502 Views, 0 Helpful, 3 Replies

PLEASE HELP I'm totally stuck - PAT interferes with L3 tunnel but not L2 tunnel - 2921

On 2921s, PAT is used to map the outside address (port 8080) to an inside Apache Web server (port 80). Unfortunately, the PAT prevents access to Apache (port 80) using the inside address over an L3 tunnel. The L3 remote endpoint is the same outside address used by the PAT.

 

But the PAT does not interfere with an L2 tunnel.

 

Does anyone have a solution for preventing the PAT from interfering with the L3 tunnel?

[image: L2_L3_PAT_cropped.png]

Here are the configurations:

------------============REMOTESW175=============------------------
remnotesw175#
!
hostname remnotesw175
!
interface FastEthernet0/1
description trunk_to_remotertr175
switchport trunk allowed vlan 1,77,175
switchport mode trunk
!
interface FastEthernet0/2
description PC_vlan175_WWW
switchport access vlan 175
switchport mode access
!
interface FastEthernet0/8
description L2TP_vlan77_WWW
switchport access vlan 77
switchport mode access
!
interface Vlan77
ip address 10.10.77.1 255.255.255.0
no ip route-cache
!
interface Vlan175
ip address 192.168.175.2 255.255.255.0
no ip route-cache
!
end
remnotesw175#
------------============REMOTERTR175=============------------------
remotertr175#
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.175.1 192.168.175.2
ip dhcp excluded-address 192.168.175.64 192.168.175.255
!
ip dhcp pool DHCPPOOL
network 192.168.175.0 255.255.255.0
dns-server 192.168.168.200 192.168.168.1
default-router 192.168.175.1
lease 0 2
!
l2tp-class TOM_2_REMOTERTR2_PW
digest secret 7 09414405170003 hash SHA1
!
pseudowire-class TOM_2_REMOTERTR
encapsulation l2tpv3
protocol l2tpv3 TOM_2_REMOTERTR2_PW
ip local interface GigabitEthernet0/0
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 192.168.168.236
crypto isakmp key firewallcx address 192.168.168.237
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 76 ipsec-isakmp
set peer 192.168.168.236
set transform-set TS
match address VPN_TRAFFIC_176
crypto map CMAP 77 ipsec-isakmp
set peer 192.168.168.237
set transform-set TS
match address VPN_TRAFFIC_177
!
interface GigabitEthernet0/0
description OUTSIDE
ip address 192.168.168.235 255.255.255.0
ip nat enable
ip virtual-reassembly in
crypto map CMAP
!
interface GigabitEthernet0/1
description INSIDE
no ip address
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.77
description L2_to_RTR2
encapsulation dot1Q 77
xconnect 192.168.168.237 1001 encapsulation l2tpv3 pw-class TOM_2_REMOTERTR
!
interface GigabitEthernet0/1.175
description INSIDE_175
encapsulation dot1Q 175
ip address 192.168.175.1 255.255.255.0
ip nat enable
!
ip nat source list 175 interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.175.66 80 interface GigabitEthernet0/0 8080
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.168.1
ip route 10.10.77.0 255.255.255.0 192.168.168.237
ip route 192.168.176.0 255.255.255.0 192.168.168.236
ip route 192.168.177.0 255.255.255.0 192.168.168.237
!
ip access-list extended VPN_TRAFFIC_176
permit tcp 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
ip access-list extended VPN_TRAFFIC_177
permit tcp 192.168.175.0 0.0.0.255 192.168.177.0 0.0.0.255
permit ip 192.168.175.0 0.0.0.255 192.168.177.0 0.0.0.255
!
access-list 175 remark -=[Define NAT Service]=-
access-list 175 deny ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
access-list 175 permit ip 192.168.175.0 0.0.0.255 any
!
end
remotertr175#
------------============REMOTESW177=============------------------
remotesw177#
!
hostname remotesw177
!
interface FastEthernet0/1
description trunk_to_remotertr177
switchport trunk allowed vlan 1,77,177
switchport mode trunk
!
interface FastEthernet0/2
description PC_vlan_177_WWW
switchport access vlan 177
switchport mode access
!
interface FastEthernet0/8
description L2TP_vlan77
switchport access vlan 77
switchport mode access
!
interface Vlan77
ip address 10.10.77.2 255.255.255.0
no ip route-cache
!
interface Vlan177
ip address 10.10.177.2 255.255.255.0
no ip route-cache
!
remotesw177#
------------============REMOTERTR177=============------------------
remotertr177#
!
hostname remotertr177
!
ip dhcp excluded-address 192.168.177.1 192.168.177.2
ip dhcp excluded-address 192.168.177.64 192.168.177.255
!
ip dhcp pool DHCPPOOL
network 192.168.177.0 255.255.255.0
dns-server 192.168.168.200 192.168.168.1
default-router 192.168.177.1
lease 0 2
!
l2tp-class TOM_2_LOCALRTR_PW
digest secret 7 011E0C08550E12 hash SHA1
!
pseudowire-class TOM_2_LOCALRTR
encapsulation l2tpv3
protocol l2tpv3 TOM_2_LOCALRTR_PW
ip local interface GigabitEthernet0/0
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 192.168.168.235
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.168.235
set transform-set TS
match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
description OUTSIDE
ip address 192.168.168.237 255.255.255.0
ip virtual-reassembly in
crypto map CMAP
!
interface GigabitEthernet0/1
description INSIDE
no ip address
ip virtual-reassembly in
!
interface GigabitEthernet0/1.77
description L2_to_RTR2
encapsulation dot1Q 77
xconnect 192.168.168.235 1001 encapsulation l2tpv3 pw-class TOM_2_LOCALRTR
!
interface GigabitEthernet0/1.177
description INSIDE_177
encapsulation dot1Q 177
ip address 192.168.177.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.168.1
ip route 10.10.77.0 255.255.255.0 192.168.168.235
ip route 192.168.175.0 255.255.255.0 192.168.168.235
!
ip access-list extended VPN_TRAFFIC
permit tcp 192.168.177.0 0.0.0.255 192.168.175.0 0.0.0.255
permit ip 192.168.177.0 0.0.0.255 192.168.175.0 0.0.0.255
!
end
remotertr177#

------------============REMOTESW176=============------------------
remotesw176#
!
hostname remotesw176
!
interface FastEthernet0/1
description trunk_to_remotertr176
switchport trunk allowed vlan 1,77,176
switchport mode trunk
!
interface FastEthernet0/2
description PC_vlan_176
switchport access vlan 176
switchport mode access
!
interface Vlan176
ip address 192.168.176.2 255.255.255.0
!
end
remotesw176#

------------============REMOTERTR176=============------------------
remotertr176#
!
hostname remotertr176
!
ip dhcp excluded-address 192.168.176.1 192.168.176.2
ip dhcp excluded-address 192.168.176.64 192.168.176.255
!
ip dhcp pool DHCPPOOL
network 192.168.176.0 255.255.255.0
dns-server 192.168.168.200 192.168.168.1
default-router 192.168.176.1
lease 0 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key firewallcx address 192.168.168.235
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.168.235
set transform-set TS
match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
description OUTSIDE
ip address 192.168.168.236 255.255.255.0
ip virtual-reassembly in
crypto map CMAP
!
interface GigabitEthernet0/1
description INSIDE
no ip address
ip virtual-reassembly in
!
interface GigabitEthernet0/1.176
description INSIDE_176
encapsulation dot1Q 176
ip address 192.168.176.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.168.1
ip route 192.168.175.0 255.255.255.0 192.168.168.235
!
ip access-list extended VPN_TRAFFIC
permit tcp 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
!
end
remotertr176#
------------====================================------------------
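An added example, not part of the post: a small Python model of the IOS inside-to-outside order of operations, in which NAT is applied before the crypto map ACL is evaluated. It replays the SYN-ACK that the tcpdump later in this thread shows Apache sending (192.168.175.66:80 to 192.168.177.7) through a model of remotertr175's NAT rules and crypto map. Addresses, ACLs and peers are taken from the configuration above; the NAT-exemption ACL NONAT_VPN used on the static PAT and the dynamic list, the ephemeral port 40000 and the Internet client 203.0.113.10 are assumptions of the model and are marked ASSUMED in the code.

```python
"""Added example (not from the post): a model of the IOS inside-to-outside order of
operations, in which NAT is applied before the crypto map ACL is evaluated.
Addresses, ACLs and peers mirror remotertr175; anything marked ASSUMED is not from the post."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip" or "tcp"; ports are ignored in this model
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _net(tokens):
    """Consume one IOS address spec from the token list: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0))))
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)

def parse_acl(text):
    """Parse numbered or named extended-ACL lines; remarks, headers, ports and 'log' are skipped."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "access-list":   # numbered form: access-list 175 permit ...
            tokens = tokens[2:]
        if not tokens or tokens[0] in ("!", "remark", "ip"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _net(rest)
        dst = _net(rest)
        acl.append(Ace(action, proto, src, dst))
    return acl

def acl_permits(acl, pkt):
    """IOS semantics: the first matching entry decides; implicit deny at the end."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in acl:
        if ace.proto in ("ip", pkt.proto) and src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False

OUTSIDE = "192.168.168.235"       # Gi0/0 on remotertr175
WEB_SERVER = "192.168.175.66"     # inside Apache host
EPHEMERAL_PORT = 40000            # ASSUMED: whatever free port the overload NAT picks
CRYPTO_MAP = [                    # (peer, 'match address' ACL) from crypto map CMAP
    ("192.168.168.236", parse_acl("permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255")),
    ("192.168.168.237", parse_acl("permit ip 192.168.175.0 0.0.0.255 192.168.177.0 0.0.0.255")),
]
ACL_175_POSTED = parse_acl("""
access-list 175 remark -=[Define NAT Service]=-
access-list 175 deny ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
access-list 175 permit ip 192.168.175.0 0.0.0.255 any
""")
NONAT_VPN = parse_acl("""
deny ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.177.0 0.0.0.255
permit ip 192.168.175.0 0.0.0.255 any
""")                              # ASSUMED: exempt both VPN destinations, NAT the rest

def router_egress(pkt, static_pat_acl=None, dynamic_acl=ACL_175_POSTED):
    """Inside-to-outside on remotertr175: static PAT, then overload NAT, then crypto map.
    Returns the packet as it leaves Gi0/0 and the IPsec peer it goes to (None = cleartext)."""
    translated = False
    # 1. ip nat source static tcp 192.168.175.66 80 interface Gi0/0 8080, optionally
    #    conditioned by a route-map ACL (static_pat_acl); unconditional when None.
    if (pkt.proto, pkt.src, pkt.sport) == ("tcp", WEB_SERVER, 80) and (
            static_pat_acl is None or acl_permits(static_pat_acl, pkt)):
        pkt, translated = Packet(pkt.proto, OUTSIDE, 8080, pkt.dst, pkt.dport), True
    # 2. ip nat source list 175 interface Gi0/0 overload
    if not translated and acl_permits(dynamic_acl, pkt):
        pkt = Packet(pkt.proto, OUTSIDE, EPHEMERAL_PORT, pkt.dst, pkt.dport)
    # 3. the crypto map sees the packet AFTER translation
    for peer, acl in CRYPTO_MAP:
        if acl_permits(acl, pkt):
            return pkt, peer
    return pkt, None

SYN_ACK = Packet("tcp", WEB_SERVER, 80, "192.168.177.7", 49262)      # from the tcpdump in the post
INTERNET_REPLY = Packet("tcp", WEB_SERVER, 80, "203.0.113.10", 5555)  # ASSUMED Internet client

def run_scenarios():
    """Replay the web server's SYN-ACK and an Internet reply through the two NAT policies."""
    return {
        "as posted": router_egress(SYN_ACK),
        "VPN exempt": router_egress(SYN_ACK, static_pat_acl=NONAT_VPN, dynamic_acl=NONAT_VPN),
        "Internet reply": router_egress(INTERNET_REPLY, static_pat_acl=NONAT_VPN, dynamic_acl=NONAT_VPN),
    }
```

With the static PAT unconditional, the model translates the SYN-ACK's source to 192.168.168.235:8080 before the crypto map is consulted, so it no longer matches VPN_TRAFFIC_177 and is forwarded toward 192.168.177.7 outside the tunnel, consistent with the unconditional :8080 entry in the translation table shown in the first reply. Exempting the VPN destinations from every NAT rule that can match the server's traffic keeps the packet untranslated, so it matches the crypto ACL and goes to peer 192.168.168.237, while replies to Internet clients are still published on port 8080. Note that access-list 175 as posted exempts only 192.168.176.0/24; the model exempts 192.168.177.0/24 as well, which is an assumption, not something the post establishes.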

3 Replies

HTTP requests to normal port 80 get to the inside web server but can't get back. On the inside web server, packets for 192.168.175.66.HTTP -> 192.168.177.7.60319 don't get through until I remove ((( ip nat source static tcp 192.168.175.66 80 interface GigabitEthernet0/0 8080 ))); ping works. I'm trying to get route-map to work.

I had to add ip nat inside to get the route-map parameter to show up. So I managed to get this command entered:

!
interface GigabitEthernet0/1.175
 encapsulation dot1Q 175
 ip address 192.168.175.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
!

ip nat inside source static 192.168.175.66 192.168.177.7 route-map RMAP8080 extendable
route-map RMAP8080 permit 10
  match ip address ACLMAP8080

ip access-list extended ACLMAP8080
 permit tcp host 192.168.175.66 192.168.177.0 0.0.0.255 log
 permit ip any any log

 

Same results?

  ((( ip nat source static tcp 192.168.175.66 80 interface GigabitEthernet0/0 8080 ))) still works.

  Normal WWW port 80 to the Web Server over the L3 tunnel fails.

 

What can I do?  I know that this is garbage because:

remotertr175#sh ip nat translations
Pro  Inside global          Inside local        Outside local  Outside global
tcp  192.168.168.235:8080   192.168.175.66:80   ---            ---
---  192.168.177.7          192.168.175.66      ---            ---
remotertr175#

I've tried to get the L3 IPsec tunnel to access the web server on port 80, but the PAT 8080->80 interfered with it and I can't find a solution. I tried route-maps and ip access-list extended nonat-vpn, but to no avail:
https://community.cisco.com/t5/networking-documents/vpn-and-static-nat-problem/ta-p/3371030

If anyone has an idea I would really appreciate it... --

    The remote end of the L2 tunnel can get to Apache from the external PAT address ((( http://192.168.175.66:8080 )))

This is the client side browser retrying to get the Apache web page.  Note that ping is good.

[image: Client_Side_L2_tunnel.jpg]

Here is a tcpdump from the Apache server side. It is receiving HTTP requests, but the response is not getting back to the client.

[root@apache apacheuser]# tcpdump -i enp0s3 | grep 192.168.177
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
13:21:20.485543 IP 192.168.177.7.49262 > apache.myco.com.http: Flags [S], seq 4019597232, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:21:20.485616 IP apache.myco.com.http > 192.168.177.7.49262: Flags [S.], seq 998174661, ack 4019597233, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:20.742844 IP 192.168.177.7.49263 > apache.myco.com.http: Flags [S], seq 4249830960, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:21:20.743000 IP apache.myco.com.http > 192.168.177.7.49263: Flags [S.], seq 190825917, ack 4249830961, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:21.893806 IP apache.myco.com.http > 192.168.177.7.49262: Flags [S.], seq 998174661, ack 4019597233, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:22.094141 IP apache.myco.com.http > 192.168.177.7.49263: Flags [S.], seq 190825917, ack 4249830961, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:23.487463 IP 192.168.177.7.49262 > apache.myco.com.http: Flags [S], seq 4019597232, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:21:23.487516 IP apache.myco.com.http > 192.168.177.7.49262: Flags [S.], seq 998174661, ack 4019597233, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:23.752791 IP 192.168.177.7.49263 > apache.myco.com.http: Flags [S], seq 4249830960, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
13:21:23.752910 IP apache.myco.com.http > 192.168.177.7.49263: Flags [S.], seq 190825917, ack 4249830961, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:25.904371 IP apache.myco.com.http > 192.168.177.7.49262: Flags [S.], seq 998174661, ack 4019597233, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:26.104386 IP apache.myco.com.http > 192.168.177.7.49263: Flags [S.], seq 190825917, ack 4249830961, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:29.493642 IP 192.168.177.7.49262 > apache.myco.com.http: Flags [S], seq 4019597232, win 8192, options [mss 1460,nop,nop,sackOK], length 0
13:21:29.493710 IP apache.myco.com.http > 192.168.177.7.49262: Flags [S.], seq 998174661, ack 4019597233, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:29.758842 IP 192.168.177.7.49263 > apache.myco.com.http: Flags [S], seq 4249830960, win 8192, options [mss 1460,nop,nop,sackOK], length 0
13:21:29.758993 IP apache.myco.com.http > 192.168.177.7.49263: Flags [S.], seq 190825917, ack 4249830961, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:33.795827 IP apache.myco.com.http > 192.168.177.7.49263: Flags [S.], seq 190825917, ack 4249830961, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:33.997519 IP apache.myco.com.http > 192.168.177.7.49262: Flags [S.], seq 998174661, ack 4019597233, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
13:21:41.894892 IP apache.myco.com.http > 192.168.177.7.49263: Flags [S.], seq 190825917, ack 4249830961, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

 

Do two ASA 5520s have this same issue? Does an outside,inside PAT interfere with L2 tunnels accessing the same address and port number?
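The capture in the reply above, as an added example that is not part of the post: a Python pass over tcpdump text output that picks out handshakes the server answers with SYN-ACK but never completes, which is the pattern in that capture, where Apache keeps retransmitting SYN-ACK to 192.168.177.7 and never sees the client's ACK. The sample lines are abridged from the posted capture (TCP options dropped); the handshake from 192.168.175.9 is constructed to show the healthy case and is not in the post.

```python
"""Added example (not from the post): spot TCP handshakes that a server answers with
SYN-ACK but never completes, from tcpdump text output. The capture lines are abridged
from the post; the 192.168.175.9 handshake is constructed for contrast."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Default tcpdump line format: "HH:MM:SS.us IP host.port > host.port: Flags [..], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)

@dataclass
class Flow:                 # keyed (client, client port, server, server port)
    syn: int = 0            # SYNs from the client, retries included
    synack: int = 0         # SYN-ACKs from the server, retransmissions included
    client_acks: int = 0    # later segments from the client: the handshake completed
    first_ts: str = ""
    last_ts: str = ""

def parse_tcpdump(text):
    flows = defaultdict(Flow)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                            # banner, ARP, ICMP, ...
        g = m.groupdict()
        flags = g["flags"]
        forward = (g["src"], g["sport"], g["dst"], g["dport"])
        if "S" in flags and "." not in flags:   # SYN: client -> server
            key, field = forward, "syn"
        elif "S" in flags:                      # SYN-ACK: server -> client, so swap ends
            key, field = (g["dst"], g["dport"], g["src"], g["sport"]), "synack"
        elif "R" not in flags and forward in flows:   # ACK/data from the client side
            key, field = forward, "client_acks"
        else:
            continue                            # server-side data, RST, unknown flow
        f = flows[key]
        setattr(f, field, getattr(f, field) + 1)
        f.first_ts = f.first_ts or g["ts"]
        f.last_ts = g["ts"]
    return dict(flows)

def diagnose(flows):
    """'half-open': the server replied (and kept retransmitting) but the client's ACK never arrived."""
    report = {}
    for key, f in flows.items():
        if f.client_acks:
            report[key] = "established"
        elif f.synack:
            report[key] = "half-open"
        else:
            report[key] = "unanswered"          # SYN seen, server never replied
    return report

def suspect_clients(report):
    """Clients whose every flow is half-open: the path back to them, not the server, is suspect."""
    verdicts = defaultdict(set)
    for (client, _, _, _), verdict in report.items():
        verdicts[client].add(verdict)
    return {c for c, v in verdicts.items() if v == {"half-open"}}

SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
13:21:20.485543 IP 192.168.177.7.49262 > apache.myco.com.http: Flags [S], seq 4019597232, win 8192, length 0
13:21:20.485616 IP apache.myco.com.http > 192.168.177.7.49262: Flags [S.], seq 998174661, ack 4019597233, win 29200, length 0
13:21:20.742844 IP 192.168.177.7.49263 > apache.myco.com.http: Flags [S], seq 4249830960, win 8192, length 0
13:21:20.743000 IP apache.myco.com.http > 192.168.177.7.49263: Flags [S.], seq 190825917, ack 4249830961, win 29200, length 0
13:21:21.893806 IP apache.myco.com.http > 192.168.177.7.49262: Flags [S.], seq 998174661, ack 4019597233, win 29200, length 0
13:21:22.094141 IP apache.myco.com.http > 192.168.177.7.49263: Flags [S.], seq 190825917, ack 4249830961, win 29200, length 0
13:21:23.487463 IP 192.168.177.7.49262 > apache.myco.com.http: Flags [S], seq 4019597232, win 8192, length 0
13:21:23.487516 IP apache.myco.com.http > 192.168.177.7.49262: Flags [S.], seq 998174661, ack 4019597233, win 29200, length 0
13:21:30.000000 IP 192.168.175.9.50000 > apache.myco.com.http: Flags [S], seq 1, win 8192, length 0
13:21:30.000100 IP apache.myco.com.http > 192.168.175.9.50000: Flags [S.], seq 2, ack 2, win 29200, length 0
13:21:30.000200 IP 192.168.175.9.50000 > apache.myco.com.http: Flags [.], ack 3, win 2048, length 0
"""  # last three lines: constructed healthy handshake, not in the post's capture

if __name__ == "__main__":
    report = diagnose(parse_tcpdump(SAMPLE))
    for (c, cp, s, sp), verdict in report.items():
        print(f"{c}:{cp} -> {s}:{sp}  {verdict}")
    print("suspect clients:", sorted(suspect_clients(report)))
```

Half-open flows that all come from one client, while ping to that client works, point at the return path rather than at Apache: the SYN gets in, the SYN-ACK leaves the server, and something between the server and the client keeps it from arriving, which is what removing the static PAT in the first reply confirms. Running the same pass over a capture taken on the router's outside interface or at the far end of the tunnel shows where the reply is lost and whether it leaves the router inside the tunnel at all.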
