03-08-2021 12:46 AM
Hey there! We want to create an IPsec tunnel between our office
and one of our partners and here is the topology:
OurServer<---->OurRouter<---->Internet<---->TheirRouter<---->TheirServer
-------------------------------------
Partner_Router_public_IP: 1.1.1.1
Our_Router_Public_IP: 2.2.2.2
Partner_Server: 3.3.3.3
our_server: 192.168.1.10
tunnel_OurSide: 192.168.20.2
tunnel_TheirSide: 192.168.20.1
--------------------------------------
The problem is I cannot ping the partner server from our server while I am connected to the internet using this
nat:
ip nat inside source list 1 interface GigabitEthernet0/2 overload
Once I remove the above line I lose internet connection from our server but I can ping
the partner server.
Can you please tell me how to write my nat setting?
--------------------------------
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname office-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 ******************
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip domain name office.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
username admin password 7 **************
!
redundancy
!
!
crypto isakmp policy 370
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 1.1.1.1 (Partner public IP)
!
!
crypto ipsec transform-set office-TS esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile office-PF
set transform-set office-TS
!
!
!
interface Tunnel4170
description connect to post
ip address 192.168.20.2 255.255.255.0 (Tunnel IP Ourside)
ip nat outside
ip virtual-reassembly in
tunnel source 2.2.2.2 (Our public IP)
tunnel destination 1.1.1.1 (Partner public IP)
tunnel protection ipsec profile office-PF
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0 (Our Lan IP address)
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 2.2.2.2 255.255.255.0 (Our wan interface public ip address)
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/3/0
no ip address
!
interface GigabitEthernet0/3/1
no ip address
!
interface GigabitEthernet0/3/2
no ip address
!
interface GigabitEthernet0/3/3
no ip address
!
interface Vlan1
no ip address
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list PARTER-NAT interface Tunnel4170 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.1 (Our ISP Router)
ip route 3.3.3.3 255.255.255.255 192.168.20.1 name POST (3.3.3.3 partner-server 192.168.20.1 tunnel ip partner side)
!
ip access-list extended PARTER-NAT
permit ip host 192.168.1.10 host 3.3.3.3 (192.168.1.10 our lan server 3.3.3.3 partnerserver)
permit ip any host 3.3.3.3 (partner-server)
permit ip 192.168.1.0 0.0.0.255 any (Our lan)
!
access-list 1 permit 192.168.1.0 0.0.0.255 (our lan)
!
control-plane
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 ********
login local
transport input ssh
!
scheduler allocate 20000 1000
end
--------------------------------------
03-08-2021 01:09 AM
Hello,
make the changes/additions marked in bold:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname office-router
!
boot-start-marker
boot-end-marker
!
enable secret 4 ******************
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name office.com
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
username admin password 7 **************
!
redundancy
!
crypto isakmp policy 370
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 1.1.1.1 (Partner public IP)
!
crypto ipsec transform-set office-TS esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile office-PF
set transform-set office-TS
!
interface Tunnel4170
description connect to post
ip address 192.168.20.2 255.255.255.0 (Tunnel IP Ourside)
--> no ip nat outside
ip virtual-reassembly in
tunnel source 2.2.2.2 (Our public IP)
tunnel destination 1.1.1.1 (Partner public IP)
tunnel protection ipsec profile office-PF
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0 (Our Lan IP address)
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 2.2.2.2 255.255.255.0 (Our wan interface public ip address)
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/3/0
no ip address
!
interface GigabitEthernet0/3/1
no ip address
!
interface GigabitEthernet0/3/2
no ip address
!
interface GigabitEthernet0/3/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
--> no ip nat inside source list PARTER-NAT interface Tunnel4170 overload
--> ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.1 (Our ISP Router)
--> ip route 3.3.3.3 255.255.255.255 Tunnel4170
!
--> no ip access-list extended PARTER-NAT
permit ip host 192.168.1.10 host 3.3.3.3 (192.168.1.10 our lan server 3.3.3.3 partnerserver)
permit ip any host 3.3.3.3 (partner-server)
permit ip 192.168.1.0 0.0.0.255 any (Our lan)
!
access-list 1 permit 192.168.1.0 0.0.0.255 (our lan)
!
control-plane
!
line con 0
logging synchronous
login local
!
line aux 0
!
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
!
line vty 0 4
password 7 ********
login local
transport input ssh
!
scheduler allocate 20000 1000
end
04-05-2021 04:10 AM
Hi there. First of all, I'm really sorry I was not available for days due to the covid-19 lockdown in my country. I have done your setup
but it didn't work, as you can see in my config after your setup below:
Building configuration...
Current configuration : 3021 bytes
!
! Last configuration change at 08:41:56 UTC Mon Apr 5 2021 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname axon-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 *************
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name office.com
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
username admin password 7 **********
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 370
encr 3des
authentication pre-share
group 2
crypto isakmp key ****** address 1.1.1.1 (Partner public IP)
!
!
crypto ipsec transform-set office-TS esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile office-PF
set transform-set office-TS
!
!
!
!
!
!
interface Tunnel4170
description connect to post
ip address 192.168.20.2 255.255.255.0 (Tunnel IP Ourside)
ip virtual-reassembly in
tunnel source 2.2.2.2 (Our public IP)
tunnel destination 1.1.1.1 (Partner public IP)
tunnel protection ipsec profile office-PF
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 2.2.2.2 255.255.255.0 (Our wan interface public ip address)
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/3/0
no ip address
!
interface GigabitEthernet0/3/1
no ip address
!
interface GigabitEthernet0/3/2
no ip address
!
interface GigabitEthernet0/3/3
no ip address
!
interface Vlan1
no ip address
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.1 (Our ISP Router)
ip route 3.3.3.3 255.255.255.255 Tunnel4170
!
access-list 1 permit 192.168.1.0 0.0.0.255 (our lan)
!
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 ************
login local
transport input ssh
!
scheduler allocate 20000 1000
end
04-05-2021 04:21 AM
Hello,
the configuration looks correct. What seems a bit odd is that you only want IP address 3.3.3.3/32 to be reachable through the tunnel. Usually, LAN to LAN traffic would be encrypted. What traffic is being matched on the other (the Partner) side, which source and destination traffic are they encrypting?
03-08-2021 02:13 AM
You need to remove the NAT for the destination, as example:
ip access-list extended Test-NAT
deny ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 any
172.16.10.0/24 LAN IP address
10.10.10.0/24 - remote IP address
i
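To make the NAT-exemption idea in this post (and the "no NAT on the tunnel" advice later in the thread) concrete, here is an added Python model of IOS-style first-match ACL evaluation with wildcard masks; it is example code written for this thread, not Cisco's or any poster's, and it only models `permit|deny ip <src> <dst>` entries (interface-level `ip nat outside` is outside its scope). The exempt ACL below is constructed for the thread's addresses following the Test-NAT pattern above.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_address(tokens):
    """Consume one address spec: 'any', 'host X', or 'NETWORK WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' into (action, src, dst)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, rest = _take_address(tokens[2:])
    dst, rest = _take_address(rest)
    return action, src, dst

def nat_applies(acl, src, dst):
    """First matching entry wins; a flow that matches no entry hits the implicit
    deny and is forwarded untranslated, which is what a VPN exemption relies on."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

# The thread's access-list 1, written as an extended entry (a standard ACL only tests the source).
ORIGINAL_NAT_ACL = ["permit ip 192.168.1.0 0.0.0.255 any"]
# Constructed exemption for the thread's addresses: deny VPN-bound traffic before the permit.
EXEMPT_NAT_ACL = ["deny ip 192.168.1.0 0.0.0.255 host 3.3.3.3",
                  "permit ip 192.168.1.0 0.0.0.255 any"]
# The Test-NAT example exactly as posted above.
TEST_NAT_ACL = ["deny ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255",
                "permit ip 172.16.10.0 0.0.0.255 any"]

if __name__ == "__main__":
    for name, acl in (("list 1", ORIGINAL_NAT_ACL), ("exempt", EXEMPT_NAT_ACL)):
        for dst in ("3.3.3.3", "8.8.8.8"):
            print(f"{name}: 192.168.1.10 -> {dst} translated={nat_applies(acl, '192.168.1.10', dst)}")
```

With list 1 the LAN-to-partner flow is translated to the WAN address before it enters the tunnel; with the deny entry in front it is left untranslated while ordinary internet traffic still gets NAT.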
03-08-2021 02:32 AM
Thanks for your help, but it did not solve the problem. From my router I can ping 3.3.3.3,
but from our LAN server (192.168.1.10) I still cannot ping 3.3.3.3.
I am a Linux system administrator and my knowledge about Cisco is very limited, so sorry about that.
03-08-2021 02:57 AM
Which post are you referring to, what did not solve the problem? Post the configuration again with the changes I suggested...
03-08-2021 02:58 AM
Can you post the complete config again after changing, so we know what is changed, and this time I will amend the configuration for you, so it is easy to paste since you mentioned you have little knowledge of Cisco.
03-08-2021 11:00 AM
I agree that it would be helpful to see a copy of the update/current running config. I would also ask for the output of show crypto ipsec sa from the router.
The original post tells us that they can ping the remote server from the router. I wonder if part of that is due to the fact that the remote server is shown with a public IP. If the router ping is sourced from its outside interface Public IP to a destination Public IP it is possible that the fact that it is successful may not really tell us anything about the state of the vpn tunnel. On the router if you attempt ping to the server and specify the ping source as 192.168.1.1 is the ping still successful?
03-08-2021 02:50 AM
Hello
Why NAT on the secure tunnel?
If you need to nat then I would say this would be applied on the wan interfaces for any traffic not requiring traversing the ipsec tunnel?
Example below - but obviously amend for both sites.
interface Tunnel4170
no ip nat outside
int x/x
description WAN
ip nat outside
no ip access-list extended PARTER-NAT
no access-list 1 permit
no ip nat inside source list PARTER-NAT interface Tunnel4170 overload
no ip route 3.3.3.3 255.255.255.255 192.168.20.1 name POST
ip route 3.3.3.3 255.255.255.255 tunnel 4170 192.168.20.1 name POST
ip access-list extended PARTER-NAT
permit ip 192.168.1.0 0.0.0.255 any
04-05-2021 04:12 AM
Thanks for the response, but the problem still exists. I am sorry.