05-26-2016 04:46 PM - edited 03-05-2019 04:05 AM
Hey all,
So I'm trying to NAT two services over an IPsec tunnel.
<Internet> -----> <Public IP's> -----> <Router 1> -----> <tun interface> -----> <Internet> -----> <router 2>
router 1 config
ip nat inside source route-map NoNat interface GigabitEthernet0/0 overload
ip nat inside source static udp 172.16.70.1 5060 <public IP 1 > 5060 extendable
ip nat inside source static udp 172.16.70.19 53 <public IP 2 > 53 extendable
ip nat inside source static tcp 172.16.70.19 80 <public IP 2 > 80 extendable
interface GigabitEthernet0/0
description Link to network
ip address <public IP 1 > 255.255.255.248
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
media-type rj45
interface Tunnel10
bandwidth 1000000
ip address 10.255.255.1 255.255.255.0
no ip redirects
no ip unreachables
ip mtu 1400
ip nat inside
ip nhrp authentication Y4a]Nwjg
ip nhrp map multicast dynamic
ip nhrp network-id 1006985
ip nhrp holdtime 600
ip virtual-reassembly in
no ip route-cache
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100698
tunnel protection ipsec profile Orddie
end
route-map NoNat, permit, sequence 10
Match clauses:
ip address (access-lists): NO-NAT
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Extended IP access list NO-NAT
1 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
2 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
3 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
100 permit ip any any (183353 matches)
ip route 0.0.0.0 0.0.0.0 <router 1 default gw>
ip route 10.0.3.0 255.255.255.0 10.255.255.2
ip route 172.16.0.0 255.255.0.0 10.255.255.4
ip route 192.168.1.0 255.255.255.0 10.255.255.10
Router 2 config
interface GigabitEthernet0/0.10
description Data Network
encapsulation dot1Q 10
ip address 172.16.10.6 255.255.255.0
interface Tunnel10
bandwidth 1000
ip address 10.255.255.4 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication Y4a]Nwjg
ip nhrp map multicast dynamic
ip nhrp map 10.255.255.1 <router 1 public>
ip nhrp map multicast <router 1 public>
ip nhrp network-id 1006985
ip nhrp holdtime 300
ip nhrp nhs 10.255.255.1
delay 1000
tunnel source GigabitEthernet0/0.10
tunnel mode gre multipoint
tunnel key 100698
tunnel protection ipsec profile Orddie
interface GigabitEthernet0/0.70
description VoIP Interface
encapsulation dot1Q 70
ip address 172.16.70.20 255.255.255.0 secondary
ip address 172.16.70.1 255.255.255.0
ip policy route-map DataCenterBound
From router 1, I can ping the 172.16.70.19 IP. The NAT for port 80 (going to the same host) works just fine.
Doing a debug on the IP NAT I get the following:
May 26 23:25:48.842: NAT: translation failed (A), dropping packet s=172.16.70.19 d=166.170.31.227
According to THIS LINK I issued ip subnet-zero on R1.
This is still not working.
05-26-2016 06:00 PM
What does the route-map DataCenterBound do?
Router 1 config looks good. Note that router 2 must route the reply traffic for NAT through the tunnel. The traffic flow must be symmetric.
At the moment I can't see anything on router 2 which would guarantee the return traffic to go via the tunnel.
05-27-2016 06:42 AM
hi!
Sorry, this was missed from the initial report.
This is all on router two. The route map is sending the NATted traffic back to the DC. Please keep in mind that the TCP mapping to port 80 on the same server works as expected. When I try the DNS query, I can see the ACL matching as well.
route-map DataCenterBound, permit, sequence 10
Match clauses:
ip address (access-lists): DataCenterBound
Set clauses:
ip next-hop 10.255.255.1
Nexthop tracking current: 0.0.0.0
10.255.255.1, fib_nh:0,oce:0,status:0
Extended IP access list DataCenterBound
1 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 (194245 matches)
2 deny ip 172.16.0.0 0.0.255.255 10.0.3.0 0.0.0.255
3 deny ip 172.16.0.0 0.0.255.255 10.0.1.0 0.0.0.255 (1430 matches)
4 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (3558 matches)
100 permit tcp host 172.16.70.19 eq www any (333 matches)
101 permit udp host 172.16.70.19 eq domain any (188 matches)
05-27-2016 11:27 AM
I believe your configuration is correct with regard to tcp/80 and udp/53.
Does 172.16.70.19 have just the one IP address configured on it? If it has more than one IP address, any chance DNS is responding from a different IP on the same machine?
What are the two router models being used, and what software versions are on them? You may have hit an IOS bug.
Is <public ip 2> used for anything else? Could you change this to being a 1:1 NAT (also change the access-list DataCenterBound to match)?
no ip nat inside source static udp 172.16.70.19 53 <public IP 2> 53 extendable
no ip nat inside source static tcp 172.16.70.19 80 <public IP 2 > 80 extendable
ip nat inside source static 172.16.70.19 <public IP 2> extendable
05-27-2016 12:20 PM
hi!
If I do a full 1:1 NAT everything works.
<public IP 2> is not used for anything else.
The 172.16.70.19 server has a single IP address, and I confirmed I'm able to pull DNS queries via LAN.
Router 1 as follows
Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 15.1(4)M10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 24-Mar-15 09:50 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
WilkesBarre-3825-01 uptime is 1 week, 1 hour, 27 minutes
System returned to ROM by power-on
System restarted at 13:48:11 EDT Fri May 20 2016
System image file is "flash:c3825-advipservicesk9-mz.151-4.M10.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 3825 (revision 1.2) with 487424K/36864K bytes of memory.
Processor board ID FTX1223A3XK
2 Gigabit Ethernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO3825 FTX1223A3XK
Router 2 is as follows
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(2)T5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 18-Apr-12 12:05 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)
Yrk-2ndFL-2821 uptime is 1 day, 16 hours, 22 minutes
System returned to ROM by reload at 22:54:46 EDT Wed May 25 2016
System restarted at 22:57:24 EDT Wed May 25 2016
System image file is "flash:c2800nm-adventerprisek9-mz.151-2.T5.bin"
Last reload type: Normal Reload
Cisco 2821 (revision 53.51) with 509952K/14336K bytes of memory.
Processor board ID FTX0945A1U5
2 Gigabit Ethernet interfaces
2 Serial interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO2821 FTX0945A1U5
Configuration register is 0x1
05-27-2016 12:28 PM
Excellent, do the simple option and change it to a 1:1 NAT. Especially if SIP is going to be involved.
I don't believe it will resolve the issue but it is good practice to run "gold star" software releases, and for this reason I would upgrade the 2821 to 15.1.4M10 as well.
05-27-2016 05:41 PM
I worked with another staff member and found that the route map / ACL used at Router 1 was causing the issue. Removed the ip any any and now inbound traffic is working.
I do not want to use 1:1, for I need several services across several servers tied to a single IP.
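To check the two access lists against the packet from the debug line, here is an IOS-style extended ACL evaluator written for this page (added example, not code from the thread or from Cisco). It transcribes NO-NAT from router 1 and DataCenterBound from router 2, evaluates them the way IOS does (top to bottom, first match wins, implicit deny at the end, wildcard-mask bits set to 1 meaning "don't care"), and shows that the server's DNS reply (s=172.16.70.19 d=166.170.31.227) hits the permit ip any any entry of NO-NAT, the ACL the overload NAT's route-map uses, while the same reply matches nothing in NO-NAT once that entry is removed, which is the change reported as the fix. It also shows where the reply lands in DataCenterBound, the ACL that steers it back into the tunnel for the symmetric return path the earlier reply asked about. The destination host comes from the debug line; the client port numbers and the LAN address are constructed for the example.

```python
"""IOS-style extended ACL evaluator (added example, not code from the
thread or from Cisco). ACL text is transcribed from the posts above;
the sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "domain": 53, "sip": 5060}  # names used in the ACLs


@dataclass(frozen=True)
class Packet:
    proto: str            # "ip", "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _match_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    net, wild = spec.split()
    n, w, a = (int(ipaddress.ip_address(x)) for x in (net, wild, addr))
    return (n & ~w) == (a & ~w)


def _take_addr(tok):
    """Consume one source/destination spec; return (spec, remaining tokens)."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return "host " + tok[1], tok[2:]
    return tok[0] + " " + tok[1], tok[2:]


def _take_port(tok):
    """Consume an optional 'eq <port>' qualifier."""
    if tok and tok[0] == "eq":
        port = PORT_NAMES[tok[1]] if tok[1] in PORT_NAMES else int(tok[1])
        return port, tok[2:]
    return None, tok


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (_match_addr(self.src, p.src) and _match_addr(self.dst, p.dst)):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        return self.dport is None or p.dport == self.dport


def parse_acl(text: str) -> List[Ace]:
    """Parse 'show ip access-lists' style lines; '(N matches)' counters are ignored."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split("(")[0].split()
        if not tok:
            continue
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, rest = _take_addr(tok[3:])
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, _ = _take_port(rest)
        aces.append(Ace(seq, action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match wins; the implicit deny reports seq None."""
    for ace in aces:
        if ace.matches(p):
            return ace.action, ace.seq
    return "deny", None


# Router 1: ACL referenced by route-map NoNat (overload NAT), as posted.
NO_NAT_ORIGINAL = """
1 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
2 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
3 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
100 permit ip any any (183353 matches)
"""
# The same ACL after the fix reported in the thread (line 100 removed).
NO_NAT_FIXED = "\n".join(NO_NAT_ORIGINAL.strip().splitlines()[:3])

# Router 2: ACL referenced by route-map DataCenterBound (PBR into the tunnel).
DATACENTER_BOUND = """
1 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
2 deny ip 172.16.0.0 0.0.255.255 10.0.3.0 0.0.0.255
3 deny ip 172.16.0.0 0.0.255.255 10.0.1.0 0.0.0.255
4 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
100 permit tcp host 172.16.70.19 eq www any
101 permit udp host 172.16.70.19 eq domain any
"""


def pbr_next_hop(p: Packet) -> Optional[str]:
    """route-map DataCenterBound: permit -> set ip next-hop 10.255.255.1."""
    action, _ = evaluate(parse_acl(DATACENTER_BOUND), p)
    return "10.255.255.1" if action == "permit" else None


# Constructed packets: destination host from the debug line, client ports assumed.
DNS_REPLY = Packet("udp", "172.16.70.19", "166.170.31.227", sport=53, dport=40123)
HTTP_REPLY = Packet("tcp", "172.16.70.19", "166.170.31.227", sport=80, dport=51234)
LAN_REPLY = Packet("udp", "172.16.70.19", "172.16.10.5", sport=53, dport=40124)

if __name__ == "__main__":
    for name, p in [("dns", DNS_REPLY), ("http", HTTP_REPLY), ("lan", LAN_REPLY)]:
        print(name, "NO-NAT orig:", evaluate(parse_acl(NO_NAT_ORIGINAL), p),
              "NO-NAT fixed:", evaluate(parse_acl(NO_NAT_FIXED), p),
              "PBR next-hop:", pbr_next_hop(p))
```

Run it as-is and the DNS reply reports ("permit", 100) against the posted NO-NAT and ("deny", None) against the trimmed one, while DataCenterBound returns the tunnel next-hop for both the DNS and HTTP replies and nothing for the LAN-bound packet, matching the deny on line 1 for 172.16/16 to 172.16/16. Feed it the other flows you care about before changing the ACL on a live router: with line 100 gone, anything not covered by a static entry no longer matches the route-map either, so check that every outbound flow you still expect to be translated by the overload rule has a matching permit.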
05-27-2016 12:29 PM
PS. Don't use NAT unless you have to. If you have to, then use 1:1 as your first choice. Only if you can't do 1:1 then use PAT (port-based NAT).