Peer IP inside encryption domain - routers

Hello,

 

I have an interesting question, as I have been fighting with this for the past few days.

Topology is as following

SITE1 - EDGE_SITE1 - ISP - EDGE_SITE2 - SITE2

Site 2 wants all its traffic NAT'ed and sent over the Site-to-Site VPN (IKEv1).

So for Site 1, the VPN configuration will have the peer IP of Site 2 inside the interesting-traffic access list.

After configuration, I was able to establish the VPN between the sites and was able to reach SITE1 from SITE2.

But from SITE1 I cannot reach SITE2: I am able to send traffic over the VPN tunnel, but I am reaching EDGE_SITE2 only...?

My config is following:

SITE2#sh run int gi1
Building configuration...

Current configuration : 87 bytes
!
interface GigabitEthernet1
ip address 10.0.4.4 255.255.255.0
negotiation auto
end

ip route 0.0.0.0 0.0.0.0 GigabitEthernet1

 

EDGE_SITE2:

EDGE_SITE2#sh run int gi1
Building configuration...

Current configuration : 102 bytes
!
interface GigabitEthernet1
ip address 10.0.4.3 255.255.255.0
ip nat inside
negotiation auto
end

EDGE_SITE2#sh run int gi3
Building configuration...

Current configuration : 153 bytes
!
interface GigabitEthernet3
ip address 30.30.30.2 255.255.255.252
ip nat outside
negotiation auto
crypto map SDM_CMAP_1
ip virtual-reassembly
end

 

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 20.20.20.2
!
!
crypto ipsec transform-set Router-IPSEC esp-des esp-sha-hmac
mode tunnel

 

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to20.20.20.2
set peer 20.20.20.2
set transform-set Router-IPSEC
match address 100
reverse-route

 

router eigrp 100
network 30.0.0.0
eigrp stub receive-only
!
!
virtual-service csr_mgmt
!
ip nat pool INT 10.0.4.4 10.0.4.4 prefix-length 30
ip nat inside source list 180 interface GigabitEthernet3 
ip nat outside source list 170 pool INT
ip forward-protocol nd

 

access-list 100 permit ip host 30.30.30.2 10.0.1.0 0.0.0.255
access-list 170 permit ip host 10.0.1.1 host 30.30.30.2 log
access-list 180 permit ip host 10.0.4.4 host 10.0.1.1 log
access-list 199 deny eigrp any any
access-list 199 permit ip any any
!

 

EDGE_SITE1:

 

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 30.30.30.2
!
!
crypto ipsec transform-set Router-IPSEC esp-des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to30.30.30.2
set peer 30.30.30.2
set transform-set Router-IPSEC
match address 100
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
ip address 10.0.1.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 20.20.20.2 255.255.255.252
negotiation auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
!
router eigrp 100
network 20.0.0.0
eigrp stub receive-only
!
!
virtual-service csr_mgmt
!
ip nat inside source route-map nonat interface GigabitEthernet2 overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip 10.0.1.0 0.0.0.255 host 30.30.30.2
access-list 110 deny ip 10.0.1.0 0.0.0.255 host 30.30.30.2
access-list 110 permit ip any any
!
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
!
!
!
!
!
SITE1:

interface GigabitEthernet1
ip address 10.0.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1
!
!
!
!
!
control-plane
!
!
!
!

 

 

Verification:

 

 

SITE2#telnet 10.0.1.1
Trying 10.0.1.1 ... Open


User Access Verification

Password:
Password:
SITE1>

 

 

SITE1#telnet 30.30.30.2 (EDGE_SITE2 - I have an access-list blocking telnet to this device for better verification)
Trying 30.30.30.2 ...
% Connection refused by remote host

SITE1#

 

EDGE_SITE2#
*Oct 10 11:53:06.731: %SEC-6-IPACCESSLOGS: list 1 denied 10.0.1.1 1 packet
EDGE_SITE2#

 

 

So the question is: can I put the peer IP inside the access-list for encrypted traffic, and how can I NAT it so that it will be destined to my SITE2 router after decryption?

 

I really like the posts of the engineers below; maybe you would be able to help me with this question and finally confirm whether this can be done or not?

@Marcin Latosiewicz  and @Jouni Forss 

 

VIP Advocate

Re: Peer IP inside encryption domain - routers

What are you trying to accomplish with the following commands at Site2?  If possible please remove this NAT statement.  I believe this NAT statement might be messing with the return traffic.

ip nat pool INT 10.0.4.4 10.0.4.4 prefix-length 30

ip nat outside source list 170 pool INT

access-list 170 permit ip host 10.0.1.1 host 30.30.30.2 log

 

I suppose you have applied the ACL to limit telnet traffic on 10.0.4.4 device?  Could you post the relevant config for this?

--
Please remember to rate and select a correct answer
Beginner

Re: Peer IP inside encryption domain - routers

Hello,

I am trying to set up a VPN tunnel between two Cisco routers where one of them is using the peer IP as the peering IP for IKEv1, and I am also trying to NAT all inside traffic to the peer IP and use it inside the VPN encryption tunnel. So if you look at the crypto map of Site 1, I have the peer IP there inside the access list for crypto traffic. The question is: can I set up a VPN tunnel passing traffic inside using the peer IP on one site and an inside IP on the other site?
VIP Advocate

Re: Peer IP inside encryption domain - routers

Since you are using dynamic NAT you will only be able to access site1 from site2 (you will NOT be able to access site2 from site1). If you want to access site2 from site1 you need to configure a static one-to-one NAT.

Site2 NAT configuration

access-list 180 permit ip host 10.0.4.4 host 10.0.1.1 log
ip nat pool INT 30.30.30.2 30.30.30.2 prefix-length 32
ip nat inside source list 180 pool INT

 

Configuration at Site1 looks OK.

 

 

--
Please remember to rate and select a correct answer
Beginner

Re: Peer IP inside encryption domain - routers

Hello,

 

Marius, thanks a lot. I did change from dynamic NAT to static and it worked, but in a weird way.

So when I have an established VPN session and then add that static NAT, it works.

 

My screen scraping:

 

EDGE_SITE2(config)#do sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
30.30.30.2 20.20.20.2 QM_IDLE 1003 ACTIVE
20.20.20.2 30.30.30.2 QM_IDLE 1002 ACTIVE

IPv6 Crypto ISAKMP SA

EDGE_SITE2(config)#
EDGE_SITE2(config)#do sh crypto ipse
EDGE_SITE2(config)#do sh crypto ipsec sa

interface: GigabitEthernet3
Crypto map tag: SDM_CMAP_1, local addr 30.30.30.2

protected vrf: (none)
local ident (addr/mask/prot/port): (30.30.30.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
current_peer 20.20.20.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 30, #pkts encrypt: 30, #pkts digest: 30
#pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 30.30.30.2, remote crypto endpt.: 20.20.20.2
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEtherne
current outbound spi: 0xA34ED378(2739852152)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x6EB8ABDB(1857596379)

EDGE_SITE2(config)

 

EDGE_SITE1#sh crypto session
Crypto session current status

Interface: GigabitEthernet2
Session status: UP-ACTIVE
Peer: 30.30.30.2 port 500
Session ID: 0
IKEv1 SA: local 20.20.20.2/500 remote 30.30.30.2/500 Active
Session ID: 0
IKEv1 SA: local 20.20.20.2/500 remote 30.30.30.2/500 Active
IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 host 30.30.30.2
Active SAs: 4, origin: crypto map

EDGE_SITE1#
EDGE_SITE1#

EDGE_SITE1#sh crypto ipsec sa

interface: GigabitEthernet2
Crypto map tag: SDM_CMAP_1, local addr 20.20.20.2

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (30.30.30.2/255.255.255.255/0/0)
current_peer 30.30.30.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 187, #pkts encrypt: 187, #pkts digest: 187
#pkts decaps: 194, #pkts decrypt: 194, #pkts verify: 194
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 20.20.20.2, remote crypto endpt.: 30.30.30.2
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0xCF1E0FD9(3474853849)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xFBD5AD4F(4225084751)

EDGE_SITE1#


SITE1#telnet 30.30.30.2
Trying 30.30.30.2 ... Open


User Access Verification

Password:
Password:
SITE2>
SITE2>


SITE2#traceroute 10.0.1.1
Type escape sequence to abort.
Tracing the route to 10.0.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.4.1 3 msec 3 msec 2 msec
2 20.20.20.2 4 msec 15 msec 4 msec
3 10.0.1.1 6 msec 8 msec *
SITE2#

 

 

 

 

Now, after I disconnected the VPN, I tried to make Site 2 or Site 1 initiate traffic so the VPN would be established.
EDGE_SITE2#sh crypto session
Crypto session current status

Interface: GigabitEthernet3
Session status: DOWN
Peer: 20.20.20.2 port 500
IPSEC FLOW: permit ip host 30.30.30.2 10.0.1.0/255.255.255.0
Active SAs: 0, origin: crypto map

EDGE_SITE2#
EDGE_SITE2#

EDGE_SITE1#sh crypto session
Crypto session current status

Interface: GigabitEthernet2
Session status: DOWN
Peer: 30.30.30.2 port 500
IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 host 30.30.30.2
Active SAs: 0, origin: crypto map

EDGE_SITE2#sh crypto session
Crypto session current status

Interface: GigabitEthernet3
Session status: DOWN-NEGOTIATING
Peer: 20.20.20.2 port 500
Session ID: 0
IKEv1 SA: local 30.30.30.2/500 remote 20.20.20.2/500 Inactive
IPSEC FLOW: permit ip host 30.30.30.2 10.0.1.0/255.255.255.0
Active SAs: 0, origin: crypto map

EDGE_SITE2#
EDGE_SITE2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 30.30.30.2 10.0.4.4 --- ---
icmp 30.30.30.2:0 10.0.4.4:0 20.20.20.2:0 20.20.20.2:0
udp 30.30.30.2:49236 10.0.4.4:49236 10.0.1.1:33442 10.0.1.1:33442
udp 30.30.30.2:49237 10.0.4.4:49237 10.0.1.1:33443 10.0.1.1:33443
udp 30.30.30.2:500 10.0.4.4:500 20.20.20.2:500 20.20.20.2:500
udp 30.30.30.2:49233 10.0.4.4:49233 10.0.1.1:33439 10.0.1.1:33439
udp 30.30.30.2:49235 10.0.4.4:49235 10.0.1.1:33441 10.0.1.1:33441
udp 30.30.30.2:49234 10.0.4.4:49234 10.0.1.1:33440 10.0.1.1:33440
udp 30.30.30.2:49232 10.0.4.4:49232 10.0.1.1:33438 10.0.1.1:33438
udp 30.30.30.2:49231 10.0.4.4:49231 10.0.1.1:33437 10.0.1.1:33437
Total number of translations: 10

EDGE_SITE2#
EDGE_SITE2#

 

EDGE_SITE1#sh ip nat translations
Total number of translations: 0

EDGE_SITE1#

EDGE_SITE1#sh crypto session
Crypto session current status

Interface: GigabitEthernet2
Session status: DOWN-NEGOTIATING
Peer: 30.30.30.2 port 500
Session ID: 0
IKEv1 SA: local 20.20.20.2/500 remote 30.30.30.2/500 Inactive
Session ID: 0
IKEv1 SA: local 20.20.20.2/500 remote 30.30.30.2/500 Inactive
IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 host 30.30.30.2
Active SAs: 0, origin: crypto map

EDGE_SITE1#
EDGE_SITE1#


SITE1#traceroute 30.30.30.2
Type escape sequence to abort.
Tracing the route to 30.30.30.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.1.2 3 msec 4 msec 1 msec
2 * * *
3 * * *
4 * * *
5 *

 

 

 

After removing the NAT command on EDGE_SITE2:

EDGE_SITE2#
*Oct 14 04:24:13.797: %SYS-5-CONFIG_I: Configured from console by consolesh
EDGE_SITE2#sh run | s nat
ip nat inside
ip nat outside
ip nat pool INT 30.30.30.2 30.30.30.2 prefix-length 30
ip nat inside source static 10.0.4.4 interface GigabitEthernet3
EDGE_SITE2#
EDGE_SITE2#no ip nat ins
EDGE_SITE2#no ip nat insd
EDGE_SITE2#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
EDGE_SITE2(config)#no ip nat ins
EDGE_SITE2(config)#no ip nat inside sou
EDGE_SITE2(config)#no ip nat inside source st
EDGE_SITE2(config)#no ip nat inside source static 10.0.4.4 int gi3
EDGE_SITE2(config)#
EDGE_SITE2(config)#


EDGE_SITE2#sh crypto session
Crypto session current status

Interface: GigabitEthernet3
Session status: UP-ACTIVE
Peer: 20.20.20.2 port 500
Session ID: 0
IKEv1 SA: local 30.30.30.2/500 remote 20.20.20.2/500 Active
IPSEC FLOW: permit ip host 30.30.30.2 10.0.1.0/255.255.255.0
Active SAs: 2, origin: crypto map

EDGE_SITE2#
EDGE_SITE2#

EDGE_SITE2#sh crypto ipsec sa

interface: GigabitEthernet3
Crypto map tag: SDM_CMAP_1, local addr 30.30.30.2

protected vrf: (none)
local ident (addr/mask/prot/port): (30.30.30.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
current_peer 20.20.20.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 30.30.30.2, remote crypto endpt.: 20.20.20.2
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet3
current outbound spi: 0xC0A6D97B(3232160123)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD756F75A(3612800858)

EDGE_SITE2#


SITE2#traceroute 10.0.1.1
Type escape sequence to abort.
Tracing the route to 10.0.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.4.1 10 msec 2 msec 1 msec
2 * * *
3 * * *
4 * * *
5 * *
SITE2#

 

EDGE_SITE1#sh crypto ipsec sa

interface: GigabitEthernet2
Crypto map tag: SDM_CMAP_1, local addr 20.20.20.2

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (30.30.30.2/255.255.255.255/0/0)
current_peer 30.30.30.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 20.20.20.2, remote crypto endpt.: 30.30.30.2
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0xD756F75A(3612800858)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xC0A6D97B(3232160123)

EDGE_SITE1#

 

SITE1#traceroute 30.30.30.2
Type escape sequence to abort.
Tracing the route to 30.30.30.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.1.2 10 msec 12 msec 1 msec
2 30.30.30.2 5 msec 7 msec *
SITE1#telnet 30.30.30.2
Trying 30.30.30.2 ...
% Connection refused by remote host

 

 

Once my VPN is established I put back the NAT statement:


EDGE_SITE2(config)#
EDGE_SITE2(config)# ip nat inside source static 10.0.4.4 int gi3
EDGE_SITE2(config)#
EDGE_SITE2(config)#exit


SITE2#traceroute 10.0.1.1
Type escape sequence to abort.
Tracing the route to 10.0.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.4.1 6 msec 3 msec 2 msec
2 20.20.20.2 11 msec 11 msec 3 msec
3 10.0.1.1 7 msec 17 msec *
SITE2#

 

SITE1#telnet 30.30.30.2
Trying 30.30.30.2 ... Open

 

User Access Verification

Password:
Password:
SITE2>
SITE2>

 

 

 

Everything works.... I feel I am still missing something; I will add the config for EDGE_SITE2.

version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname EDGE_SITE2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no process cpu autoprofile hog
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!

!
spanning-tree extend system-id
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 20.20.20.2
!
!
crypto ipsec transform-set Router-IPSEC esp-des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to20.20.20.2
set peer 20.20.20.2
set transform-set Router-IPSEC
match address 100
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1
ip address 10.0.4.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3
ip address 30.30.30.2 255.255.255.252
ip nat outside
negotiation auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
!
router eigrp 100
network 30.0.0.0
eigrp stub receive-only
!
!
virtual-service csr_mgmt
!
ip nat pool INT 30.30.30.2 30.30.30.2 prefix-length 30
ip nat inside source static 10.0.4.4 interface GigabitEthernet3
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
access-list 1 deny any
access-list 100 permit ip host 30.30.30.2 10.0.1.0 0.0.0.255
access-list 170 permit ip host 10.0.1.1 host 30.30.30.2 log
access-list 180 permit ip host 10.0.4.4 host 10.0.1.1 log
access-list 199 deny eigrp any any
access-list 199 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0
access-class 1 in
login
line vty 1
access-class 1 in
login
length 0
line vty 2 4
access-class 1 in
login
!
!
end

EDGE_SITE2#
EDGE_SITE2#

 

 

 

I really appreciate all your help.

 

VIP Advocate

Re: Peer IP inside encryption domain - routers

I am not sure I understand what you mean you are "missing".

When you remove the NAT statement you are no longer matching the source IP on your interesting traffic 

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to20.20.20.2
 set peer 20.20.20.2
 set transform-set Router-IPSEC
 match address 100

 

access-list 100 permit ip host 30.30.30.2 10.0.1.0 0.0.0.255

--
Please remember to rate and select a correct answer
Beginner

Re: Peer IP inside encryption domain - routers

What I mean about missing something is regarding the NAT statement.

As I mentioned in my previous post, the static NAT that you suggested setting up for bi-directional traffic works as long as the VPN is established by other means (e.g. Site 1 initiates traffic), but when I bring down the VPN tunnel and still leave the static NAT configured, the VPN cannot be established from either site. What is interesting is that I see ISAKMP packets (ESP 500) in the NAT table, as I showed in my previous post:

 

EDGE_SITE2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 30.30.30.2 10.0.4.4 --- ---
icmp 30.30.30.2:0 10.0.4.4:0 20.20.20.2:0 20.20.20.2:0
udp 30.30.30.2:49236 10.0.4.4:49236 10.0.1.1:33442 10.0.1.1:33442
udp 30.30.30.2:49237 10.0.4.4:49237 10.0.1.1:33443 10.0.1.1:33443
udp 30.30.30.2:500 10.0.4.4:500 20.20.20.2:500 20.20.20.2:500
udp 30.30.30.2:49233 10.0.4.4:49233 10.0.1.1:33439 10.0.1.1:33439
udp 30.30.30.2:49235 10.0.4.4:49235 10.0.1.1:33441 10.0.1.1:33441
udp 30.30.30.2:49234 10.0.4.4:49234 10.0.1.1:33440 10.0.1.1:33440
udp 30.30.30.2:49232 10.0.4.4:49232 10.0.1.1:33438 10.0.1.1:33438
udp 30.30.30.2:49231 10.0.4.4:49231 10.0.1.1:33437 10.0.1.1:33437
Total number of translations: 10

 

So I am thinking either my NAT statements are wrong and I am missing another NAT statement, or this is the Cisco router order of operations and it is not possible to jump over it, and the only workaround is to set up the static NAT after bringing up the VPN tunnel.

 

If you know a working configuration, can you post it? I could try it and let you know if that worked.
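
The behaviour described in this post (IKE on UDP/500 turning up in the NAT table, and, later in the thread, the EIGRP neighbour to the ISP router dropping) can be reasoned about as the IOS outside-to-inside NAT step running before the router decides whether a packet is addressed to itself. The Python model below is an added example, not code from this thread or from Cisco; the packet set, the unicast-EIGRP assumption and the port-scoped static PAT alternative (not tested in the thread) are constructed.

```python
"""Model of the IOS NAT order of operations on an 'ip nat outside' interface.
Added example for illustration; not code from the thread or from Cisco IOS."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str          # "udp", "tcp", "esp", "eigrp"
    src: str
    dst: str
    dport: int = 0      # 0 for protocols without ports


@dataclass
class StaticNat:
    """One 'ip nat inside source static ...' entry."""
    inside_local: str               # e.g. 10.0.4.4 (SITE2)
    inside_global: str              # e.g. 30.30.30.2 (EDGE_SITE2 Gi3 address)
    proto: Optional[str] = None     # None: plain static NAT, all protocols
    port: Optional[int] = None      # None: all ports; set for static PAT

    def matches_inbound(self, pkt: Packet) -> bool:
        """Outside-to-inside direction matches on the packet's destination."""
        return (pkt.dst == self.inside_global
                and (self.proto is None or pkt.proto == self.proto)
                and (self.port is None or pkt.dport == self.port))


def outside_to_inside(pkt: Packet, rules: List[StaticNat],
                      router_ip: str) -> Tuple[str, str]:
    """Disposition of a packet arriving on the outside interface (already
    decrypted if it came through the tunnel). Outside-to-inside NAT runs
    before the router checks whether the destination is its own address, so
    a static entry for the interface address diverts traffic meant for the
    router itself, IKE on UDP/500 included. Returns (disposition, new dst)."""
    for rule in rules:
        if rule.matches_inbound(pkt):
            return ("forwarded", rule.inside_local)
    if pkt.dst == router_ip:
        return ("local", pkt.dst)
    return ("routed", pkt.dst)


# Rule from the thread: ip nat inside source static 10.0.4.4 interface GigabitEthernet3
THREAD_RULE = [StaticNat("10.0.4.4", "30.30.30.2")]
# Assumed alternative, not tested in the thread: static PAT for one service only,
# e.g. ip nat inside source static tcp 10.0.4.4 23 interface GigabitEthernet3 23
PORT_RULE = [StaticNat("10.0.4.4", "30.30.30.2", proto="tcp", port=23)]

# Constructed packets arriving on EDGE_SITE2 Gi3 (addresses from the thread).
# The EIGRP packet is assumed to be a unicast update/ack to the neighbour address.
ARRIVALS: Dict[str, Packet] = {
    "ike":    Packet("udp",   "20.20.20.2", "30.30.30.2", 500),
    "esp":    Packet("esp",   "20.20.20.2", "30.30.30.2"),
    "eigrp":  Packet("eigrp", "30.30.30.1", "30.30.30.2"),
    "telnet": Packet("tcp",   "10.0.1.1",   "30.30.30.2", 23),
}


def disposition(rules: List[StaticNat], router_ip: str = "30.30.30.2") -> Dict[str, str]:
    """Map each constructed packet to 'forwarded', 'local' or 'routed'."""
    return {name: outside_to_inside(p, rules, router_ip)[0]
            for name, p in ARRIVALS.items()}
```

With the plain rule every packet addressed to 30.30.30.2 is pushed to 10.0.4.4, which is what the udp ...:500 entry in the translation table above records; scoping the entry to one port leaves IKE, ESP and EIGRP for the router.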

VIP Advocate

Re: Peer IP inside encryption domain - routers

Could you try changing the prefix in the nat pool to 32 or netmask 255.255.255.255

ip nat pool INT 30.30.30.2 30.30.30.2 netmask 255.255.255.255

and then test again

--
Please remember to rate and select a correct answer
Beginner

Re: Peer IP inside encryption domain - routers

I tried, but I get the following message:

 

EDGE_SITE2(config)# ip nat pool INT 30.30.30.2 30.30.30.2 netmask 255.255.255.254
%Pool INT mask 255.255.255.254 too small; should be at least 255.255.255.252

 

Also interesting: when I had the static NAT

ip nat inside source static 10.0.4.4 interface GigabitEthernet3

 

my EIGRP was not established with the "ISP" router.

 

NAT translation:

 

EDGE_SITE2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 30.30.30.2 10.0.4.4 --- ---
icmp 30.30.30.2:0 10.0.4.4:0 30.30.30.1:0 30.30.30.1:0
--- 30.30.30.2 10.0.4.4 30.30.30.1 30.30.30.1
Total number of translations: 3

 

It seems that it is not possible to establish VPN between two cisco routers when one of the sites translates internal IP addresses to their