IPSec tunnel and policy Nat

mistryj
Level 1

Hi,

I have a Cisco IOS router and want to set up an IPSec tunnel between myself and a client. Unfortunately we both have overlapping 10 network IP addresses.

Is it possible for me to just NAT the IPs on my side, or does the client need to NAT as well?

I have configured NAT on the inside interface for 10.134.206.1 to 192.168.156.6 so that NAT occurs before packets get encrypted on the tunnel; however, the tunnel is not coming up. The client uses a SonicWall firewall and has allowed 192.168.156.0/24 to their 10.91.0.0/16 network.

See attached

regards,


15 Replies

Philip D'Ath
VIP Alumni

I don't give you much chance of success of doing this on the SonicWall, so I would guess you will be doing this on your side.

What sort of device do you have?  IOS Router? ASA?

Do you need access to everything, or just one IP address? (One IP address is easier, and you could use a server as a jump host.)

And to beg the question, any chance one of you could change your IP address range?  Much simpler.

Hi Philip,

I am using an IOS router.

The client can't do NAT; they have other customers connecting to the Sonic Firewall.

There are two client hosts we need to get to, 10.91.1.40 and 10.91.1.60. These addresses are not conflicting, so I can route them as /32 on our network to the VPN router.

In this case I guess I don't have to NAT but just use static host to host mapping. But if I choose to NAT on just my router hosts from 10.134.206.1 to 192.168.156.6, is it not possible?

I want the configuration to be as secure as possible.

I have attached the config and diagram, so I would like to know the best way to do this. It would be nice to hide our 10 network from the client.

I am not sure if I have made a mistake in the configuration; I am not seeing traffic or the tunnel coming up at all.

My host 10.134.206.1 is a VM host in the Data Center. I have added /32 routes for 10.91.1.40 and .60 to go via the 10.134.246.253 router.

Does the client need to connect to your IP addresses at all?  It sounds like no.

In which case, NAT all of your internal traffic to your public IP address (which you will already be doing to access the Internet).  Your source of the VPN will then be this public IP address.  That solves the main problem.  You can then do destination NAT if you like on the customer IP addresses.

Hi Philip,

The traffic is only one way from us to them.  Mostly RDP and sharing drives.

I have not done this before; do you have a sample config, or could you point me to one please?

Hi Philip,

Ok I will try again. Let you know.

Hi Philip,

If our 10 network is being NATed to the external IP, what networks should the remote end be allowing on the Sonic Firewall?

Regards,

Hi Philip,

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800

!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set SWIFT esp-aes esp-sha-hmac
 mode tunnel
!

crypto map crypto-map 10 ipsec-isakmp
 set peer 217.37.59.141
 set security-association lifetime seconds 28800
 set transform-set SWIFT
 match address crypto_map_SWIFT

037499: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):deleting node 1413077582 error TRUE reason "QM rejected"
037500: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):Node 1413077582, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
037501: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):Old State = IKE_QM_READY  New State = IKE_QM_READY
037502: Jan 19 14:31:40.625 GMT: ISAKMP (9027): received packet from X.X.X.XSONIC_IP dport 500 sport 500 Global (R) QM_IDLE
037503: Jan 19 14:31:40.625 GMT: ISAKMP: set new node -206213584 to QM_IDLE
037504: Jan 19 14:31:40.625 GMT: ISAKMP:(9027): processing HASH payload. message ID = 4088753712
037505: Jan 19 14:31:40.625 GMT: ISAKMP:(9027): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 4088753712, sa = 0x16383A44
037506: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):deleting node -206213584 error FALSE reason "Informational (in) state 1"
037507: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
037508: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

037509: Jan 19 14:31:40.625 GMT: ISAKMP (9027): received packet from X.X.X.XSONIC_IP dport 500 sport 500 Global (R) QM_IDLE
037510: Jan 19 14:31:40.625 GMT: ISAKMP: set new node -316431164 to QM_IDLE
037511: Jan 19 14:31:40.625 GMT: ISAKMP:(9027): processing HASH payload. message ID = 3978536132
037512: Jan 19 14:31:40.625 GMT: ISAKMP:(9027): processing SA payload. message ID = 3978536132
037513: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):Checking IPSec proposal 1
037514: Jan 19 14:31:40.625 GMT: ISAKMP: transform 1, ESP_AES
037515: Jan 19 14:31:40.625 GMT: ISAKMP:   attributes in transform:
037516: Jan 19 14:31:40.625 GMT: ISAKMP:      SA life type in seconds
037517: Jan 19 14:31:40.625 GMT: ISAKMP:      SA life duration (basic) of 28800
037518: Jan 19 14:31:40.625 GMT: ISAKMP:      group is 2
037519: Jan 19 14:31:40.625 GMT: ISAKMP:      encaps is 1 (Tunnel)
037520: Jan 19 14:31:40.625 GMT: ISAKMP:      authenticator is HMAC-SHA
037521: Jan 19 14:31:40.625 GMT: ISAKMP:      key length is 128
037522: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):atts are acceptable.
037523: Jan 19 14:31:40.625 GMT: IPSEC(validate_proposal_request): proposal part #1
037524: Jan 19 14:31:40.625 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= X.X.X.XCISCO_IP:0, remote= X.X.X.XSONIC_IP:0,
    local_proxy= 10.134.0.0/255.255.0.0/256/0,
    remote_proxy= 10.91.0.0/255.255.0.0/256/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
037525: Jan 19 14:31:40.625 GMT: IPSEC(ipsec_process_proposal): proxy identities not supported
037526: Jan 19 14:31:40.629 GMT: ISAKMP:(9027): IPSec policy invalidated proposal with error 32
037527: Jan 19 14:31:40.629 GMT: ISAKMP:(9027): phase 2 SA policy not acceptable! (local 31.221.0.183 remote 217.37.59.141)
037528: Jan 19 14:31:40.629 GMT: ISAKMP: set new node -385849214 to QM_IDLE
037529: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 352979056, message ID = 3909118082
037530: Jan 19 14:31:40.629 GMT: ISAKMP:(9027): sending packet to X.X.X.XSONIC_IP my_port 500 peer_port 500 (R) QM_IDLE
037531: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Sending an IKE IPv4 Packet.
037532: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):purging node -385849214
037533: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):deleting node -316431164 error TRUE reason "QM rejected"
037534: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Node 3978536132, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
037535: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Old State = IKE_QM_READY  New State = IKE_QM_READY
037536: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):DPD/R_U_THERE received from peer X.X.X.XSONIC_IP, sequence 0x55801499
037537: Jan 19 14:31:40.629 GMT: ISAKMP: set new node 615208875 to QM_IDLE
037538: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 352979704, message ID = 615208875
037539: Jan 19 14:31:40.629 GMT: ISAKMP:(9027): seq. no 0x55801499
037540: Jan 19 14:31:40.629 GMT: ISAKMP:(9027): sending packet to X.X.X.XSONIC_IP my_port 500 peer_port 500 (R) QM_IDLE
037541: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Sending an IKE IPv4 Packet.
037542: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):purging node 615208875

Hi Philip,

Yes, I am confused, as they said they have allowed on the Sonic firewall:

---------------------------------------------SONIC------------------------------------------------

VPN connection from; Cisco_GATEWAY  on remote LANS; 10.134.206.0 - 10.134.206.255 and 192.168.156.0 - 192.168.156.255 to local LAN; 10.91.0.0 – 10.91.255.255

And then the firewall rules state;

Allow VPN (remote lan) > LAN (local lan) Service; all

Allow LAN (local lan) > VPN (remote lan) service; all

------------------------------end -------------------------------------------------------------------------

Am I supposed to be NATing to my gateway or to my Cisco interface IP on Gig 0/0?

Cisco config :-

-----------------------------------------------------------------------------------

interface GigabitEthernet0/0
 description Outside Interface External
 ip address CISCO_IP 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map crypto-map
!
interface GigabitEthernet0/1
 description inside interface to LAN
 ip address 10.134.246.235 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip nat outside source static 10.0.0.0 10.91.1.0

ip route 0.0.0.0 0.0.0.0 CISCO_GATEWAY
ip route 10.0.0.0 255.0.0.0 10.134.246.253
ip route 10.91.1.40 255.255.255.255 CISCO_GATEWAY
ip route 10.91.1.60 255.255.255.255 CISCO_GATEWAY
!
ip access-list extended crypto_map_SONIC
 permit ip host CISCO_GATEWAY host 10.91.1.40
 permit ip host CISCO_GATEWAY host 10.91.1.60

ip access-list extended vpn_acl
 permit icmp any any
 deny   tcp any host CISCO_IP eq telnet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any

They have it setup wrong.  The remote LANS are not 10.134.206.0 and 10.134.206/42.  It is simply your public IP address.

Hi Philip,

The tunnel is up but I still can't ping host 10.91.1.60.

interface GigabitEthernet0/0
 description Outside Interface External
 ip address CISCO_INTERFACE_IP 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map crypto-map
!
interface GigabitEthernet0/1
 description inside interface to LAN
 ip address 10.134.246.235 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!

!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat outside source static 10.0.0.0 10.91.1.0
ip route 0.0.0.0 0.0.0.0 CISCO_GATEWAY_IP
ip route 10.0.0.0 255.0.0.0 10.134.246.253
ip route 10.91.1.40 255.255.255.255 CISCO_GATEWAY_IP
ip route 10.91.1.60 255.255.255.255 CISCO_GATEWAY_IP
!
ip access-list extended crypto_map_SWIFT
 permit ip host CISCO_GATEWAY_IP 10.91.0.0 0.0.255.255

040207: Jan 20 12:05:51.063 GMT: IPSEC(validate_proposal_request): proposal part #1
040208: Jan 20 12:05:51.063 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= CISCO_INTERFACE_IP:0, remote= SONICFW_IP:0,
    local_proxy= CISCO_INTERFACE_IP/255.255.255.255/256/0,
    remote_proxy= 10.91.0.0/255.255.0.0/256/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
040209: Jan 20 12:05:51.063 GMT: Crypto mapdb : proxy_match
        src addr     : CISCO_INTERFACE_IP
        dst addr     : 10.91.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
040210: Jan 20 12:05:51.063 GMT: Crypto mapdb : proxy_match
        src addr     : CISCO_INTERFACE_IP
        dst addr     : 10.91.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
040211: Jan 20 12:05:51.063 GMT: map_db_find_best did not find matching map
040212: Jan 20 12:05:51.063 GMT: IPSEC(ipsec_process_proposal): proxy identities not supported
DC-MAB-01#
SO040213: Jan 20 12:05:51.063 GMT: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:SONICFW_IP local_id:SONICFW_IP remote:CISCO_INTERFACE_IP remote_id:CISCO_INTERFACE_IP IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1

Check the phase 1 and phase 2 crypto settings. There is a mismatch somewhere.

Otherwise post a log with both of the below turned on:

debug crypto isakmp
debug crypto ipsec

Your encryption domain is just your public IP address with a /32 prefix (255.255.255.255).

Their encryption domain is:

10.91.1.40/32
10.91.1.60/32

If they can't manage that, then get them to make their encryption domain 10.91.1.0/24 and the ASA will negotiate it down.
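The "proxy identities not supported" rejection in the debug above is the router comparing the proxy IDs the SonicWall proposes against its own crypto ACL. As an added illustration (not code from the thread or from Cisco), this script pulls the local_proxy/remote_proxy values out of the IOS IPSEC(validate_proposal_request) lines and checks whether any ACE in the crypto ACL covers them; the public IP 203.0.113.10 is a hypothetical stand-in for the redacted CISCO_GATEWAY placeholder, and the debug text is a constructed sample modelled on the first log in this thread.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's first debug: the SonicWall (initiator)
# proposes 10.134.0.0/16 <-> 10.91.0.0/16 and the IOS responder rejects it.
SAMPLE_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= CISCO_IP:0, remote= SONIC_IP:0,
    local_proxy= 10.134.0.0/255.255.0.0/256/0,
    remote_proxy= 10.91.0.0/255.255.0.0/256/0,
IPSEC(ipsec_process_proposal): proxy identities not supported
"""

# The router's crypto ACL from the thread, with a hypothetical public IP (TEST-NET-3)
# standing in for the redacted CISCO_GATEWAY placeholder.
CRYPTO_ACL = [("203.0.113.10/32", "10.91.1.40/32"),
              ("203.0.113.10/32", "10.91.1.60/32")]

PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/")


def parse_proxies(debug_text):
    """Extract the (local, remote) proxy identities from an IOS IPSEC debug."""
    found = {}
    for side, addr, mask in PROXY_RE.findall(debug_text):
        # IOS prints dotted netmasks; ip_network accepts "addr/mask" directly.
        found[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return found["local"], found["remote"]


def matching_ace(local_net, remote_net, acl):
    """Return the first ACE whose (src, dst) covers the proposed proxies, else None.
    Equal or narrower proposals are covered; a wider proposal (as in the sample) never is."""
    for src, dst in acl:
        if (local_net.subnet_of(ipaddress.ip_network(src))
                and remote_net.subnet_of(ipaddress.ip_network(dst))):
            return (src, dst)
    return None


def diagnose(debug_text, acl):
    """Summarise a Quick Mode rejection: what the peer sent and whether any ACE covers it."""
    local_net, remote_net = parse_proxies(debug_text)
    ace = matching_ace(local_net, remote_net, acl)
    return {"peer_local": str(local_net), "peer_remote": str(remote_net),
            "ace": ace, "mismatch": ace is None}


if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG, CRYPTO_ACL))
```

Feed it the real debug output and the real ACL and a mismatch result tells you which side's encryption domain to change before touching phase 1 settings.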

Hi Philip,

No, still can't ping from 10.134.206.1 to 10.91.1.40 and the tunnel won't come up.

interface Loopback0
 ip address 192.168.156.1 255.255.255.0
!

interface GigabitEthernet0/0
 description Outside Interface External
 ip address CISCO_GATEWAY 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map crypto-map
!
interface GigabitEthernet0/1
 description inside interface to LAN
 ip address 10.134.246.235 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat outside source static 10.0.0.0 10.91.1.0
ip route 0.0.0.0 0.0.0.0 CISCO_GATEWAY
ip route 10.0.0.0 255.0.0.0 10.134.246.253
!
ip access-list extended crypto_map_SONIC
 permit ip host 192.168.156.6 host 10.91.1.40
 permit ip host 192.168.156.6 host 10.91.1.60

Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.91.1.0          10.0.0.0

Crypto Map IPv4 "crypto-map" 10 ipsec-isakmp
        Peer = SONIC_FIREWALL_IP
        Extended IP access list crypto_map_SONIC
            access-list crypto_map_SONIC permit ip host 192.168.156.6 host 10.91.1.40
            access-list crypto_map_SONIC permit ip host 192.168.156.6 host 10.91.1.60
        Current peer: SONIC_FIREWALL_IP
        Security association lifetime: 4608000 kilobytes/18000 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                SWIFT:  { esp-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map crypto-map:
                GigabitEthernet0/0
