ISR4331 NAT over VPN tunnel issues

freeman6351
Level 1

Hello Everyone!!

Please see attached network diagram. I have a working IOS configuration to NAT traffic from the Client PC over the VPN tunnel to the FTP server behind Router B, but the same configuration will not work on a new ISR4331 with IOS-XE. I have attached the working IOS configuration for reference.

Any input on how I can get the new IOS-XE configuration below to allow this simple NAT translation to work? I cannot change the existing IPSec PBR VPN tunnel configurations.

The no ip route-cache on the WAN interface of the working configuration isn't an option on the ISR4331, but that is what lets the traffic NAT back inside before going back out the G0/0/2 interface.

I believe I need to change from the working loopback interface and no ip route-cache configuration to a VASI interface on the new ISR4331, but it still doesn't appear to NAT or route correctly with the non-working configuration below.

sh ip nat trans
Pro Inside global          Inside local                Outside local                   Outside global
tcp 192.168.101.1:21 10.253.0.129:60021 ---                                    ---
tcp 192.168.101.100:61951 10.253.0.129:61951 10.253.0.129:60021 10.253.0.129:60021
tcp 192.168.101.1:21 10.253.0.129:60021 192.168.101.100:61951 192.168.101.100:61951

version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
service unsupported-transceiver
no platform punt-keepalive disable-kernel-core
!
hostname TESTBED-rtr
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
vrf definition NAT_VRF
rd 1:1
!
address-family ipv4
exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 7
logging buffered 102400 informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login SSLVPN_AAA local
aaa authorization exec default local
aaa authorization network MYLOCAL local
!
!
!
!
!
!
aaa session-id common
no ip source-route
!
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4

no ip domain lookup
ip domain name testbed.local
ip dhcp bootp ignore
!
!
!
login on-failure log
login on-success log
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
license udi pid ISR4331/K9 sn FDO********
!
spanning-tree extend system-id
!
username admin privilege 15 secret *********
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 14
lifetime 3600
crypto isakmp key ********* address 199.1.2.3 no-xauth
crypto isakmp keepalive 10 5 periodic
crypto isakmp nat keepalive 10
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-GCM256 esp-gcm 256
mode tunnel
crypto ipsec transform-set AES256_SHA_TUNNEL_MODE esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map CRYPTO_MAP 2 ipsec-isakmp
description TESTBED_TO_DC
set peer 199.1.2.3
set transform-set AES256_SHA_TUNNEL_MODE
set pfs group14
match address TO_DC
reverse-route
!
!
!
interface GigabitEthernet0/0/0
description WAN
ip address 65.1.2.3 255.255.255.240
no ip proxy-arp
ip nat outside
ip policy route-map NAT_CLIENT
negotiation auto
no cdp enable
no lldp transmit
no lldp receive
crypto map CRYPTO_MAP
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description INTERNAL_LAN
ip address 10.253.20.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip tcp adjust-mss 1300
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description CLIENT_LAN
ip address 192.168.101.1 255.255.255.0
no ip proxy-arp
ip nat outside
ip tcp adjust-mss 1300
negotiation auto
no cdp enable
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface vasileft1
ip address 192.168.1.1 255.255.255.252
no keepalive
!
interface vasiright1
vrf forwarding NAT_VRF
ip address 192.168.1.2 255.255.255.252
ip nat inside
no keepalive
!
ip nat pool ClientVL 10.253.0.129 10.253.0.129 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 10.253.0.129 60021 192.168.101.1 21 vrf NAT_VRF extendable
ip nat inside source list NAT_CLIENT_INT interface GigabitEthernet0/0/2 overload
ip nat inside source route-map NONAT_LAN interface GigabitEthernet0/0/0 overload
ip nat inside destination list 100 pool ClientVL
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip tftp blocksize 8192
ip route 0.0.0.0 0.0.0.0 65.1.2.2
ip route 192.168.101.0 255.255.255.0 vasileft1
ip route vrf NAT_VRF 10.253.0.129 255.255.255.255 vasiright1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
ip access-list extended CLIENT_ORIGINATED
permit ip 192.168.101.0 0.0.0.255 host 10.253.0.129
ip access-list extended CLIENT_DESTINED
permit ip host 10.253.0.129 host 192.168.101.100
ip access-list extended NAT
deny ip host 192.168.101.100 10.253.0.0 0.0.0.255
deny ip 10.253.20.0 0.0.0.255 10.253.0.0 0.0.0.255
deny ip 10.253.20.0 0.0.0.255 10.253.5.0 0.0.0.255
deny ip host 192.168.101.100 10.253.5.0 0.0.0.255
permit ip 192.168.101.0 0.0.0.255 any
permit ip 10.253.20.0 0.0.0.255 any
ip access-list extended NAT_CLIENT_INT
permit ip host 10.253.0.129 any
permit ip 192.168.101.0 0.0.0.255 any
ip access-list extended TO_DC
permit ip 10.253.20.0 0.0.0.255 10.253.0.0 0.0.0.255
permit ip host 192.168.101.100 10.253.0.0 0.0.0.255
permit ip 10.253.20.0 0.0.0.255 10.253.5.0 0.0.0.255
permit ip host 192.168.101.100 10.253.5.0 0.0.0.25
!
access-list 23 remark Remote Access
access-list 23 permit 65.1.2.4
access-list 23 permit 65.1.2.5
access-list 23 permit 65.1.2.6
access-list 23 permit 10.253.0.0 0.0.255.255
access-list 100 permit tcp any 192.168.101.0 0.0.0.255 range 49152 65535
!
route-map NONAT_LAN permit 1
match ip address NAT
!
route-map NAT_CLIENT permit 10
match ip address CLIENT_DESTINED
set interface vasileft1
!
snmp-server community public RO 70
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps hsrp
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp ifmib ifindex persist
!
!
!
!
control-plane
!
no banner login
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 30 0
privilege level 15
logging synchronous
transport input ssh
transport output ssh
!
ntp master
ntp server 129.6.15.30 source GigabitEthernet0/0/0
!
end
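As an added example that is not part of the original post: a small Python audit that parses the NAT, ACL, route-map and crypto-map lines of a config like the one above and reports ACLs or route-maps that are referenced but never defined, or defined but never referenced. The excerpt embedded below is a constructed subset of the posted config; on it, the CLIENT_ORIGINATED ACL turns out to be defined but unused.

```python
import re
from collections import defaultdict

# Constructed excerpt of the posted ISR4331 config (NAT, ACL, route-map, crypto-map lines only).
SAMPLE_CONFIG = """
ip nat inside source list NAT_CLIENT_INT interface GigabitEthernet0/0/2 overload
ip nat inside source route-map NONAT_LAN interface GigabitEthernet0/0/0 overload
ip nat inside destination list 100 pool ClientVL
ip access-list extended CLIENT_ORIGINATED
 permit ip 192.168.101.0 0.0.0.255 host 10.253.0.129
ip access-list extended CLIENT_DESTINED
 permit ip host 10.253.0.129 host 192.168.101.100
ip access-list extended NAT
 permit ip 192.168.101.0 0.0.0.255 any
ip access-list extended NAT_CLIENT_INT
 permit ip host 10.253.0.129 any
ip access-list extended TO_DC
 permit ip 10.253.20.0 0.0.0.255 10.253.0.0 0.0.0.255
access-list 100 permit tcp any 192.168.101.0 0.0.0.255 range 49152 65535
route-map NONAT_LAN permit 1
 match ip address NAT
route-map NAT_CLIENT permit 10
 match ip address CLIENT_DESTINED
crypto map CRYPTO_MAP 2 ipsec-isakmp
 match address TO_DC
interface GigabitEthernet0/0/0
 ip policy route-map NAT_CLIENT
"""

def audit_references(config):
    """Return, per object kind, the names referenced but undefined and defined but unreferenced."""
    defined = defaultdict(set)     # kind -> names that have a definition line
    referenced = defaultdict(set)  # kind -> names that some other statement points at
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)", s):
            defined["acl"].add(m.group(1))          # named ACL header
        elif m := re.match(r"access-list (\d+) ", s):
            defined["acl"].add(m.group(1))          # numbered ACL entry
        elif m := re.match(r"route-map (\S+) (?:permit|deny)", s):
            defined["route-map"].add(m.group(1))
        elif m := re.match(r"ip nat inside (?:source|destination) list (\S+)", s):
            referenced["acl"].add(m.group(1))       # NAT statement using an ACL
        elif m := re.match(r"ip nat inside source route-map (\S+)", s):
            referenced["route-map"].add(m.group(1))
        elif m := re.match(r"match (?:ip address|address) (\S+)", s):
            referenced["acl"].add(m.group(1))       # route-map or crypto-map match clause
        elif m := re.match(r"ip policy route-map (\S+)", s):
            referenced["route-map"].add(m.group(1))  # PBR applied on an interface
    return {kind: {"undefined": sorted(referenced[kind] - defined[kind]),
                   "unused": sorted(defined[kind] - referenced[kind])}
            for kind in ("acl", "route-map")}
```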

0 Replies