Access LIST VPN ISSUE

soufiane.Max
Level 1

Hello everyone.

Please can you check my code, maybe I forgot something. My VPN is working fine when I remove this command, but I can't access the internet:

ip nat inside source list 105 pool POOL-NAT-LAN overload

My code:

interface GigabitEthernet1
 CONNECT TO OUTSIDE WAN
 ip address 192.168.123.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CRYPTOMAP
!
interface Vlan1
 description $ETH_LAN$
 ip address 192.168.117.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip default-gateway 192.168.123.254
!
ip nat pool POOL-NAT-LAN 192.168.123.110 192.168.123.200 netmask 255.255.255.0
ip nat inside source route-map nonat interface GigabitEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 192.168.123.254
!
route-map nonat permit 1
 match ip address 105
!
access-list 101 permit ip 192.168.117.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.117.0 0.0.0.255 any
access-list 105 permit ip 192.168.117.0 0.0.0.255 any
access-list 105 deny   ip 192.168.117.0 0.0.0.255 192.168.1.0 0.0.0.255

When I try to ping my LAN network 192.168.117.1 the ping is too long, with a high ping value, see the screen in the attachment.

And when I put back this command:

ip nat inside source list 105 pool POOL-NAT-LAN overload

I can ping the internet 1.1.1.1 and my VPN traffic, but too slow... and after some pings I completely lose connection to my LAN network?

Have you any idea?

Thank you

1 Accepted Solution

I'm sorry to be late. I reset my router 3 times, and now it is working fine with my first configuration. I don't know why the first time I set the configuration the router was unable to connect to the VPN and the internet at the same time. The access list was set correctly. I'm using my first configuration without any change. Thank you for your assistance, guys, maybe my router is faulty. All your answers were helpful.

17 Replies

Hi

This command "ip nat inside source list 105 pool POOL-NAT-LAN overload" is actually wrong.

The right one is this:

"ip nat inside source route-map nonat interface GigabitEthernet1 overload"

This NAT statement looks for this route-map:

route-map nonat permit 1
 match ip address 105

Which looks at this ACL:

access-list 105 permit ip 192.168.117.0 0.0.0.255 any
access-list 105 deny ip 192.168.117.0 0.0.0.255 192.168.1.0 0.0.0.255

But what I can honestly say is that this is messy!

If you want to do NAT, then try to improve it.

First, define the traffic to be NATed with an ACL:

access-list 105 permit ip 192.168.117.0 0.0.0.255 any

Then use the NAT statement like this:

ip nat inside source list 105 interface GigabitEthernet1 overload

Keep the "ip nat inside" on Vlan1 and the "ip nat outside" on GigabitEthernet1.

Delete everything else.

Thank you for your reply. Once I do that, I lose connectivity to my LAN network 192.168.117.1. It begins with a high-latency ping, and after 5 minutes I lose the ping to my interface 192.168.117.1.

When you say you lose connectivity to your LAN network, from where are you testing?

I have 2 routers. One ISP router: 192.168.123.254.

And a Cisco with two interfaces.

Inside: 192.168.117.1 and outside: 192.168.123.1

I'm connected with my computer: IP address 192.168.117.10 (host).

Gateway: 192.168.117.1

That's your topology?

(attachment: topology.JPG)

Yes, the cloud-pt is my ISP router, directly connected to my Cisco, in the same technical room. I have an FTTH fiber optic router f680 connected to my Cisco with an Ethernet cable.

And you are testing from where exactly? From the f680? Is it a WiFi router?

Can you draw the whole topology please?

It can be simple, you don't need to use software. It can be a draft on paper.

The same topology you sent me.

Check the picture.

Thank you

Looking at the topology and the configuration you shared above, the conclusion I get is that you don't need NAT.

The ISP router does NAT for you already. The only thing you need is this:

ip route 0.0.0.0 0.0.0.0 192.168.123.254

Just enter the interfaces and run "no ip nat inside" and "no ip nat outside".

If I do that, how can I set the crypto map on which interface? Because I don't say where my internal interface and outside interface are.

Your outside interface is this:

interface GigabitEthernet1
 CONNECT TO OUTSIDE WAN
 ip address 192.168.123.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CRYPTOMAP

But when you mention VPN, which kind of VPN is this? Is it a client VPN? Because the only configuration you share is this command "crypto map CRYPTOMAP". This alone is not able to establish a VPN.

But even though you have a site-to-site VPN on this router, the NAT does not make sense.

Can you share the whole "show running-config"?

I reset my router.

Ping to the internet is OK. VPN is up, but I can't ping the other side: 192.168.1.0 network.

If I remove:

ip nat inside source list 120 pool POOL-NAT-LAN overload

the VPN comes up and I can't ping the other side network and I lose internet.

Same topology.

That's my current issue.

This is my current running config:

no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
enable secret 5 sksksjsj
!
no aaa new-model
wan mode dsl
!
!
!
!
!
!
ip dhcp pool CLIENT
 network 192.168.117.0 255.255.255.0
 dns-server 8.8.8.8
 domain-name domain.com
 default-router 192.168.117.1
 lease 0 2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 208.67.222.222
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller VDSL 0
no cdp advertise-v2
no cdp run
!
!
crypto ctcp port 10000
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 15
crypto isakmp key password address x.X.X.X
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ftthset esp-des esp-md5-hmac
 mode tunnel
!
!
!
crypto map MAPVPN 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ftthset
 set pfs group5
 match address 121
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 description connected to wan
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 100
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 100
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 100
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
interface Vlan1
 description $ETH_LAN$
 no ip address
 ip tcp adjust-mss 1452
 shutdown
!
interface Vlan100
 ip address 192.168.117.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan200
 ip address 192.168.123.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 crypto map MAPVPN
!
interface Dialer1
 no ip address
 no cdp enable
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool POOL-NAT-LAN 192.168.123.110 192.168.123.200 netmask 255.255.255.0
ip nat inside source list 120 pool POOL-NAT-LAN overload
ip route 0.0.0.0 0.0.0.0 192.168.123.254 permanent
!
!
route-map nonat permit 10
 match ip address 120
!

access-list 23 permit 192.168.117.0 0.0.0.255
access-list 120 permit ip 192.168.117.0 0.0.0.255 any
access-list 120 deny   ip 192.168.117.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 permit ip 192.168.117.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 deny   ip 192.168.117.0 0.0.0.255 any
!

Thank you

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14132-ios-D.html

Please check this example for configuring VPN with NAT overload.

access-list 105 permit ip 192.168.117.0 0.0.0.255 any  <- this must be pushed down

access-list 105 deny   ip 192.168.117.0 0.0.0.255 192.168.1.0 0.0.0.255   <- this must be pushed up
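An added example, not from the thread or from Cisco: a small Python first-match evaluator for the numbered ACLs in the running-config above. It shows that with "permit ... any" listed first, the deny for 192.168.1.0/24 in ACL 120 is never reached, so a LAN-to-remote-LAN packet is NATed and no longer matches crypto ACL 121; swapping the two entries of ACL 120 fixes that. The host 192.168.1.5 and the flows tested are constructed values.

```python
import ipaddress
# Constructed example: the two ACLs from the running-config above. With
# "permit ... any" first, the deny for 192.168.1.0/24 in ACL 120 is unreachable.
RUNNING_CONFIG_ACLS = """
access-list 120 permit ip 192.168.117.0 0.0.0.255 any
access-list 120 deny   ip 192.168.117.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 permit ip 192.168.117.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 deny   ip 192.168.117.0 0.0.0.255 any
"""
# The same ACL 120 with the deny for the remote LAN moved above the permit.
REORDERED_ACL_120 = """
access-list 120 deny   ip 192.168.117.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.117.0 0.0.0.255 any
"""
def _matches(addr, spec):
    # spec is 'any' or 'A.B.C.D W.W.W.W'; a 0 bit in the wildcard must match.
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _take_addr(tokens):
    # Consume 'any' or 'X wildcard' ('host X' is not used in this thread).
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse_acls(text):
    # {acl_number: [(action, src_spec, dst_spec), ...]} in configuration order.
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[3] != "ip":
            continue  # only 'access-list N permit|deny ip SRC DST' entries
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def acl_permits(entries, src, dst):
    # Cisco semantics: the first matching entry decides; implicit deny at the end.
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return action == "permit"
    return False

def vpn_traffic_is_natted(acl_text, src="192.168.117.10", dst="192.168.1.5"):
    # NAT list permits => translated before the crypto map runs => ACL 121 misses it.
    return acl_permits(parse_acls(acl_text)["120"], src, dst)
```

The conclusion relies on IOS applying inside-to-outside NAT before the crypto map check, which is its documented order of operations.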

Still this issue not solved?

Anyway,

We have two ISPs,

One VPN,

One LAN.

1- Using a route-map to match an ACL that:

Deny LAN -> remote LAN

Permit LAN -> 0.0.0.0

Match next-hop or interface for ISP1 or ISP2

2- Using nonat overload with the route-map specified in point 1.

Note: here you need two nonat, one for each ISP.

3- Using a default route and IP SLA tracking.

4- Config crypto map under both ISP interfaces.

5- The other side must be configured to allow established IPsec with both ISP IPs.
