
Problem with NAT on IPsec tunnel

Hey there! We want to create an IPsec tunnel between our office and one of our partners, and here is the topology:


OurServer<---->OurRouter<---->Internet<---->TheirRouter<---->TheirServer

-------------------------------------
Partner_Router_public_IP: 1.1.1.1
Our_Router_Public_IP: 2.2.2.2
Partner_Server: 3.3.3.3
our_server: 192.168.1.10
tunnel_OurSide: 192.168.20.2
tunnel_TheirSide: 192.168.20.1
--------------------------------------
The problem is I cannot ping the partner server from our server while I am connected to the internet using this NAT:
ip nat inside source list 1 interface GigabitEthernet0/2 overload

Once I remove the above line I lose the internet connection from our server, but I can ping the partner server.

Can you please tell me how to write my NAT settings?


--------------------------------
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname office-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 ******************
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip domain name office.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
username admin password 7 **************
!
redundancy
!
!
crypto isakmp policy 370
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 1.1.1.1 (Partner public IP)
!
!
crypto ipsec transform-set office-TS esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile office-PF
set transform-set office-TS
!
!
!
interface Tunnel4170
description connect to post
ip address 192.168.20.2 255.255.255.0 (Tunnel IP Ourside)
ip nat outside
ip virtual-reassembly in
tunnel source 2.2.2.2 (Our public IP)
tunnel destination 1.1.1.1 (Partner public IP)
tunnel protection ipsec profile office-PF
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0 (Our Lan IP address)
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 2.2.2.2 255.255.255.0 (Our wan interface public ip address)
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/3/0
no ip address
!
interface GigabitEthernet0/3/1
no ip address
!
interface GigabitEthernet0/3/2
no ip address
!
interface GigabitEthernet0/3/3
no ip address
!
interface Vlan1
no ip address
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!

ip nat inside source list PARTER-NAT interface Tunnel4170 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.1 (Our ISP Router)
ip route 3.3.3.3 255.255.255.255 192.168.20.1 name POST (3.3.3.3 partner-server 192.168.20.1 tunnel ip partner side)
!
ip access-list extended PARTER-NAT
permit ip host 192.168.1.10 host 3.3.3.3 (192.168.1.10 our lan server 3.3.3.3 partnerserver)
permit ip any host 3.3.3.3 (partner-server)
permit ip 192.168.1.0 0.0.0.255 any (Our lan)
!
access-list 1 permit 192.168.1.0 0.0.0.255 (our lan)
!
control-plane
!
line con 0
logging synchronous
login local

line aux 0

line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1

line vty 0 4
password 7 ********
login local
transport input ssh
!
scheduler allocate 20000 1000
end
--------------------------------------

10 Replies

Hello,

 

Make the changes/additions marked with --> below:

 

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname office-router
!
boot-start-marker
boot-end-marker
!
enable secret 4 ******************
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name office.com
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
username admin password 7 **************
!
redundancy
!
crypto isakmp policy 370
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 1.1.1.1 (Partner public IP)
!
crypto ipsec transform-set office-TS esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile office-PF
set transform-set office-TS
!
interface Tunnel4170
description connect to post
ip address 192.168.20.2 255.255.255.0 (Tunnel IP Ourside)
--> no ip nat outside
ip virtual-reassembly in
tunnel source 2.2.2.2 (Our public IP)
tunnel destination 1.1.1.1 (Partner public IP)
tunnel protection ipsec profile office-PF
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0 (Our Lan IP address)
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 2.2.2.2 255.255.255.0 (Our wan interface public ip address)
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/3/0
no ip address
!
interface GigabitEthernet0/3/1
no ip address
!
interface GigabitEthernet0/3/2
no ip address
!
interface GigabitEthernet0/3/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
--> no ip nat inside source list PARTER-NAT interface Tunnel4170 overload
--> ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.1 (Our ISP Router)
--> ip route 3.3.3.3 255.255.255.255 Tunnel4170
!
--> no ip access-list extended PARTER-NAT
permit ip host 192.168.1.10 host 3.3.3.3 (192.168.1.10 our lan server 3.3.3.3 partnerserver)
permit ip any host 3.3.3.3 (partner-server)
permit ip 192.168.1.0 0.0.0.255 any (Our lan)
!
access-list 1 permit 192.168.1.0 0.0.0.255 (our lan)
!
control-plane
!
line con 0
logging synchronous
login local
!
line aux 0
!
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
!
line vty 0 4
password 7 ********
login local
transport input ssh
!
scheduler allocate 20000 1000
end

Hi there. First of all, I'm really sorry I was not available for days due to the COVID-19 lockdown in my country. I have done your setup, but it didn't work, as you can see in my config after your setup below:

 

 

Building configuration...

Current configuration : 3021 bytes
!
! Last configuration change at 08:41:56 UTC Mon Apr 5 2021 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname axon-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 *************
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name office.com
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
username admin password 7 **********
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 370
encr 3des
authentication pre-share
group 2
crypto isakmp key ****** address 1.1.1.1 (Partner public IP)
!
!
crypto ipsec transform-set office-TS esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile office-PF
set transform-set office-TS
!
!
!
!
!
!
interface Tunnel4170
description connect to post
ip address 192.168.20.2 255.255.255.0 (Tunnel IP Ourside)
ip virtual-reassembly in
tunnel source 2.2.2.2 (Our public IP)
tunnel destination 1.1.1.1 (Partner public IP)
tunnel protection ipsec profile office-PF
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 2.2.2.2 255.255.255.0 (Our wan interface public ip address)
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/3/0
no ip address
!
interface GigabitEthernet0/3/1
no ip address
!
interface GigabitEthernet0/3/2
no ip address
!
interface GigabitEthernet0/3/3
no ip address
!
interface Vlan1
no ip address
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.1 (Our ISP Router)
ip route 3.3.3.3 255.255.255.255 Tunnel4170
!
access-list 1 permit 192.168.1.0 0.0.0.255 (our lan)
!
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 ************
login local
transport input ssh
!
scheduler allocate 20000 1000
end

Hello,

 

The configuration looks correct. What seems a bit odd is that you only want IP address 3.3.3.3/32 to be reachable through the tunnel. Usually, LAN to LAN traffic would be encrypted. What traffic is being matched on the other (the Partner) side, i.e. which source and destination traffic are they encrypting?

balaji.bandi
Hall of Fame

You need to remove the NAT for the destination, as in this example:

 

ip access-list extended Test-NAT
deny ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 any

 

172.16.10.0/24 - LAN IP address

10.10.10.0/24 - remote IP address

 


 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for your help, but it did not solve the problem. From my router I can ping 3.3.3.3, but from our LAN server (192.168.1.10) I still cannot ping 3.3.3.3.

 

I am a Linux system administrator and my knowledge about Cisco is very limited, so sorry about that.

Which post are you referring to, and what did not solve the problem? Post the configuration again with the changes I suggested...

Can you post the complete config again after changing it, so we know what has changed? This time I will amend the configuration for you so it is easy to paste, since you mentioned you have little knowledge of Cisco.

BB


I agree that it would be helpful to see a copy of the updated/current running config. I would also ask for the output of show crypto ipsec sa from the router.

 

The original post tells us that they can ping the remote server from the router. I wonder if part of that is due to the fact that the remote server is shown with a public IP. If the router ping is sourced from its outside interface Public IP to a destination Public IP it is possible that the fact that it is successful may not really tell us anything about the state of the vpn tunnel. On the router if you attempt ping to the server and specify the ping source as 192.168.1.1 is the ping still successful?

HTH

Rick

Hello
Why NAT on the secure tunnel?
If you need to NAT, then I would say this would be applied on the WAN interfaces for any traffic that does not need to traverse the IPsec tunnel.
Example below, but obviously amend for both sites.

interface Tunnel4170
no ip nat outside

int x/x
description WAN
ip nat outside

no ip access-list extended PARTER-NAT
no access-list 1 permit
no ip nat inside source list PARTER-NAT interface Tunnel4170 overload
no ip route 3.3.3.3 255.255.255.255 192.168.20.1 name POST

ip route 3.3.3.3 255.255.255.255 tunnel 4170 192.168.20.1 name POST

ip access-list extended PARTER-NAT
permit ip 192.168.1.0 0.0.0.255 any


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
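Both balaji.bandi's reply (a deny entry in the NAT ACL) and Paul's reply (no ip nat outside on the tunnel interface) rest on the same IOS behaviour: an inside-source translation only fires when a packet enters an ip nat inside interface, leaves an ip nat outside interface, and the NAT ACL permits it. The Python below is an added example written for this page, not configuration or code from the thread or from Cisco. It models that decision in simplified form (one NAT statement, first-match ACL with the implicit deny, no port handling, no routing, and no interaction between several ip nat inside source statements, all of which are left out by assumption) and runs the thread's own interface names and addresses through the original setup and through each suggested fix. The scenario with a single corrected NAT statement is constructed here to illustrate the replies, not copied from them.

```python
"""Simplified model of the Cisco IOS inside-source NAT decision discussed above.

Added example, not code or configuration from the thread or from Cisco. It
assumes only this much of IOS behaviour: a translation happens when a packet
enters an 'ip nat inside' interface, leaves an 'ip nat outside' interface, and
the ACL named by 'ip nat inside source list' permits it (first match wins,
implicit deny at the end). A 'deny' entry therefore exempts traffic from NAT.
Several NAT statements, ports/PAT details and routing are not modelled.
"""
import ipaddress
from dataclasses import dataclass


def _addr_int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def spec_matches(spec: str, addr: str) -> bool:
    """Match an IOS ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return _addr_int(spec.split()[1]) == _addr_int(addr)
    network, wildcard = spec.split()
    # In an IOS wildcard mask a 0 bit must match and a 1 bit is "don't care",
    # so the comparison mask is the bitwise inverse of the wildcard.
    mask = (~_addr_int(wildcard)) & 0xFFFFFFFF
    return (_addr_int(addr) & mask) == (_addr_int(network) & mask)


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # address spec, see spec_matches()
    dst: str


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if spec_matches(entry.src, src) and spec_matches(entry.dst, dst):
            return entry.action
    return "deny"


@dataclass
class NatRouter:
    inside: frozenset      # interfaces configured 'ip nat inside'
    outside: frozenset     # interfaces configured 'ip nat outside'
    addresses: dict        # interface -> its IPv4 address
    nat_acl: tuple         # ACL named by 'ip nat inside source list ...'
    overload_iface: str    # '... interface <name> overload'

    def egress_source(self, src: str, dst: str, ingress: str, egress: str) -> str:
        """Source address the packet carries when it leaves 'egress'."""
        crosses_boundary = ingress in self.inside and egress in self.outside
        if crosses_boundary and acl_lookup(self.nat_acl, src, dst) == "permit":
            return self.addresses[self.overload_iface]
        return src  # untranslated: the tunnel peer sees the real LAN address


# Addresses and interface names from the thread.
LAN_SERVER, PARTNER_SERVER, INTERNET_HOST = "192.168.1.10", "3.3.3.3", "8.8.8.8"
ADDRS = {"GigabitEthernet0/2": "2.2.2.2", "Tunnel4170": "192.168.20.2",
         "GigabitEthernet0/0": "192.168.1.1"}
LAN = "192.168.1.0 0.0.0.255"

# 1) The original post: tunnel marked 'ip nat outside', PARTER-NAT permits the
#    traffic, overload to the tunnel address. Tunnel-bound traffic is translated.
original = NatRouter(
    inside=frozenset({"GigabitEthernet0/0"}),
    outside=frozenset({"GigabitEthernet0/2", "Tunnel4170"}),
    addresses=ADDRS,
    nat_acl=(AclEntry("permit", "host 192.168.1.10", "host 3.3.3.3"),
             AclEntry("permit", "any", "host 3.3.3.3"),
             AclEntry("permit", LAN, "any")),
    overload_iface="Tunnel4170",
)

# 2) balaji.bandi's approach applied to this topology (constructed here): a deny
#    entry ahead of the permit exempts partner-bound traffic, the rest of the LAN
#    is still overloaded onto the WAN address.
exempt_by_acl = NatRouter(
    inside=frozenset({"GigabitEthernet0/0"}),
    outside=frozenset({"GigabitEthernet0/2", "Tunnel4170"}),
    addresses=ADDRS,
    nat_acl=(AclEntry("deny", LAN, "host 3.3.3.3"), AclEntry("permit", LAN, "any")),
    overload_iface="GigabitEthernet0/2",
)

# 3) Paul's approach: the tunnel is not an 'ip nat outside' interface, so nothing
#    routed into it crosses the NAT boundary, whatever the ACL says.
no_nat_on_tunnel = NatRouter(
    inside=frozenset({"GigabitEthernet0/0"}),
    outside=frozenset({"GigabitEthernet0/2"}),
    addresses=ADDRS,
    nat_acl=(AclEntry("permit", LAN, "any"),),
    overload_iface="GigabitEthernet0/2",
)


def scenario_results() -> dict:
    """(source seen by the partner via Tunnel4170, source seen on the internet via Gi0/2)."""
    out = {}
    for name, r in (("original", original), ("exempt_by_acl", exempt_by_acl),
                    ("no_nat_on_tunnel", no_nat_on_tunnel)):
        out[name] = (
            r.egress_source(LAN_SERVER, PARTNER_SERVER, "GigabitEthernet0/0", "Tunnel4170"),
            r.egress_source(LAN_SERVER, INTERNET_HOST, "GigabitEthernet0/0", "GigabitEthernet0/2"),
        )
    return out


if __name__ == "__main__":
    for name, (to_partner, to_internet) in scenario_results().items():
        print(f"{name:18s} partner sees {to_partner:14s} internet sees {to_internet}")
```

Under this model the original setup hands the partner a packet sourced from the tunnel address 192.168.20.2 instead of 192.168.1.10, and also stamps internet-bound traffic with that private address, which is consistent with the first post's observation that internet access broke once only the tunnel overload statement remained. Both fixes leave partner-bound traffic untranslated while internet traffic is still overloaded onto 2.2.2.2. The thread's original config carried two NAT statements at once; how IOS orders those is outside what this model claims to show.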

Thanks for the response, but the problem still exists. I am sorry.

 
