I already solved this by moving the loopback 26 to the HQ router and including the 10.226.26.0/24 network in the routing by EIGRP. In this way the nat outside 10.220.202.24 -> 10.226.27.1 worked. Something not very eclectic but effective.
Thanks for your time
This is the routing table:
show ip route
Gateway of last resort is not set

      188.8.131.52/8 is variably subnetted, 5 subnets, 2 masks
C        184.108.40.206/24 is directly connected, Loopback0
L        220.127.116.11/32 is directly connected, Loopback0
L        18.104.22.168/32 is directly connected, Loopback0
L        22.214.171.124/32 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 18 subnets, 3 masks
C        10.1.3.0/24 is directly connected, Vlan140
L        10.1.3.1/32 is directly connected, Vlan140
C        10.210.1.0/24 is directly connected, GigabitEthernet0/0/1
L        10.210.1.140/32 is directly connected, GigabitEthernet0/0/1
S        10.211.1.0/30 [1/0] via 10.212.140.1
C        10.212.140.0/30 is directly connected, GigabitEthernet0/0/0
L        10.212.140.2/32 is directly connected, GigabitEthernet0/0/0
C        10.215.140.1/32 is directly connected, Loopback10
D EX     10.220.202.0/24 [170/1762048] via 10.221.140.1, 1d00h, Tunnel1
C        10.221.140.0/30 is directly connected, Tunnel1
L        10.221.140.2/32 is directly connected, Tunnel1
D        10.224.30.210/32 [90/1889792] via 10.221.140.1, 1d00h, Tunnel1
D        10.224.30.220/32 [90/1889792] via 10.221.140.1, 1d00h, Tunnel1
C        10.226.26.0/24 is directly connected, Loopback26
L        10.226.26.1/32 is directly connected, Loopback26
L        10.226.26.2/32 is directly connected, Loopback26
If the VPN client with IP 10.1.3.6 tries to connect to 10.226.26.1, the NAT outside should translate 10.226.26.1 to 10.220.202.24 and the NAT inside should translate 10.1.3.6 to 126.96.36.199. But it didn't happen.
When the VPN client tries to connect to 10.220.202.24 (without the ACL in), the NAT inside translation works and it connects.
It seems like the NAT outside is not working.
I tried with that command for nat outside but the result was the same.
The IOS-XE version is Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6. Image isr4300-universalk9.03.16.06.S.155-3.S6-ext.SPA.bin.
I have a NAT issue with an ISR 4331 using a working configuration from a 2911 router. When a VPN client tries to connect to 10.226.26.1 port 443 there is no translation to 10.220.202.24. There are matches in VPN_ACL but the VPN client does not connect. The NAT table isn't registering anything. This is the configuration:
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no service dhcp
no platform punt-keepalive disable-kernel-core
!
hostname Office_Router_4520
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.06.S.155-3.S6-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 40960
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication ppp default local
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting nested
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 0 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa accounting network default
 action-type start-stop
 group tacacs+
!
aaa accounting system default
 action-type start-stop
 group tacacs+
!
aaa session-id common
clock timezone CRC -6 0
no ip source-route
!
no ip bootp server
!
no ip domain lookup
!
!
ntp max-associations 2
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
key chain EIGRP-key-757
 key 757
  key-string !! SUPPRESSED !!
!
!
!
license boot level securityk9
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!
interface Loopback0
 description For NAT of VPN clients
 ip address 188.8.131.52 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
!
interface Loopback10
 description Remote administration of router
 ip address 10.215.140.1 255.255.255.255
 no ip redirects
 no ip unreachables
!
interface Loopback26
 description For VPN Nat
 ip address 10.226.26.2 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat outside
!
interface Tunnel1
 description Tunnel to HQ via service provider
 bandwidth 2048
 ip address 10.221.140.2 255.255.255.252
 no ip redirects
 no ip unreachables
 ip nat outside
 ip authentication mode eigrp 757 md5
 ip authentication key-chain eigrp 757 EIGRP-key-757
 delay 2000
 tunnel source GigabitEthernet0/0/1
 tunnel destination 10.210.1.1
 tunnel key !! SUPPRESSED !!
!
!
interface GigabitEthernet0/0/0
 shutdown
!
!
interface GigabitEthernet0/0/1
 description Link to Service Provider
 ip address 10.210.1.140 255.255.255.0
 no ip redirects
 no ip unreachables
 load-interval 30
 negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/2
 shutdown
!
interface GigabitEthernet0/1/0
 description Connection to VPN Client 10.1.3.6
 switchport access vlan 140
 no cdp enable
 spanning-tree portfast
 ip virtual-reassembly
!
interface GigabitEthernet0/1/1
 description Connection to VPN Client 10.1.3.10
 switchport access vlan 140
 spanning-tree portfast
!
interface GigabitEthernet0/1/2
 shutdown
!
interface GigabitEthernet0/1/3
 shutdown
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan140
 description SVI for VPN Clients
 ip address 10.1.3.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip access-group VPN_ACL in
!
!
router eigrp 757
 distribute-list 33 in
 network 184.108.40.206 0.0.0.255
 network 10.215.140.1 0.0.0.0
 network 10.221.140.0 0.0.0.3
 passive-interface Loopback0
 passive-interface Loopback10
 passive-interface Loopback26
 passive-interface GigabitEthernet0/0/0
 passive-interface GigabitEthernet0/0/1
 eigrp stub connected
!
ip nat inside source static 10.1.3.6 220.127.116.11
ip nat inside source static 10.1.3.10 18.104.22.168
!
ip nat outside source static 10.220.202.24 10.226.26.1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface Loopback10
!
!
ip access-list extended VPN_ACL
 remark Access of VPN Clients
 remark VPN Client # 4525
 permit tcp host 10.1.3.6 host 10.226.26.1 eq 443
 remark VPN Client # 4526
 permit tcp host 10.1.3.10 host 10.226.26.1 eq 443
 remark Allow ICMP to gateway
 permit icmp 10.1.3.0 0.0.0.255 10.1.3.0 0.0.0.255
 deny ip any any log
!
access-list 9 permit 192.168.64.128 0.0.0.15
access-list 9 deny any log
access-list 10 permit 10.210.1.1
access-list 10 permit 10.211.1.1
access-list 10 permit 192.168.64.128 0.0.0.15
access-list 10 deny any log
access-list 20 permit 192.168.64.10
access-list 20 permit 192.168.64.11
access-list 20 permit any
access-list 33 permit 10.224.30.0 0.0.0.255
access-list 33 permit 10.220.202.0 0.0.0.255
access-list 33 permit 192.168.64.0 0.0.0.255
access-list 33 permit 192.168.128.0 0.0.0.255
access-list 33 permit 192.168.160.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 no exec
 stopbits 1
line vty 0 3
 access-class 10 in
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 transport input telnet ssh
line vty 4
 access-class 9 in
 exec-timeout 2 0
 privilege level 15
 logging synchronous
 transport input telnet ssh
!
no network-clock synchronization automatic
ntp authentication-key 1 md5 !! SUPPRESSED !!
ntp authenticate
ntp trusted-key 1
ntp access-group peer 20
ntp server 192.168.64.10 key 1 prefer source Loopback10
ntp server 192.168.64.11 key 1 source Loopback10
!
end
show access-lists VPN_ACL
Extended IP access list VPN_ACL
    10 permit tcp host 10.1.3.6 host 10.226.26.1 eq 443 (3 matches)
    20 permit tcp host 10.1.3.10 host 10.226.26.1 eq 443 (3 matches)
    30 permit icmp 10.1.3.0 0.0.0.255 10.1.3.0 0.0.0.255 (4 matches)
    40 deny ip any any log (2 matches)

show ip nat tra
Pro  Inside global     Inside local      Outside local     Outside global
---  ---               ---               10.226.26.1       10.220.202.24
---  22.214.171.124    10.1.3.10         ---               ---
---  126.96.36.199     10.1.3.6          ---               ---
I really appreciate your help,
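As an added illustration of why the solution post's routing change made the static outside-source entry take effect, the following Python models routing-then-NAT for the posted configuration; it is not code from the thread or from Cisco, and NAT_ROLE, the two route tables and the loopback rule are assumptions constructed from the thread rather than IOS-XE internals.

```python
"""Simplified model of IOS NAT for the thread's inside-to-outside flow.
Added illustration, not IOS/IOS-XE code: routing is done first, then NAT
runs only if the packet enters an 'ip nat inside' interface and leaves a
real 'ip nat outside' interface. Tables are constructed from the posted
configuration; the loopback rule encodes the behaviour the thread observed."""
from ipaddress import ip_address, ip_network

# Interface NAT roles, as in the posted configuration.
NAT_ROLE = {"Vlan140": "inside", "Tunnel1": "outside", "Loopback26": "outside"}

# Routing rows (prefix, egress interface); longest prefix match wins.
ROUTES_BEFORE = [("10.1.3.0/24", "Vlan140"), ("10.220.202.0/24", "Tunnel1"),
                 ("10.226.26.0/24", "Loopback26")]  # /24 on the local loopback
ROUTES_AFTER = [("10.1.3.0/24", "Vlan140"), ("10.220.202.0/24", "Tunnel1"),
                ("10.226.26.0/24", "Tunnel1")]      # learned via EIGRP from HQ

# ip nat inside source static <inside local> <inside global> (posted config)
INSIDE_SOURCE_STATIC = {"10.1.3.6": "220.127.116.11", "10.1.3.10": "18.104.22.168"}
# ip nat outside source static <outside global> <outside local> (posted config)
OUTSIDE_SOURCE_STATIC = {"10.220.202.24": "10.226.26.1"}
OUTSIDE_LOCAL_TO_GLOBAL = {v: k for k, v in OUTSIDE_SOURCE_STATIC.items()}


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(routes, in_iface, src, dst):
    """Model one packet from an inside host: route it, then apply NAT.
    Returns {"status": "translated", "egress", "src", "dst"} or
    {"status": "untranslated", "reason"} when the NAT rules never apply."""
    egress = lookup(routes, dst)
    if egress is None:
        return {"status": "untranslated", "reason": "no route to destination"}
    if NAT_ROLE.get(in_iface) != "inside" or NAT_ROLE.get(egress) != "outside":
        return {"status": "untranslated",
                "reason": f"not an inside->outside transit ({in_iface}->{egress})"}
    if egress.startswith("Loopback"):
        # Model assumption: a destination routed to a local loopback never
        # leaves the box, so the outside-source rule is never consulted.
        return {"status": "untranslated",
                "reason": f"destination routed to local {egress}, nothing egresses"}
    return {"status": "translated", "egress": egress,
            "src": INSIDE_SOURCE_STATIC.get(src, src),      # inside source rule
            "dst": OUTSIDE_LOCAL_TO_GLOBAL.get(dst, dst)}    # outside source rule
```

Running forward() with ROUTES_BEFORE reproduces the empty NAT table from the question, while ROUTES_AFTER yields the double translation the poster expected, and a direct connection to 10.220.202.24 translates only the source in both cases, matching the second observation.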
This problem continues in ACS 5.6. I followed the recommendations but the message is never sent to the remote Syslog server. I resolved this via the CLI. I changed "logging local" to "logging 10.200.75.20", where 10.200.75.20 is the IP address of my remote Syslog server. Now I can see the MSGCATnnn, logger and ADE-Service syslog messages.
I had some problems with this upgrade. I followed all the instructions, but the files in \CSCOpx\objects\smarts\lib\ stayed locked. Then I used the free utility OpenedFilesView to release them and the installation was successful. My server is a Windows Server 2003 SP2 with McAfee VirusScan Enterprise 8.7.0.i.