11-20-2017 12:21 PM - edited 03-05-2019 09:31 AM
Hi Everybody,
I have a NAT issue with an ISR 4331 using a working configuration from a 2911 router. When a VPN client tries to connect to 10.226.26.1 port 443 there is no translation to 10.220.202.24. There are matches in VPN_ACL but the VPN client does not connect. The NAT table isn't registering anything. This is the configuration:
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no service dhcp
no platform punt-keepalive disable-kernel-core
!
hostname Office_Router_4520
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.06.S.155-3.S6-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 40960
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication ppp default local
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting nested
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 0 default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting network default
action-type start-stop
group tacacs+
!
aaa accounting system default
action-type start-stop
group tacacs+
!
aaa session-id common
clock timezone CRC -6 0
no ip source-route
!
no ip bootp server
!
no ip domain lookup
!
!
ntp max-associations 2
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
key chain EIGRP-key-757
key 757
key-string !! SUPPRESSED !!
!
!
!
license boot level securityk9
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
interface Loopback0
description For NAT of VPN clients
ip address 5.203.140.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
!
interface Loopback10
description Remote administration of router
ip address 10.215.140.1 255.255.255.255
no ip redirects
no ip unreachables
!
interface Loopback26
description For VPN Nat
ip address 10.226.26.2 255.255.255.0
no ip redirects
no ip unreachables
ip nat outside
!
interface Tunnel1
description Tunnel to HQ via service provider
bandwidth 2048
ip address 10.221.140.2 255.255.255.252
no ip redirects
no ip unreachables
ip nat outside
ip authentication mode eigrp 757 md5
ip authentication key-chain eigrp 757 EIGRP-key-757
delay 2000
tunnel source GigabitEthernet0/0/1
tunnel destination 10.210.1.1
tunnel key !! SUPPRESSED !!
!
!
interface GigabitEthernet0/0/0
shutdown
!
!
interface GigabitEthernet0/0/1
description Link to Service Provider
ip address 10.210.1.140 255.255.255.0
no ip redirects
no ip unreachables
load-interval 30
negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/2
shutdown
!
interface GigabitEthernet0/1/0
description Connection to VPN Client 10.1.3.6
switchport access vlan 140
no cdp enable
spanning-tree portfast
ip virtual-reassembly
!
interface GigabitEthernet0/1/1
description Connection to VPN Client 10.1.3.10
switchport access vlan 140
spanning-tree portfast
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan140
description SVI for VPN Clients
ip address 10.1.3.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip access-group VPN_ACL in
!
!
router eigrp 757
distribute-list 33 in
network 5.203.140.0 0.0.0.255
network 10.215.140.1 0.0.0.0
network 10.221.140.0 0.0.0.3
passive-interface Loopback0
passive-interface Loopback10
passive-interface Loopback26
passive-interface GigabitEthernet0/0/0
passive-interface GigabitEthernet0/0/1
eigrp stub connected
!
ip nat inside source static 10.1.3.6 5.203.140.6
ip nat inside source static 10.1.3.10 5.203.140.10
!
ip nat outside source static 10.220.202.24 10.226.26.1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface Loopback10
!
!
ip access-list extended VPN_ACL
remark Access of VPN Clients
remark VPN Client # 4525
permit tcp host 10.1.3.6 host 10.226.26.1 eq 443
remark VPN Client # 4526
permit tcp host 10.1.3.10 host 10.226.26.1 eq 443
remark Allow ICMP to gateway
permit icmp 10.1.3.0 0.0.0.255 10.1.3.0 0.0.0.255
deny ip any any log
!
access-list 9 permit 192.168.64.128 0.0.0.15
access-list 9 deny any log
access-list 10 permit 10.210.1.1
access-list 10 permit 10.211.1.1
access-list 10 permit 192.168.64.128 0.0.0.15
access-list 10 deny any log
access-list 20 permit 192.168.64.10
access-list 20 permit 192.168.64.11
access-list 20 permit any
access-list 33 permit 10.224.30.0 0.0.0.255
access-list 33 permit 10.220.202.0 0.0.0.255
access-list 33 permit 192.168.64.0 0.0.0.255
access-list 33 permit 192.168.128.0 0.0.0.255
access-list 33 permit 192.168.160.0 0.0.0.255
!
!
control-plane
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
no exec
stopbits 1
line vty 0 3
access-class 10 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
line vty 4
access-class 9 in
exec-timeout 2 0
privilege level 15
logging synchronous
transport input telnet ssh
!
no network-clock synchronization automatic
ntp authentication-key 1 md5 !! SUPPRESSED !!
ntp authenticate
ntp trusted-key 1
ntp access-group peer 20
ntp server 192.168.64.10 key 1 prefer source Loopback10
ntp server 192.168.64.11 key 1 source Loopback10
!
end
show access-lists VPN_ACL
Extended IP access list VPN_ACL
10 permit tcp host 10.1.3.6 host 10.226.26.1 eq 443 (3 matches)
20 permit tcp host 10.1.3.10 host 10.226.26.1 eq 443 (3 matches)
30 permit icmp 10.1.3.0 0.0.0.255 10.1.3.0 0.0.0.255 (4 matches)
40 deny ip any any log (2 matches)
show ip nat tra
Pro Inside global Inside local Outside local Outside global
--- --- --- 10.226.26.1 10.220.202.24
--- 5.203.140.10 10.1.3.10 --- ---
--- 5.203.140.6 10.1.3.6 --- ---
I really appreciate your help,
Alex
11-21-2017 12:51 AM
Hello,
try and add:
ip nat outside source static add-route
to your configuration.
Which IOS version are you running ?
11-21-2017 01:35 PM
Hi Georg,
I tried with that command for nat outside but the result was the same.
The IOS-XE version is Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6. Image isr4300-universalk9.03.16.06.S.155-3.S6-ext.SPA.bin.
Regards
11-21-2017 08:04 AM
Hello
I cannot review your config well from my phone, but your NAT statements do not look correct: you seem to be applying static outside NAT towards an outside interface, your outside global addressing doesn't match any WAN or VPN subnet, and you're not specifying TCP port 443 for HTTPS.
As I said, at first glance your NAT config looks incorrect; I'm sure others could verify this.
res
paul
11-21-2017 02:07 PM
Hi Paul
This is the routing table:
show ip route
Gateway of last resort is not set
5.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 5.203.140.0/24 is directly connected, Loopback0
L 5.203.140.1/32 is directly connected, Loopback0
L 5.203.140.6/32 is directly connected, Loopback0
L 5.203.140.10/32 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 18 subnets, 3 masks
C 10.1.3.0/24 is directly connected, Vlan140
L 10.1.3.1/32 is directly connected, Vlan140
C 10.210.1.0/24 is directly connected, GigabitEthernet0/0/1
L 10.210.1.140/32 is directly connected, GigabitEthernet0/0/1
S 10.211.1.0/30 [1/0] via 10.212.140.1
C 10.212.140.0/30 is directly connected, GigabitEthernet0/0/0
L 10.212.140.2/32 is directly connected, GigabitEthernet0/0/0
C 10.215.140.1/32 is directly connected, Loopback10
D EX 10.220.202.0/24 [170/1762048] via 10.221.140.1, 1d00h, Tunnel1
C 10.221.140.0/30 is directly connected, Tunnel1
L 10.221.140.2/32 is directly connected, Tunnel1
D 10.224.30.210/32 [90/1889792] via 10.221.140.1, 1d00h, Tunnel1
D 10.224.30.220/32 [90/1889792] via 10.221.140.1, 1d00h, Tunnel1
C 10.226.26.0/24 is directly connected, Loopback26
L 10.226.26.1/32 is directly connected, Loopback26
L 10.226.26.2/32 is directly connected, Loopback26
If the VPN client with IP 10.1.3.6 tries to connect to 10.226.26.1, the NAT outside should translate 10.226.26.1 to 10.220.202.24 and the NAT inside should translate 10.1.3.6 to 5.203.140.6. But it didn't happen.
When the VPN client tries to connect to 10.220.202.24 (without the ACL in), the NAT inside translation works and it connects.
This seems like the NAT outside is not working.
11-21-2017 03:02 PM
Hello,
you said the same configuration worked on a 2900 router, can you post that configuration ?
11-28-2017 07:55 AM
Hello again
I already solved this by moving the loopback 26 to the HQ router and including the 10.226.26.0/24 network in the routing by EIGRP. In this way the nat outside 10.220.202.24 -> 10.226.27.1 worked. Something not very eclectic but effective.
Thanks for your time
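A check that ties the routing-table post and the final fix together, added here as an example and not part of the thread: on IOS an inside-to-outside packet is routed before it is translated, so the outside-local address of an `ip nat outside source static` entry has to route out through a NAT-outside interface. The script parses the posted `show ip route` excerpt (where 10.226.26.1/32 is a local address on Loopback26, so packets to it terminate on the router) and a constructed, assumed table for the state after Loopback26 moved to HQ and 10.226.26.0/24 is learned via EIGRP over Tunnel1.

```python
import ipaddress
import re

# Posted NAT statement and the interfaces carrying "ip nat outside".
OUTSIDE_STATIC = "ip nat outside source static 10.220.202.24 10.226.26.1"
NAT_OUTSIDE_IFACES = {"Loopback0", "Loopback26", "Tunnel1"}

# Excerpt of the routing table posted in the thread (before the fix).
ROUTES_BEFORE = """\
C 10.226.26.0/24 is directly connected, Loopback26
L 10.226.26.1/32 is directly connected, Loopback26
L 10.226.26.2/32 is directly connected, Loopback26
D EX 10.220.202.0/24 [170/1762048] via 10.221.140.1, 1d00h, Tunnel1
"""
# Constructed, assumed table after Loopback26 moved to HQ (not from the thread).
ROUTES_AFTER = """\
D EX 10.226.26.0/24 [170/1762048] via 10.221.140.1, 00:05:00, Tunnel1
D EX 10.220.202.0/24 [170/1762048] via 10.221.140.1, 1d00h, Tunnel1
"""

# Route code (C, L, S, D, D EX, ...), prefix, and the trailing egress interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]+(?: EX)?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s.*?(?P<iface>\S+)$")

def parse_routes(text):
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m["code"], ipaddress.ip_network(m["prefix"]), m["iface"]))
    return routes

def lookup(routes, addr):
    """Longest-prefix match, as the router's forwarding lookup would do."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[1]]
    return max(matches, key=lambda r: r[1].prefixlen, default=None)

def check_outside_static(nat_line, routes, outside_ifaces):
    """Classify why an inside host's packet to the outside-local address
    would or would not reach the outside-source translation."""
    m = re.match(r"ip nat outside source static (\S+) (\S+)", nat_line)
    _outside_global, outside_local = m.groups()
    route = lookup(routes, outside_local)
    if route is None:
        return "no-route"            # needs add-route or a static route
    code, _, iface = route
    if code == "L":
        return "local-address"       # delivered to the router itself, never forwarded
    if iface not in outside_ifaces:
        return "egress-not-nat-outside"
    return "ok"
```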