cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1110
Views
0
Helpful
6
Replies

NAT static configuration works in 29xx but not in ISR 4331

Hi Everybody,

 

I have a NAT issue with a ISR 4331 with a working configuration from a 2911 router. When a VPN client tries to connect to 10.226.26.1 port 443 there is not translation to 10.220.202.24. There are matches in VPN_ACL but the VPN client not connect. NAT table isn't registering anything.  This is the configuration:

 

no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no service dhcp
no platform punt-keepalive disable-kernel-core
!
hostname Office_Router_4520
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.06.S.155-3.S6-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 40960
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication ppp default local
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting nested
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 0 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa accounting network default
 action-type start-stop
 group tacacs+
!
aaa accounting system default
 action-type start-stop
 group tacacs+
!
aaa session-id common
clock timezone CRC -6 0
no ip source-route
!
no ip bootp server
!
no ip domain lookup
!
!
ntp max-associations 2
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
key chain EIGRP-key-757
 key 757
   key-string !! SUPPRESSED  !!
!
!
!
license boot level securityk9
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!
interface Loopback0
 description For NAT of VPN clients
 ip address 5.203.140.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
!
interface Loopback10
 description Remote administration of router
 ip address 10.215.140.1 255.255.255.255
 no ip redirects
 no ip unreachables
!
interface Loopback26
 description For VPN Nat
 ip address 10.226.26.2 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat outside
!
interface Tunnel1
 description Tunnel to HQ via service provider
 bandwidth 2048
 ip address 10.221.140.2 255.255.255.252
 no ip redirects
 no ip unreachables
 ip nat outside
 ip authentication mode eigrp 757 md5
 ip authentication key-chain eigrp 757 EIGRP-key-757
 delay 2000
 tunnel source GigabitEthernet0/0/1
 tunnel destination 10.210.1.1
 tunnel key !! SUPPRESSED  !!
!
!
interface GigabitEthernet0/0/0
shutdown
!
!
interface GigabitEthernet0/0/1
 description Link to Service Provider
 ip address 10.210.1.140 255.255.255.0
 no ip redirects
 no ip unreachables
 load-interval 30
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/2
 shutdown
!
interface GigabitEthernet0/1/0
 description Connection to VPN Client 10.1.3.6
 switchport access vlan 140
 no cdp enable
 spanning-tree portfast
 ip virtual-reassembly
!
interface GigabitEthernet0/1/1
 description Connection to VPN Client 10.1.3.10
 switchport access vlan 140
 spanning-tree portfast
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan140
 description SVI for VPN Clients
 ip address 10.1.3.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip access-group VPN_ACL in
!
!
router eigrp 757
 distribute-list 33 in
 network 5.203.140.0 0.0.0.255
 network 10.215.140.1 0.0.0.0
 network 10.221.140.0 0.0.0.3
 passive-interface Loopback0
 passive-interface Loopback10
 passive-interface Loopback26
 passive-interface GigabitEthernet0/0/0
 passive-interface GigabitEthernet0/0/1
 eigrp stub connected
!
ip nat inside source static 10.1.3.6 5.203.140.6
ip nat inside source static 10.1.3.10 5.203.140.10
!
ip nat outside source static 10.220.202.24 10.226.26.1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface Loopback10
!
!
ip access-list extended VPN_ACL
 remark Access of VPN Clients
 remark VPN Client # 4525
 permit tcp host 10.1.3.6 host 10.226.26.1 eq 443
 remark VPN Client # 4526
 permit tcp host 10.1.3.10 host 10.226.26.1 eq 443
 remark Allow ICMP to gateway
 permit icmp 10.1.3.0 0.0.0.255 10.1.3.0 0.0.0.255
 deny   ip any any log
!
access-list 9 permit 192.168.64.128 0.0.0.15
access-list 9 deny   any log
access-list 10 permit 10.210.1.1
access-list 10 permit 10.211.1.1
access-list 10 permit 192.168.64.128 0.0.0.15
access-list 10 deny   any log
access-list 20 permit 192.168.64.10
access-list 20 permit 192.168.64.11
access-list 20 permit any
access-list 33 permit 10.224.30.0 0.0.0.255
access-list 33 permit 10.220.202.0 0.0.0.255
access-list 33 permit 192.168.64.0 0.0.0.255
access-list 33 permit 192.168.128.0 0.0.0.255
access-list 33 permit 192.168.160.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 no exec
 stopbits 1
line vty 0 3
 access-class 10 in
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 transport input telnet ssh
line vty 4
 access-class 9 in
 exec-timeout 2 0
 privilege level 15
 logging synchronous
 transport input telnet ssh
!
no network-clock synchronization automatic
ntp authentication-key 1 md5 !! SUPPRESSED  !!
ntp authenticate
ntp trusted-key 1
ntp access-group peer 20
ntp server 192.168.64.10 key 1 prefer source Loopback10
ntp server 192.168.64.11 key 1 source Loopback10
!
end

 

 

show access-lists VPN_ACL
Extended IP access list VPN_ACL
    10 permit tcp host 10.1.3.6 host 10.226.26.1 eq 443 (3 matches)
    20 permit tcp host 10.1.3.10 host 10.226.26.1 eq 443 (3 matches)
    30 permit icmp 10.1.3.0 0.0.0.255 10.1.3.0 0.0.0.255 (4 matches)
    40 deny ip any any log (2 matches)

 

 

show ip nat tra
Pro  Inside global         Inside local          Outside local         Outside global
---  ---                   ---                   10.226.26.1           10.220.202.24        
---  5.203.140.10          10.1.3.10             ---                   ---
---  5.203.140.6           10.1.3.6              ---                   ---

 

I really appreciate your help,

 

Alex

6 Replies 6

Hello,

 

try and add:

 

ip nat outside source static add-route

 

to your configuration.

 

Which IOS version are you running ?

 

Hi Georg,

 

I tried with that command for nat outside but the result was the same.

 

The IOS-XE version is Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6. Image isr4300-universalk9.03.16.06.S.155-3.S6-ext.SPA.bin.

 

Regards

Hello

i cannot review you config well from my phone but your nat statements do not look correct - you seem to be applying static outside nat towards an outside interface and also your outside global addressing doesn’t match any wan or VPN subnet and your not specifying tcp port 443 for https

 

As I said at first glance you nat config looks incorrect - I’m sure other could verify this

 

res

paul

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul

 

This is the routing table:


show ip route
Gateway of last resort is not set

      5.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        5.203.140.0/24 is directly connected, Loopback0
L        5.203.140.1/32 is directly connected, Loopback0
L        5.203.140.6/32 is directly connected, Loopback0
L        5.203.140.10/32 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 18 subnets, 3 masks
C        10.1.3.0/24 is directly connected, Vlan140
L        10.1.3.1/32 is directly connected, Vlan140
C        10.210.1.0/24 is directly connected, GigabitEthernet0/0/1
L        10.210.1.140/32 is directly connected, GigabitEthernet0/0/1
S        10.211.1.0/30 [1/0] via 10.212.140.1
C        10.212.140.0/30 is directly connected, GigabitEthernet0/0/0
L        10.212.140.2/32 is directly connected, GigabitEthernet0/0/0
C        10.215.140.1/32 is directly connected, Loopback10
D EX     10.220.202.0/24 [170/1762048] via 10.221.140.1, 1d00h, Tunnel1
C        10.221.140.0/30 is directly connected, Tunnel1
L        10.221.140.2/32 is directly connected, Tunnel1
D        10.224.30.210/32 [90/1889792] via 10.221.140.1, 1d00h, Tunnel1
D        10.224.30.220/32 [90/1889792] via 10.221.140.1, 1d00h, Tunnel1
C        10.226.26.0/24 is directly connected, Loopback26
L        10.226.26.1/32 is directly connected, Loopback26
L        10.226.26.2/32 is directly connected, Loopback26

 


If the vpn client with ip 10.1.3.6 tries to connect to 10.226.26.1, the nat outside should translate 10.226.26.1 to 10.220.202.24 and the nat inside translate 10.1.3.6 to 5.203.140.6. But it didn't happen.

When the vpn client tries to connect to 10.220.202.24 (without ACL in) the nat inside translation works and connect.

This seems like the nat outside is not working.

 

Hello,

 

you said the same configuration worked on a 2900 router, can you post that configuration ?

Hello again

 

I already solved this by moving the loopback 26 to the HQ router and including the 10.226.26.0/24 network in the routing by EIGRP. In this way the nat outside 10.220.202.24 -> 10.226.27.1 worked. Something not very eclectic but effective.

 

Thanks for your time

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: