IPSec passthrough on Cisco 887 (multiple VLANs sharing one internet connection)

Hi,

I've got a Cisco 887 ISR that sits behind another one that provides internet connectivity.  I have 3 VLANs (via a Catalyst 3750E) and all share this one internet connection.  The Dialer interface on my 887 is unused; the WAN is accessed via FA0.  I have a /29 block routed to me.

Two of the VLANs are for a tenant company - for their data and voice requirements.  In order for me to easily track their usage, I've set them up to NAT/PAT to a specific IP in the block.  This has been achieved via an "ip nat pool" with a single IP - which seems to be a bit of a funky way to do it, but it works: the tenant's PCs and phones all go out on the specified public IP.

The problem I'm having is that the tenant has acquired a mobile phone "3G booster" box, which is a box designed to plug into UPnP routers and "just work".  When plugged into a consumer broadband modem it works, but it doesn't when connected to my Cisco network.

There is very little documentation available, since it seems to be designed for very simple networks, but what documentation I could find tells me that in situations where UPnP is not available it needs the following ports forwarded to it:

50 (TCP/IP)
123 (UDP)
500 (UDP)
4500 (UDP)

Documentation on this unit is almost non-existent, but the port requirements above seem to suggest that it needs a remote device to be able to VPN to it, rather than initialising it from the inside out.

The problem I'm having is working out how to NAT'ify ESP to it, if that's what I should be doing.  The "ip nat inside source static esp host <LAN IP>" command only takes an interface as the global part.  If I use "ip nat inside source static esp host <LAN IP> interface vlan 1" then the NAT translations database shows the global IP as the first IP of the block, which isn't the one the VLAN is going out on, if that makes sense.

Here are the relevant parts of my config:


ip domain name mycompany.local
ip name-server 10.1.0.10
ip name-server 4.2.2.4
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 15
ip inspect tcp reassembly memory limit 4096
ip inspect name COMPANY-CBAC-INSPECT tcp router-traffic
ip inspect name COMPANY-CBAC-INSPECT udp router-traffic
ip inspect name COMPANY-CBAC-INSPECT icmp
ip inspect name COMPANY-CBAC-INSPECT ftp
ip inspect name COMPANY-CBAC-INSPECT http
ip inspect name COMPANY-CBAC-INSPECT https
ip cef
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C887VA-W-E-K9 sn XXXX
!
controller VDSL 0
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport trunk allowed vlan 1,2,100,500,501,1002-1005
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport access vlan 100
 no ip address
!
interface wlan-ap0
 description Embedded Service module interface to manage the embedded AP
 ip unnumbered Vlan100
!
interface Vlan1
 description BRANCH (C887-VAW) to ISP (C887-VAM)
 ip address 1.1.1.185 255.255.255.248
 ip access-group COMPANY-INBOUND in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect COMPANY-CBAC-INSPECT out
 ip virtual-reassembly in
!
interface Vlan100
 description BRANCH (C887-VAW) to SWITCH C3750E
 ip address 10.1.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan500
 description TENANT DATA
 ip address 10.100.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan501
 description TENANT VOICE
 ip address 10.101.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
 top 100
 sort-by bytes
!
no ip nat service sip udp port 5060
ip nat pool TENANT-WAN 1.1.1.189 1.1.1.189 prefix-length 30
ip nat inside source list TENANT-NAT-NET pool TENANT-WAN overload
ip nat inside source list COMPANY-NAT-NET interface Vlan1 overload
ip nat inside source static tcp 10.1.0.95 443 1.1.1.185 880 extendable
ip nat inside source static udp 10.1.0.20 5060 1.1.1.186 5060 extendable
ip nat inside source static tcp 10.1.0.20 35300 1.1.1.186 35300 extendable
ip nat inside source static 10.1.0.21 1.1.1.186 route-map ISP-SIP-DSP-RMAP
ip nat inside source static tcp 10.1.0.10 25 1.1.1.187 25 extendable
ip nat inside source static tcp 10.1.0.10 443 1.1.1.187 443 extendable
ip nat inside source static tcp 10.1.0.10 3389 1.1.1.187 3389 extendable
ip nat inside source static tcp 10.100.0.251 50 1.1.1.189 50 extendable
ip nat inside source static udp 10.100.0.251 123 1.1.1.189 123 extendable
ip nat inside source static udp 10.100.0.251 500 1.1.1.189 500 extendable
ip nat inside source static udp 10.100.0.251 4500 1.1.1.189 4500 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.190
ip ssh version 2
!
ip access-list extended TENANT-NAT-NET
 remark - TENANT NATified network infrastructure
 remark -- Block NAT traffic to RFC1918 addresses explicitly
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.100.0.0 0.0.0.255 any
 permit ip 10.101.0.0 0.0.0.255 any
ip access-list extended ISP-SIP-DSP-ACL
 remark -- ISP inbound NATified SIP connectivity to phone system
 permit udp host 10.1.0.21 range 6000 40000 host 2.2.2.2
ip access-list extended COMPANY-INBOUND
 remark -- Inbound traffic from Internet
 permit tcp any gt 1023 any eq 443
 permit tcp any host 5.144.159.189 eq 50
 permit udp any host 5.144.159.189 eq ntp isakmp non500-isakmp
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
ip access-list extended COMPANY-NAT-NET
 remark -- COMPANY NATified network infrastructure
 remark -- Block NAT traffic to RFC1918 addresses explicitly
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.0.255 any
!
!
route-map ISP-SIP-DSP-RMAP permit 10
 match ip address ISP-SIP-DSP-ACL
!
!
end 

Vlan 500 and 501 are the tenant VLANs, for data and voice respectively; the 3750 switch handles DHCP for both these networks.  As said, the above config is working fine in the sense that "COMPANY" has a public IP of 1.1.1.185 (Vlan 1) and "TENANT" has a public IP of 1.1.1.189, and both parties can access the internet freely.  The "3G box" has a static DHCP mapping on the 3750 switch to 10.100.0.251.

I also realise now that the "ip nat inside source static tcp 10.100.0.251 50 1.1.1.189 50 extendable" and "permit tcp any host 5.144.159.189 eq 50" lines are wrong, since initially I was informed that it was TCP 50 that needed to be port-mapped, but I've subsequently found out that it's IP 50 (ESP).

Essentially what I'm trying to do, I think, is allow IPsec passthrough specifically on 1.1.1.189, but the only command I can enter that will do NAT translation for ESP is "ip nat inside source static esp 10.100.0.251 interface vlan 1", which doesn't work, as stated, because the translation appears as 1.1.1.185... so I guess this 3G box is going out on 1.1.1.189, and the remote host is trying to open a tunnel back to 1.1.1.189, but ESP is only translated on 1.1.1.185.

I hope I've explained it OK!  Thanks in advance for any help that can be provided.  Incidentally, I cannot access or modify the configuration on the router connected to FA0 (the other side of Vlan 1, 1.1.1.90).

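The mismatch described in the post (ESP translated to the outside interface's primary address while the host's PAT pool uses a different address in the same /29) is the kind of thing worth checking mechanically before touching the router. The script below is an added example for this thread, not the poster's own tooling. It parses a constructed excerpt of the posted config (the addresses are the ones in the post, plus the "static esp ... interface Vlan1" line the poster says they tried), works out which global address each inside host is PATted to, and flags static entries whose global side differs from that address, the "tcp 50" entries that cannot carry ESP, and inbound ACL "host" targets that do not fall inside the NAT outside subnet. It understands only the subset of IOS "ip nat" and "ip access-list" syntax shown in the sample, and it resolves a host to its PAT rule by the first source-matching permit, which is an approximation of how IOS orders NAT rules rather than a model of it.

```python
"""Cross-check IOS static NAT entries against the PAT rule covering the same
inside host, and inbound ACL 'host' targets against the NAT outside subnet.
Added example for this thread; handles only the syntax used in the sample."""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the config in the post, plus the
# 'static esp ... interface Vlan1' line the poster says they tried.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 1.1.1.185 255.255.255.248
 ip access-group COMPANY-INBOUND in
 ip nat outside
!
ip nat pool TENANT-WAN 1.1.1.189 1.1.1.189 prefix-length 30
ip nat inside source list TENANT-NAT-NET pool TENANT-WAN overload
ip nat inside source list COMPANY-NAT-NET interface Vlan1 overload
ip nat inside source static tcp 10.100.0.251 50 1.1.1.189 50 extendable
ip nat inside source static udp 10.100.0.251 500 1.1.1.189 500 extendable
ip nat inside source static udp 10.100.0.251 4500 1.1.1.189 4500 extendable
ip nat inside source static esp 10.100.0.251 interface Vlan1
ip access-list extended TENANT-NAT-NET
 deny   ip any 10.0.0.0 0.255.255.255
 permit ip 10.100.0.0 0.0.0.255 any
ip access-list extended COMPANY-NAT-NET
 permit ip 10.1.0.0 0.0.0.255 any
ip access-list extended COMPANY-INBOUND
 permit udp any host 5.144.159.189 eq ntp isakmp non500-isakmp
"""


def _blocks(cfg):
    """Yield (header, [indented body lines]) for each top-level config line."""
    header, body = None, []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line.strip(), []
    if header is not None:
        yield header, body


def parse(cfg):
    c = {"ifaces": {}, "outside": set(), "inbound_acl": {}, "pools": {},
         "dynamic": [], "acls": {}, "statics": []}
    for header, body in _blocks(cfg):
        w = header.split()
        if w[0] == "interface":
            name = w[1].lower()
            for line in body:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m:  # (primary address, connected subnet)
                    c["ifaces"][name] = (ip_address(m[1]), ip_network(f"{m[1]}/{m[2]}", strict=False))
                if line == "ip nat outside":
                    c["outside"].add(name)
                m = re.match(r"ip access-group (\S+) in$", line)
                if m:
                    c["inbound_acl"][name] = m[1]
        elif header.startswith("ip nat pool "):
            c["pools"][w[3]] = ip_address(w[4])  # pool start (single-address pool here)
        elif header.startswith("ip nat inside source list "):
            c["dynamic"].append((w[5], (w[6], w[7])))  # (acl, ('pool'|'interface', name))
        elif header.startswith("ip nat inside source static "):
            r = w[5:]
            if r[0] in ("tcp", "udp"):  # static PAT: proto inside port global port
                c["statics"].append((r[0], r[1], r[2], ("addr", r[3])))
            elif r[0] == "esp":  # IOS only accepts an interface as the global side
                c["statics"].append(("esp", r[1], None, (r[2], r[3])))
            else:  # one-to-one: inside global
                c["statics"].append(("ip", r[0], None, ("addr", r[1])))
        elif header.startswith("ip access-list extended "):
            c["acls"][w[3]] = body
    return c


def resolve(target, c):
    """Turn ('addr'|'pool'|'interface', name) into the global address it yields."""
    kind, name = target
    if kind == "addr":
        return ip_address(name)
    return c["pools"][name] if kind == "pool" else c["ifaces"][name.lower()][0]


def pat_global(host, c):
    """Global address the dynamic rules give this inside host (first match), or None.
    The 'deny ip any <rfc1918>' lines are destination filters, so only source
    permits decide which rule the host falls under."""
    host = ip_address(host)
    for acl, target in c["dynamic"]:
        for entry in c["acls"].get(acl, []):
            m = re.match(r"permit ip (\S+) (\S+) any$", entry)
            if m and host in ip_network(f"{m[1]}/{m[2]}"):  # wildcard mask form
                return resolve(target, c)
    return None


def audit(cfg):
    c = parse(cfg)
    findings = []
    for proto, inside, port, target in c["statics"]:
        glob, pat = resolve(target, c), pat_global(inside, c)
        if proto == "tcp" and port == "50":
            findings.append(f"{inside}: 'tcp 50' is a TCP port; ESP is IP protocol 50 ('static esp')")
        if pat is not None and glob != pat:
            findings.append(f"{inside}: static {proto} maps to {glob} but the host PATs out via {pat}")
    for iface in c["outside"]:  # inbound ACL 'host' targets no outside address can match
        if iface not in c["ifaces"]:
            continue
        acl, net = c["inbound_acl"].get(iface), c["ifaces"][iface][1]
        for entry in c["acls"].get(acl, []):
            m = re.match(r"permit \S+ any host (\S+)", entry)
            if m and ip_address(m[1]) not in net:
                findings.append(f"{acl}: permits to {m[1]}, which is not in {iface}'s subnet {net}")
    return findings
```

Running audit(SAMPLE_CONFIG) reports three things: the "tcp 50" entry, the ESP entry landing on 1.1.1.185 while 10.100.0.251 is PATted out via 1.1.1.189, and the COMPANY-INBOUND permit to 5.144.159.189, an address outside the 1.1.1.184/29 on Vlan1. The script only spots the inconsistency; it does not pick the fix, since that depends on whether the remote peer negotiates NAT-T (UDP 4500, which the posted static entries already forward) or insists on raw ESP.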
1 REPLY

Can anyone help?