Packet loop during NAT

HQuest
Level 1

I have a router running IOS 15 on the public Internet which I want to remotely manage using a point-to-point IPSec tunnel. This tunnel was created just fine: I can log on to the router, I can reach the devices behind this router, and any access to devices behind this router works just fine. I can't, however, go back out to the public Internet while connected via this IPSec tunnel. My NAT configuration attempts so far have got me a little frustrated, with three crashinfo files created recently...

The Internet facing interface is set as ip unnumbered, with the valid, public IP address on a VLAN interface. The VLAN is part of a ZBW zone labeled LAN. The Internet interface is on the WAN zone. My IPSec tunnel gives me a 192.168.1.x/24 IP address on a Virtual-Access interface, configured on a VPN zone. As far as I can tell, there are no blocks caused by the ZBW. All these interfaces have an ip nat enable on them.

The NAT is pretty straightforward: one NAT pool with a single, valid IP address, and one overload entry for the tunnel IP range list to the NAT pool. I can see NAT translations in the NVI output, but the traffic doesn't really get out, or back to the virtual interface. According to the router, packets are looped.

gateway#sh int virtual-access 4
Virtual-Access4 is up, line protocol is up
Hardware is Virtual Access interface
Description: ** IPSec VPN **
Interface is unnumbered. Using address of Loopback1 (192.168.1.1)
MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x4, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 200.200.200.201, destination 199.199.199.199
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1430 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "vpn-ipsec-profile")
Last input 00:00:03, output never, output hang never
Last clearing of "show interface" counters 00:00:27
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
60 packets input, 3649 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
gateway#show policy-map type inspect zone-pair VPN-WAN sessions detail-debug

policy exists on zp VPN-WAN
Zone-pair: VPN-WAN

Service-policy inspect : VPN-WAN-POLICY

Class-map: allow-vpn-wan (match-all)
Match: access-group name allow-vpn-wan_acl

Inspect

Number of Established Sessions = 6
Established Sessions
Session 8B53B520 (192.168.1.241:56194)=>(8.8.4.4:53) dns:udp SIS_OPEN
Created 00:00:04, Last heard 00:00:03
Bytes sent (initiator:responder) [492:0]
Initiator->Responder Window size 0 Scale factor 0
Responder->Initiator Window size 0 Scale factor 0
Session 8B53FEA0 (192.168.1.241:61480)=>(8.8.4.4:53) dns:udp SIS_OPEN
Created 00:00:03, Last heard 00:00:02
Bytes sent (initiator:responder) [310:0]
Initiator->Responder Window size 0 Scale factor 0
Responder->Initiator Window size 0 Scale factor 0
Session 8B540920 (192.168.1.241:51652)=>(8.8.4.4:53) dns:udp SIS_OPEN
Created 00:00:02, Last heard 00:00:01
Bytes sent (initiator:responder) [382:0]
Initiator->Responder Window size 0 Scale factor 0
Responder->Initiator Window size 0 Scale factor 0
Session 8B544120 (192.168.1.241:64433)=>(8.8.4.4:53) dns:udp SIS_OPEN
Created 00:00:01, Last heard 00:00:00
Bytes sent (initiator:responder) [208:0]
Initiator->Responder Window size 0 Scale factor 0
Responder->Initiator Window size 0 Scale factor 0
Session 8B541020 (192.168.1.241:56194)=>(8.8.8.8:53) dns:udp SIS_OPEN
Created 00:00:01, Last heard 00:00:00
Bytes sent (initiator:responder) [492:0]
Initiator->Responder Window size 0 Scale factor 0
Responder->Initiator Window size 0 Scale factor 0
Session 8B53AE20 (192.168.1.241:61480)=>(8.8.8.8:53) dns:udp SIS_OPEN
Created 00:00:00, Last heard 00:00:00
Bytes sent (initiator:responder) [155:0]
Initiator->Responder Window size 0 Scale factor 0
Responder->Initiator Window size 0 Scale factor 0


Class-map: INTERNAL_DOMAIN_FILTER (match-any)
Match: protocol msnmsgr
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ymsgr
0 packets, 0 bytes
30 second rate 0 bps

Inspect

Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
gateway#show ip nat nvi translations
Pro Source global Source local Destin local Destin global
udp 200.200.200.200:51652 192.168.1.241:51652 8.8.4.4:53 8.8.4.4:53
udp 200.200.200.200:53474 192.168.1.241:53474 8.8.4.4:53 8.8.4.4:53
udp 200.200.200.200:53474 192.168.1.241:53474 8.8.8.8:53 8.8.8.8:53
udp 200.200.200.200:55029 192.168.1.241:55029 8.8.4.4:53 8.8.4.4:53
udp 200.200.200.200:55029 192.168.1.241:55029 8.8.8.8:53 8.8.8.8:53
udp 200.200.200.200:55503 192.168.1.241:55503 8.8.4.4:53 8.8.4.4:53
udp 200.200.200.200:55503 192.168.1.241:55503 8.8.8.8:53 8.8.8.8:53
udp 200.200.200.200:56194 192.168.1.241:56194 8.8.4.4:53 8.8.4.4:53
udp 200.200.200.200:56194 192.168.1.241:56194 8.8.8.8:53 8.8.8.8:53
udp 200.200.200.200:59885 192.168.1.241:59885 8.8.4.4:53 8.8.4.4:53
udp 200.200.200.200:59885 192.168.1.241:59885 8.8.8.8:53 8.8.8.8:53
udp 200.200.200.200:61480 192.168.1.241:61480 8.8.4.4:53 8.8.4.4:53
udp 200.200.200.200:61480 192.168.1.241:61480 8.8.8.8:53 8.8.8.8:53
udp 200.200.200.200:64433 192.168.1.241:64433 8.8.4.4:53 8.8.4.4:53
udp 200.200.200.200:64433 192.168.1.241:64433 8.8.8.8:53 8.8.8.8:53
udp 200.200.200.200:64603 192.168.1.241:64603 8.8.4.4:53 8.8.4.4:53
udp 200.200.200.200:64603 192.168.1.241:64603 8.8.8.8:53 8.8.8.8:53

Below is some of the output from the router console:

Mar 4 15:15:44: %CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=CLIENT_OR_NEM_PLUS Client_type=CISCO_SW_VPN_CLIENT User=XXX Group=XXX Client_public_addr=199.199.199.199 Server_public_addr=200.200.200.201 Assigned_client_addr=192.168.1.241
Mar 4 15:15:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
Mar 4 15:15:45: %IP-3-LOOPPAK: Looping packet detected and dropped -
src=8.8.4.4, dst=192.168.1.241, hl=20, tl=103, prot=17, sport=53, dport=51652
in=Virtual-Access4, nexthop=192.168.1.241, out=Virtual-Access4
options=none -Process= "IP Input", ipl= 0, pid= 144
-Traceback= 814D03DCz 81CA21B8z 81C7921Cz 81C79360z 81C79904z 81C7A260z 81C73514z 81C73934z 81C7A7D8z 81C72AE8z 81C72D68z 81C72FD4z 81C732F8z 8068B538z 80672834z

Configuration snippet following. Suggestions?

interface Loopback1
ip address 192.168.1.1 255.255.255.0
zone-member security VPN

interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
ip nat enable
zone-member security VPN
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn-ipsec-profile

interface GigabitEthernet 0/0
ip unnumbered Vlan999
ip nat enable
zone-member security WAN

interface Vlan999
ip address 200.200.200.201 255.255.255.240
ip nat enable
zone-member security LAN

object-group network vpn_remote_subnets
192.168.1.0 255.255.255.0

ip access-list extended nat-list
permit ip object-group vpn_remote_subnets any
deny ip any any

ip nat pool wan-ip-pool 200.200.200.200 200.200.200.200 netmask 255.255.255.240 ! single address for the NAT, netmask of the WAN interface
ip nat source list nat-list pool wan-ip-pool overload
6 Replies

Hello,

from the output:

src=8.8.4.4, dst=192.168.1.241, hl=20, tl=103, prot=17, sport=53, dport=51652
in=Virtual-Access4, nexthop=192.168.1.241, out=Virtual-Access4

it looks like the destination is the same as the next hop, which is probably what causes the loop. The source is the Google DNS server, which makes me wonder whether you can access a public website through its IP address?

Can you post the full config of your router?

Uhm, not really able to get the config in full. Any part in particular you are looking for?

Now, I have to mention that this used to work until the valid IP address was moved off the physical Gi0/0 interface to the VLAN interface. The NAT address was then tied to this interface with

ip nat source list nat-list interface Gi0/0 overload

However, now that it should go out using its own static, public address, it doesn't work anymore. But that made me think, "what if...", and I did change the NAT to

ip nat source list nat-list interface Vlan999 overload

and guess what, it "works". It goes out to the wild with the router's VLAN interface IP address and not with my desired IP address, but it works.

So maybe my follow-up question to my own question is: can't NAT be assigned to an unnumbered interface?

Hello,

without seeing the full configs of both sides of the SVTI tunnel, it remains guesswork why the NAT doesn't work on the unnumbered interface. Do you use static routing?

The tunnel is a basic EZVPN, with a pre-shared key on the router side and a road-warrior client on the other side, which can be a Cisco VPN client, an iOS device...

crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 14
crypto isakmp keepalive 90
crypto isakmp client configuration address-pool local vpn-ip-pool
!
crypto isakmp client configuration group XXX
key 6 ...
dns 200.200.200.201
domain XXX
pool vpn-ip-pool
include-local-lan
pfs
max-users 5
netmask 255.255.255.0
crypto isakmp profile vpn-isakmp-profile
match identity group XXX
client authentication list XXX
isakmp authorization list XXX
client configuration address initiate
client configuration address respond
keepalive 90 retry 2
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile vpn-ipsec-profile
set security-association idle-time 900
set transform-set ESP-3DES-SHA
set pfs group1
set isakmp-profile vpn-isakmp-profile
!
ip local pool vpn-ip-pool 192.168.1.241 192.168.1.245

The only static route is for the upstream provider, internally all routes are provided via OSPF.

Alexandre,

can you try and use 'traditional' NAT, with 'ip nat inside' and 'ip nat outside' commands instead of 'ip nat enable'? I wonder if the 'ip unnumbered' problem is related to the NAT Virtual Interface...

Well, yes, it works with traditional NAT, including the manual IP address assignment. Guess I did not research long enough, but it explains why it worked in other scenarios (with VRFs) but not in this scenario (without VRFs):

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html

Q. What is NAT NVI?

A. NVI stands for NAT Virtual Interface. It allows NAT to translate between two different VRFs. This solution should be used in lieu of Network Address Translation on a Stick.


Q. Should NAT NVI be used when NATting between an interface in global and an interface in a VRF?

A. Cisco recommends that you use legacy NAT for VRF to global NAT (ip nat inside/out) and between interfaces in the same VRF. NVI is used for NAT between different VRFs.

Anyway, back to the drawing board. I appreciate your time lending a fresh set of eyes.
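The legacy (domain-based) NAT form the thread ends on, written out as an added example rather than the poster's actual final configuration. It reuses the interface, pool and ACL names from the snippet in the original question and assumes Virtual-Template1 is the NAT inside side and the unnumbered GigabitEthernet0/0 the outside side; every 'ip nat enable' is dropped so that NVI and legacy NAT are not mixed on the same box.

```ios
! Added example: legacy NAT in place of the NVI ('ip nat enable') form.
! Assumes the interface, pool and ACL names from the original snippet.
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
 zone-member security VPN
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 ip nat inside
 zone-member security VPN
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn-ipsec-profile
!
interface GigabitEthernet0/0
 ip unnumbered Vlan999
 ip nat outside
 zone-member security WAN
!
interface Vlan999
 ip address 200.200.200.201 255.255.255.240
 zone-member security LAN
!
object-group network vpn_remote_subnets
 192.168.1.0 255.255.255.0
!
ip access-list extended nat-list
 permit ip object-group vpn_remote_subnets any
 deny ip any any
!
! Same single-address pool; the translation now belongs to the
! inside->outside domain instead of the NAT Virtual Interface.
ip nat pool wan-ip-pool 200.200.200.200 200.200.200.200 netmask 255.255.255.240
ip nat inside source list nat-list pool wan-ip-pool overload
```

With this form the translations show up under 'show ip nat translations' (no 'nvi' keyword), and the zone-based firewall zone pairs are unchanged.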
