Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1064
Views
4
Helpful
9
Replies

Static TCP NAT rule causing issues when routing from internal VPN

Go to solution
Drew T
Level 1
Level 1

‎08-16-2017 04:41 PM - edited ‎03-05-2019 09:01 AM

A bit of a curly one.

I have a small network of routers that are all connected back to a single site via a crypto-map and matching subnets in ACL's.

In addition, I have an inbound static TCP NAT rule on the same inbound interface to a host on the internal LAN (on the main router that all sites VPN's terminate back to):

ip nat inside source static tcp 192.168.0.1 499 interface GigabitEthernet0/2 499

This works fine (ie. if I go to the IP of Gi0/2, on port 499 from the general internet, it works).

The problem comes from other sites. The other sites all use subnets in 192.168.x.x and are using IPSEC via a crypto-map on each interface back to this router. The destination is the IP address for Gi0/2 on the main router. The IPSEC has been up and running for some time, working fine. 

From a remote site, I can ping 192.168.0.1, I can connect to any other port but if I try to connect to port 499, it times out.

All other sites have NAT disabled when trying to access 192.168.0.0/24 (on the main router) so it should not be hitting the static NAT rule from Gi0/2 to the internal host. 

I have tried a few different ACL/route-map configs on the main router to attempt to force anything originating from another site to not NAT to TCP 499 on that host, but it hasn't worked.

Has anyone seen something like this before? Quite urgent to fix this. 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Drew T
Level 1
Level 1
In response to Jon Marshall

‎08-17-2017 03:04 PM

Thanks Jon :)

I must have it wrong. Here's the sanised config...

ip nat inside source static tcp 192.168.0.205 499 x.x.x.x 499 route-map no-nat-ipsec extendable

! It's added the 'extendable' by default; can't seem to remove that

ip access-list extended deny_nat_172_16

 permit ip 192.168.0.0 0.0.255.255 host 192.168.0.205

!

ip access-list extended permit_any

 permit ip any any

!

route-map no-nat-ipsec deny 10

 match ip address deny_nat_172_16

route-map no-nat-ipsec permit 20

 match ip address permit_any

!

With that in place, the outside world NAT to the inside 192.168.0.205 tcp 499 works fine, but still failing from anything on the IPSEC network. (trying from 192.168.48.254 to 192.168.0.205 on 499 and it fails, but if I try from 192.168.48.80 to 192.168.0.205 port 80, it's fine). 

should route-map counters increment for NAT translations? I'm not seeing any in a show route-map:

route-map no-nat-ipsec, deny, sequence 10

  Match clauses:

    ip address (access-lists): deny_nat_172_16 

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

route-map no-nat-ipsec, permit, sequence 20

  Match clauses:

    ip address (access-lists): permit_any 

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

 

Thanks again for your help.

View solution in original post

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Drew T

‎08-24-2017 01:53 AM - edited ‎08-24-2017 01:54 AM

Managed to lab this up today. 

 

Can you change  - 

 

"permit ip 192.168.0.0 0.0.255.255 host 192.168.0.205" 

 

to 

 

"permit ip host 192.168.0.205 192.168.0.0 0.0.255.255" 

 

and retest. 

 

Jon 

 

View solution in original post

9 Replies 9

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎08-16-2017 11:45 PM

You do need to use a route map for this. 

I am on phone so searching a bit limited but I found a previous thread where I answered

Just follow the links :)

Jon 

Go to solution
Drew T
Level 1
Level 1
In response to Jon Marshall

‎08-17-2017 04:27 AM

Thanks Jon, which thread was it? :)

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Drew T

‎08-17-2017 07:04 AM

Sorry, obviously answering on a phone is too complicated for me :) 

Here it is - 

https://supportforums.cisco.com/discussion/12547961/service-access-nat-and-vpn-conflict

Jon

Go to solution
Drew T
Level 1
Level 1
In response to Jon Marshall

‎08-17-2017 03:04 PM

Thanks Jon :)

I must have it wrong. Here's the sanised config...

ip nat inside source static tcp 192.168.0.205 499 x.x.x.x 499 route-map no-nat-ipsec extendable

! It's added the 'extendable' by default; can't seem to remove that

ip access-list extended deny_nat_172_16

 permit ip 192.168.0.0 0.0.255.255 host 192.168.0.205

!

ip access-list extended permit_any

 permit ip any any

!

route-map no-nat-ipsec deny 10

 match ip address deny_nat_172_16

route-map no-nat-ipsec permit 20

 match ip address permit_any

!

With that in place, the outside world NAT to the inside 192.168.0.205 tcp 499 works fine, but still failing from anything on the IPSEC network. (trying from 192.168.48.254 to 192.168.0.205 on 499 and it fails, but if I try from 192.168.48.80 to 192.168.0.205 port 80, it's fine). 

should route-map counters increment for NAT translations? I'm not seeing any in a show route-map:

route-map no-nat-ipsec, deny, sequence 10

  Match clauses:

    ip address (access-lists): deny_nat_172_16 

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

route-map no-nat-ipsec, permit, sequence 20

  Match clauses:

    ip address (access-lists): permit_any 

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

 

Thanks again for your help.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Drew T

‎08-24-2017 01:53 AM - edited ‎08-24-2017 01:54 AM

Managed to lab this up today. 

 

Can you change  - 

 

"permit ip 192.168.0.0 0.0.255.255 host 192.168.0.205" 

 

to 

 

"permit ip host 192.168.0.205 192.168.0.0 0.0.255.255" 

 

and retest. 

 

Jon 

 

Go to solution
Drew T
Level 1
Level 1
In response to Jon Marshall

‎08-24-2017 03:59 AM

 

Ahh that looks to have done the trick. Port 499 is now accessible from the outside world via the NAT to internal, and from other networks on the IPSEC mesh also appear to be working (At least telneting from source interfaces on the remote routers). Will have to get the customer to check locally but think you've saved the day :) Thanks a heap!

 

Just out of interest, i'm assuming the counters won't increment on the route-map when used in a nat capacity? sh route-map shows 0 packets/bytes on both. 

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Drew T

‎08-24-2017 08:59 AM

Didn't check the counters to be honest so would have to setup the lab again but they don't always increment if I remember correctly. 

 

Glad to hear it seems like it is working.

 

Jon

0 Helpful

Go to solution
Drew T
Level 1
Level 1
In response to Jon Marshall

‎08-22-2017 05:49 AM

Talk about rotten timing with the forum migration!

Did you have any suggestions Jon (or anyone else)? I figured the config posted should be working.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Drew T

‎08-23-2017 11:48 AM - edited ‎08-23-2017 11:49 AM

Yes, not the best timing :)

 

Looks to me like it should work so if I get the chance tomorrow I'll knock up a quick lab and have a look. 

 

I can't do the IPSEC part but that shouldn't matter, it is really the NAT from two different places that needs testing, hopefully get back to you tomorrow. 

 

Jon 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card