Hello,
I have an 881W with configuration posted below along with IOS version. The site has a local Exchange server and also a LAN-to-LAN IPSec. Exchange's internal IP is statically NAT'd. Problem is that when that when a static NAT for Exchange is in place, Exchage is not accessible thru tunnel. Scenarios is as below:
- Exchange's internal IP: 10.50.80.21
- Exchange's NAT'd IP: 65.X.X.216
- IPSec interesting traffic: Local - 10.50.80.0/24, remote - 198.168.189.0/24
- Static NAT for Exchange in place: Excahgne server can be accessed over Internet. We can RDP in to the exchange's NAT's publuc IP, 65.X.X.216. But Exchange is no loger accessible thru tunnel. You cannot ping 198.168.189.1 from Excahnge server.
- Static NAT removed: Exchange server no longer is accessible over internet as expected. Ping from Exchagne to 192.168.189.1 are successful.
- Cisco 881 is running "c880data-universalk9-mz.152-1.T1.bin". The behavior was also seen on "c880data-universalk9-mz.150-1.M7.bin" IOS.
Please help.
Thanks,
Paresh
===================
boot-start-marker
boot system flash:c880data-universalk9-mz.152-1.T1.bin
boot-end-marker
!
!
logging buffered 50000 informational
!
no aaa new-model
memory-size iomem 10
clock timezone CT -6 0
clock summer-time CT recurring
crypto pki token default removal timeout 0
!
ip inspect max-incomplete high 20000000
ip inspect max-incomplete low 750
ip inspect one-minute low 750
ip inspect one-minute high 20000000
ip inspect tcp idle-time 14400
ip inspect tcp max-incomplete host 150 block-time 0
ip inspect name FIREWALL tcp timeout 7200
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL smtp
ip cef
no ipv6 cef
!
!
track 10 ip sla 10 reachability
delay down 30 up 10
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key *********** address 68.X.X.36 no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set rtpset esp-aes 256 esp-sha-hmac
!
!
!
crypto map rtpset 100 ipsec-isakmp
set peer 68.7X.X.36
set security-association lifetime seconds 28800
set transform-set rtpset
set pfs group5
match address IPSEC-LIST
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
shutdown
!
interface FastEthernet4
description PRIMARY WAN - CONNECTS TO PRIMARY CABLE
ip address 65.X.X.6 255.255.255.0
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
duplex auto
speed auto
crypto map rtpset
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
description CONNECTS LAN
ip address 10.50.80.250 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
!
interface Vlan2
description BACKUP WAN - CONNECTS TO BACKUP
ip address 166.X.X.168 255.255.255.0
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
shutdown
crypto map rtpset
!
ip local policy route-map BACKUP_RMAP_1
ip forward-protocol nd
!
ip nat inside source route-map BACKUP-NAT-MAP interface Vlan2 overload
ip nat inside static source 10.50.80.21 65.X.X.216
ip nat inside source route-map PRIMARY-NAT-MAP interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 65.X.X.1 track 10
ip route 0.0.0.0 0.0.0.0 166.X.X.254 250
!
ip access-list extended IPSEC-LIST
permit ip 10.50.80.0 0.0.0.255 192.168.189.0 0.0.0.255
ip access-list extended NAT-LIST
deny ip 10.50.80.0 0.0.0.255 192.168.189.0 0.0.0.255
permit ip 10.50.80.0 0.0.0.255 any
!
ip sla 10
icmp-echo 4.2.2.2 source-interface FastEthernet4
frequency 15
ip sla schedule 10 life forever start-time now
access-list 101 permit icmp any host 4.2.2.2 echo
no cdp run
!
!
!
!
route-map BACKUP-NAT-MAP permit 10
match ip address NAT-LIST
match interface Vlan2
!
route-map BACKUP_RMAP_1 permit 1
match ip address 101
set ip next-hop 65.X.X.1
set interface Null0
!
route-map PRIMARY-NAT-MAP permit 10
match ip address NAT-LIST
match interface FastEthernet4
!
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
================
boot-start-marker
boot system flash:c880data-universalk9-mz.152-1.T1.bin
boot-end-marker
!
!
logging buffered 50000 informational
!
no aaa new-model
memory-size iomem 10
clock timezone CT -6 0
clock summer-time CT recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-96086277
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-96086277
revocation-check none
rsakeypair TP-self-signed-96086277
!
!
crypto pki certificate chain TP-self-signed-96086277
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39363038 36323737 301E170D 31323032 30363231 30343430
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D393630 38363237
3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100DCCC
083B1A97 28662E10 AF6FAA0E FD69D34D 56FBC5B2 FB28D6B7 5462821E A061D114
5C3D8D33 9F916002 9993C8E8 8D97003D DC7C820C 55A31B6E DA29BFF9 D70A29A9
5EBF35E1 7196B218 2902EF8A 50B43C37 780A6AAC 2DF95F60 F69692F7 21EDCE7C
30665912 635A2649 7BE89D93 7CA3172D 83B6A549 3EEA9F64 A053D013 23B10203
010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 551D1104
1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 301F0603
551D2304 18301680 14BB894B 966D5376 84DF75AA C1A6AE06 604D0762 33301D06
03551D0E 04160414 BB894B96 6D537684 DF75AAC1 A6AE0660 4D076233 300D0609
2A864886 F70D0101 04050003 8181003D 3B97AB2E 52EB3B7F 4EB3D2ED 2C8EF9C2
DBBABAE2 8610B41D 9F53BDD3 50262F76 E86BE550 62A0084B 60E28D3C 25537531
D9188777 1F593FE9 E2F89C30 0D3216E2 C2A34C19 12998147 1F7AFE7D C9FACD66
9D93F385 DBA187FF 92721F80 D9BFA754 6143A626 114D5782 9F937336 F13CC7A4
7BA39C6C 80D87586 82CA5C28 AD6ACF
quit
!
!
!
ip dhcp excluded-address 10.10.10.1
!
!
no ip domain lookup
ip domain name ipractice.com
ip inspect max-incomplete high 20000000
ip inspect max-incomplete low 750
ip inspect one-minute low 750
ip inspect one-minute high 20000000
ip inspect tcp idle-time 14400
ip inspect tcp max-incomplete host 150 block-time 0
ip inspect name FIREWALL tcp timeout 7200
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL smtp
ip cef
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX15468444
!
!
username clay privilege 15 password 0 clay123
username ppatel privilege 15 secret 5 $1$UT5B$FzYxHwEDjiJ0Kjpucv1Pq.
!
!
!
!
!
!
track 10 ip sla 10 reachability
delay down 30 up 10
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key iPRAC001PeakTen address 68.71.106.36 no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set rtpset esp-aes 256 esp-sha-hmac
!
!
!
crypto map rtpset 100 ipsec-isakmp
set peer 68.71.106.36
set security-association lifetime seconds 28800
set transform-set rtpset
set pfs group5
match address IPSEC-LIST
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
shutdown
!
interface FastEthernet4
description PRIMARY WAN - CONNECTS TO PRIMARY CABLE
ip address 65.5.50.6 255.255.255.0
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
duplex auto
speed auto
crypto map rtpset
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
description CONNECTS TO PRACTICE LAN
ip address 10.50.80.250 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
!
interface Vlan2
description BACKUP WAN - CONNECTS TO ACCEL WIRELESS MODEM
ip address 166.200.162.168 255.255.255.0
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly in
shutdown
crypto map rtpset
!
ip local policy route-map BACKUP_RMAP_1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map BACKUP-NAT-MAP interface Vlan2 overload
ip nat inside source route-map PRIMARY-NAT-MAP interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 65.5.50.1 track 10
ip route 0.0.0.0 0.0.0.0 166.200.162.254 250
!
ip access-list extended EXCHANGE-ACL
permit tcp any eq smtp host 10.50.80.21
permit tcp host 10.50.80.21 eq smtp any
ip access-list extended IPSEC-LIST
permit ip 10.50.80.0 0.0.0.255 192.168.189.0 0.0.0.255
ip access-list extended NAT-LIST
deny ip 10.50.80.0 0.0.0.255 192.168.189.0 0.0.0.255
deny ip host 10.50.80.21 any
permit ip 10.50.80.0 0.0.0.255 any
!
ip sla 10
icmp-echo 4.2.2.2 source-interface FastEthernet4
frequency 15
ip sla schedule 10 life forever start-time now
access-list 101 permit icmp any host 4.2.2.2 echo
no cdp run
!
!
!
!
route-map BACKUP-NAT-MAP permit 10
match ip address NAT-LIST
match interface Vlan2
!
route-map BACKUP_RMAP_1 permit 1
match ip address 101
set ip next-hop 65.5.50.1
set interface Null0
!
route-map PRIMARY-NAT-MAP permit 10
match ip address NAT-LIST
match interface FastEthernet4
!
route-map EXCHANGE-MAP permit 10
match ip address EXCHANGE-ACL
match interface FastEthernet4
!
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 129.6.15.28
ntp server 129.6.15.29
event manager applet PRIMARY-DOWN
event track 10 state down
action 10 cli command "enable"
action 11 cli command "config t"
action 12 cli command "int fa 3"
action 13 cli command "no sh"
action 14 cli command "int vlan 2"
action 15 cli command "no sh"
action 16 cli command "end"
action 17 cli command "clear ip nat tr *"
action 18 cli command "clear cry isa"
action 19 cli command "clear ip nat tr *"
event manager applet PRIMARY-UP
event track 10 state up
action 10 cli command "enable"
action 11 cli command "config t"
action 12 cli command "int fa 3"
action 13 cli command "sh"
action 14 cli command "int vlan 2"
action 15 cli command "sh"
action 16 cli command "end"
action 17 cli command "clear ip nat tr *"
action 18 cli command "clear cry isa"
action 19 cli command "clear ip nat tr *"
!
end
