOCAL object-group RFC_Private <- denying 10.4.10.0/23 ip range to other RFC addressing (does your global addressing incorporate this?)
deny gre any any
deny ip 10.4.12.0 0.0.0.255 10.4.0.0 0.0.255.255 <- 10.4.12.0/24 isn't on the LAN interface
permit ip host 10.4.10.68 any
permit ip 10.4.12.0 0.0.0.255 any <- doesn’t exist on the lan interface
permit ip 10.4.0.0 0.0.255.255 any log <- and not specific enough (10.4.10.0 0.0.254.255)
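To make the first-match evaluation of ACL_NAT_FROM_LAN explicit (the ACL in the original post and the ACEs annotated in the reply above), here is an added example that is not part of this thread and not Cisco IOS code: a small Python evaluator for the subset of IOS extended-ACL syntax the posted ACL uses (permit/deny, ip/gre, host/any/wildcard and object-group operands), run over the flows from the two 'show ip nat translations' outputs. The ACE order and object-group contents are copied from the posted config; the public addresses are stand-ins (203.0.113.10 for Z.Z.Z.Z, 198.51.100.1 as a GRE destination). It shows that 10.4.10.65 -> Z.Z.Z.Z falls through every deny and is matched by the final `permit ip 10.4.0.0 0.0.255.255 any log`, and that 10.4.11.150 -> 10.4.0.152 is matched by the first ACE before the `deny ip 10.4.10.0 0.0.1.255 10.4.0.0 0.0.255.255` is ever reached, which is why both appear in the translation table. The evaluator models ACE matching only, not the router's NAT/crypto-map order of operations.

```python
"""First-match evaluator for the subset of IOS extended-ACL syntax used in
ACL_NAT_FROM_LAN.  Added example: it models ACE matching only, not the NAT or
crypto-map order of operations of the router itself."""
import ipaddress
from dataclasses import dataclass

# Object groups copied from the posted config (network plus subnet mask).
OBJECT_GROUPS = {
    "NETS_LOCAL": ["10.4.10.0 255.255.254.0"],
    "RFC_Private": ["10.0.0.0 255.0.0.0", "172.16.0.0 255.240.0.0",
                    "192.168.0.0 255.255.0.0"],
}

# ACL_NAT_FROM_LAN exactly as posted, in the order IOS evaluates it.
ACL_NAT_FROM_LAN = [
    "permit ip host 10.4.11.150 any log",
    "deny ip 10.4.10.0 0.0.1.255 10.4.0.0 0.0.255.255",
    "deny ip object-group NETS_LOCAL object-group RFC_Private",
    "deny gre any any",
    "deny ip 10.4.12.0 0.0.0.255 10.4.0.0 0.0.255.255",
    "permit ip host 10.4.10.68 any",
    "permit ip 10.4.12.0 0.0.0.255 any",
    "permit ip 10.4.0.0 0.0.255.255 any log",
]

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol, anything else must match exactly
    src: list     # list of IPv4Network
    dst: list     # list of IPv4Network
    log: bool     # ACE carries the "log" keyword
    text: str     # original ACE line, for reporting


def _net_from_mask(addr, mask):
    """Network from address plus subnet mask (object-group notation)."""
    return ipaddress.ip_network((addr, mask), strict=False)


def _net_from_wildcard(addr, wildcard):
    """Network from address plus IOS wildcard (inverse mask) as used in ACEs."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return _net_from_mask(addr, str(ipaddress.IPv4Address(mask)))


def _parse_operand(tokens, i):
    """Parse one address operand starting at tokens[i]; return (networks, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return [ANY], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object-group":
        entries = OBJECT_GROUPS[tokens[i + 1]]
        return [_net_from_mask(*e.split()) for e in entries], i + 2
    return [_net_from_wildcard(tok, tokens[i + 1])], i + 2


def parse_ace(line):
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_operand(tokens, 2)
    dst, i = _parse_operand(tokens, i)
    return Ace(action, proto, src, dst, "log" in tokens[i:], line)


def first_match(acl_lines, proto, src_ip, dst_ip):
    """(index, Ace) of the first matching ACE, or (None, None) for the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace.proto not in ("ip", proto):
            continue
        if any(src in n for n in ace.src) and any(dst in n for n in ace.dst):
            return idx, ace
    return None, None


def nat_decision(proto, src_ip, dst_ip, acl_lines=ACL_NAT_FROM_LAN):
    """Would 'ip nat inside source list ACL_NAT_FROM_LAN ... overload' translate this flow?"""
    idx, ace = first_match(acl_lines, proto, src_ip, dst_ip)
    return {
        "translated": ace is not None and ace.action == "permit",
        "ace_index": idx,
        "ace": ace.text if ace else "implicit deny",
        "logged": bool(ace and ace.log),
    }


if __name__ == "__main__":
    # Flows from the two 'show ip nat translations' outputs; public IPs are stand-ins.
    for proto, s, d in [("tcp", "10.4.10.65", "203.0.113.10"),   # 10.4.10.65 -> Z.Z.Z.Z
                        ("tcp", "10.4.11.150", "10.4.0.152"),    # proxy behind the tunnel
                        ("tcp", "10.4.10.65", "10.4.0.152"),     # another LAN host, same target
                        ("gre", "10.4.11.1", "198.51.100.1")]:   # GRE from the LAN
        print(proto, s, "->", d, nat_decision(proto, s, d))
```

Reading the output: the only difference between the 10.4.11.150 and 10.4.10.65 flows to 10.4.0.152 is that the host-specific `permit ... any` sits above the subnet deny, so ACE order alone explains why one host's tunnel traffic appears in the translation table and the other's does not.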
10-29-2020 05:10 AM
I think the subnet is the issue here:
ip address 10.4.11.254 255.255.254.0
This is for the interface, meaning /23, so:
IPsec without NAT: which host?
With overload: which host?