09-10-2014 02:58 AM - edited 02-21-2020 07:49 PM
Hi All,
I have a very simple scenario here for IPSEC over GRE but unfortunately things are not working as expected. Let me explain the connectivity.
DC-RTR----------FW1----------Public Network----------FW2-----Client-RTR
It is as simple as this one; both the DC and client routers are behind firewalls. I have done the router config on both routers and both are identical.
At the Data Center I am using static (identity) NAT on the firewall for the DC-RTR (10.27.59.243) address. There are two routers at the client site and they are configured with 192.168.112.210 and 211 respectively. I don't have access to the client firewall, and the engineer said he has configured the static translation from the 192 addresses to 10.128.14.75 and 76 respectively.
When I check the ISAKMP SA I can see the following.
192.168.112.210 10.27.59.243 MM_NO_STATE 0 ACTIVE
192.168.112.210 10.27.59.243 MM_NO_STATE 0 ACTIVE (deleted)
192.168.112.211 10.27.59.243 MM_NO_STATE 0 ACTIVE
192.168.112.211 10.27.59.243 MM_NO_STATE 0 ACTIVE (deleted)
10.27.59.243 10.128.14.76 MM_NO_STATE 10050 ACTIVE (deleted)
10.27.59.243 10.128.14.75 QM_IDLE 10051 ACTIVE
If I use show ip nhrp I get the following:
192.168.213.21/32 via 192.168.213.21
Tunnel0 created 17:15:14, expire 00:05:49
Type: dynamic, Flags: registered used
NBMA address: 192.168.112.210
192.168.213.22/32 via 192.168.213.22
Tunnel0 created 17:15:52, expire 00:05:52
Type: dynamic, Flags: registered used
NBMA address: 192.168.112.211
The IP addresses in red (192.168.112.210 and 211) are the real IPs configured on the routers' interfaces and are supposed to get NATted behind 10.128.14.75 and 76 respectively, but I don't see it happening.
UDP/4500 is allowed on both firewalls for NAT-T. The only thing on the client FW is that it is running 9.1 IOS and we are running 8.2.
I am not sure if it is the client FW which is doing the trick.
Any help will be really appreciated.
Regards,
Amjad Hashim.
09-11-2014 09:29 AM
I have also noticed that on the hub router I am seeing NHRP registration messages with private IP addresses.
*Sep 11 16:26:27.211: NHRP: Receive Registration Request via Tunnel0 vrf 0, packet size: 107
*Sep 11 16:26:27.211: (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Sep 11 16:26:27.211: shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 11 16:26:27.211: pktsz: 107 extoff: 52
*Sep 11 16:26:27.211: (M) flags: "unique nat ", reqid: 67754
*Sep 11 16:26:27.211: src NBMA: 192.168.112.211
*Sep 11 16:26:27.211: src protocol: 192.168.213.22, dst protocol: 192.168.213.1
*Sep 11 16:26:27.211: (C-1) code: no error(0)
*Sep 11 16:26:27.211: prefix: 32, mtu: 17854, hd_time: 360
*Sep 11 16:26:27.211: addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Sep 11 16:26:27.211: NHRP: Tunnel0: Cache update for target 192.168.213.22/32 next-hop 192.168.213.22
*Sep 11 16:26:27.211: 192.168.112.211
*Sep 11 16:26:27.211: NHRP: Updating our cache with NBMA: 10.27.59.243, NBMA_ALT: 10.27.59.243
*Sep 11 16:26:27.211: NHRP: Setting 'used' flag on cache entry with nhop: 192.168.213.22
*Sep 11 16:26:27.211: NHRP: NHRP successfully mapped '192.168.213.22' to NBMA 192.168.112.211
Whereas it is supposed to map it to 10.128.14.76, which is the translated address on the firewall.
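As an added illustration (not part of the thread, and not Cisco's own tooling), the following script cross-checks the two outputs posted above the way a hub operator would when a spoke sits behind static NAT: it parses the `show crypto isakmp sa` table (IOS column order is dst, src, state, conn-id, status) and the `show ip nhrp` cache, then flags every spoke whose registered NBMA address is a known pre-NAT address. For each such spoke it reports whether the hub-initiated IKE sessions to that address are all stuck short of QM_IDLE and whether a spoke-initiated session from the translated address is up. The sample inputs are copied from the posts; the hub NBMA address and the NAT mapping are assumptions taken from the poster's description, not something the script discovers.

```python
"""Cross-check 'show crypto isakmp sa' against 'show ip nhrp' on a DMVPN hub.

A spoke behind static NAT must register an NBMA address the hub can actually
reach. If the NHRP cache holds the spoke's real (pre-NAT) address, the hub's
own IKE attempts go to that address and never get past MM_NO_STATE, while the
spoke-initiated session arriving from the translated address reaches QM_IDLE.
"""
import re

# Constructed sample input, copied from the thread above.
# 'show crypto isakmp sa' prints columns in the order: dst src state conn-id status.
ISAKMP_SA = """\
192.168.112.210 10.27.59.243 MM_NO_STATE 0 ACTIVE
192.168.112.210 10.27.59.243 MM_NO_STATE 0 ACTIVE (deleted)
192.168.112.211 10.27.59.243 MM_NO_STATE 0 ACTIVE
192.168.112.211 10.27.59.243 MM_NO_STATE 0 ACTIVE (deleted)
10.27.59.243 10.128.14.76 MM_NO_STATE 10050 ACTIVE (deleted)
10.27.59.243 10.128.14.75 QM_IDLE 10051 ACTIVE
"""

NHRP_CACHE = """\
192.168.213.21/32 via 192.168.213.21
   Tunnel0 created 17:15:14, expire 00:05:49
   Type: dynamic, Flags: registered used
   NBMA address: 192.168.112.210
192.168.213.22/32 via 192.168.213.22
   Tunnel0 created 17:15:52, expire 00:05:52
   Type: dynamic, Flags: registered used
   NBMA address: 192.168.112.211
"""

# Assumptions taken from the poster's description (not learned from the outputs):
HUB_NBMA = "10.27.59.243"
EXPECTED_NAT = {"192.168.112.210": "10.128.14.75",   # real spoke address -> static NAT
                "192.168.112.211": "10.128.14.76"}

# conn-id must be numeric, so the 'dst src state conn-id status' header never matches.
ISAKMP_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)(\s+\(deleted\))?$")


def parse_isakmp(text):
    """Return one dict per SA line; 'deleted' marks an entry being torn down."""
    sas = []
    for line in text.splitlines():
        m = ISAKMP_RE.match(line.strip())
        if not m:
            continue
        dst, src, state, conn_id, status, deleted = m.groups()
        sas.append({"dst": dst, "src": src, "state": state,
                    "conn_id": int(conn_id), "status": status,
                    "deleted": deleted is not None})
    return sas


def parse_nhrp(text):
    """Return {tunnel_ip: nbma} for every 'show ip nhrp' entry with an NBMA address."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+)/\d+ via", line)
        if m:
            current = m.group(1)      # start of a new cache entry
            continue
        m = re.match(r"\s*NBMA address:\s*(\S+)", line)
        if m and current:
            entries[current] = m.group(1)
    return entries


def diagnose(sas, nhrp, expected_nat, hub):
    """Flag spokes that registered a pre-NAT NBMA address and show what IKE says."""
    findings = []
    for tunnel_ip, nbma in sorted(nhrp.items()):
        if nbma not in expected_nat:
            continue                  # registered address is not a known pre-NAT one
        translated = expected_nat[nbma]
        hub_initiated = [s for s in sas if s["src"] == hub and s["dst"] == nbma]
        spoke_initiated = [s for s in sas if s["dst"] == hub
                           and s["src"] == translated and not s["deleted"]]
        findings.append({
            "tunnel_ip": tunnel_ip,
            "registered_nbma": nbma,
            "expected_nbma": translated,
            # hub's outbound IKE to the unreachable real address never reaches QM_IDLE
            "hub_ike_stuck": bool(hub_initiated)
            and all(s["state"] != "QM_IDLE" for s in hub_initiated),
            # the spoke can still reach the hub from its translated address
            "spoke_ike_ok": any(s["state"] == "QM_IDLE" for s in spoke_initiated),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_isakmp(ISAKMP_SA), parse_nhrp(NHRP_CACHE),
                      EXPECTED_NAT, HUB_NBMA):
        print(f"spoke {f['tunnel_ip']}: NHRP has {f['registered_nbma']}, "
              f"expected {f['expected_nbma']}; hub-initiated IKE stuck: "
              f"{f['hub_ike_stuck']}; spoke-initiated IKE up: {f['spoke_ike_ok']}")
```

Run against the posted outputs, it reports both spokes as registered with their real addresses; the hub-initiated sessions to those addresses are stuck, the spoke-initiated session from 10.128.14.75 is up, and the one from 10.128.14.76 exists only as a deleted entry. That split (spoke reaches hub, hub cannot reach spoke) is what to look for before touching crypto settings: the IKE and NAT-T path works, and the problem is the address the spoke advertises in its NHRP registration.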