Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1181
Views
5
Helpful
10
Replies

VPN using outside ip with NAT

Go to solution
Freddy Andersen
Level 1
Level 1

‎08-14-2012 11:39 AM

I'm trying to setup a tunnel from our Cisco 5520 to a 5550 using one of our external ips natted through this tunnel. For some reason traffic that should hit this tunnel goes through global nat. Here is the configs I have for this tunnel:

access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4

access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4

access-list Outside_cryptomap_60 extended permit ip host 66.85.99.170 host 1.2.3.4

global (outside) 1 66.77.88.135 netmask 255.255.255.192

static (inside,outside) 66.77.88.170  access-list policy-nat

crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac

crypto map Outside_map 60 match address Outside_cryptomap_60

crypto map Outside_map 60 set peer 200.200.200.200

crypto map Outside_map 60 set transform-set TRANSFORM_SET

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 general-attributes

default-group-policy site2site

tunnel-group 200.200.200.200 ipsec-attributes

pre-shared-key *****

If I ping 1.2.3.4 from a inside ip host I see in the logs that it uses 66.77.88.136 as the NAT and not 66.77.88.170. Do you see something wrong with this configuration?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
abcdrohan
Level 1
Level 1

‎08-14-2012 02:20 PM

You basically have wrong acls in wrong places.

It should be as follows ---->


crypto map Outside_map 60 match address policy-nat

crypto map Outside_map 60 set peer 200.200.200.200

crypto map Outside_map 60 set transform-set TRANSFORM_SET

access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4


static (inside,outside)  66.77.88.170  access-list Outside_cryptomap_60

access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4 ---> this acl doesnt need the 2nd line you have
      

View solution in original post

Go to solution
Karsten Iwen
VIP
VIP
In response to Freddy Andersen

‎08-14-2012 04:25 PM

For that you should use dynamic policy-NAT. There you have the ACL in the "nat"-statement and reference the right natted IP in a global with the nat-id.

Sent from Cisco Technical Support iPad App

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Karsten Iwen
VIP
VIP

‎08-14-2012 01:36 PM

I see two possible problems:

1) The host already has an xlate and so your new config isn't used until the xlate times out or you clear the translation of that host.

2) There are other translation-rules in your config with higher priority.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
abcdrohan
Level 1
Level 1

‎08-14-2012 02:20 PM

You basically have wrong acls in wrong places.

It should be as follows ---->


crypto map Outside_map 60 match address policy-nat

crypto map Outside_map 60 set peer 200.200.200.200

crypto map Outside_map 60 set transform-set TRANSFORM_SET

access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4


static (inside,outside)  66.77.88.170  access-list Outside_cryptomap_60

access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4 ---> this acl doesnt need the 2nd line you have
      

Go to solution
Karsten Iwen
VIP
VIP
In response to abcdrohan

‎08-14-2012 02:35 PM

good find! (5 Stars!). I completely overlooked that. But I wouldn't use the same ACL for policy-NAT and the crypto-definition. It's likely that these will be different sometime in the future for a "living" network.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Freddy Andersen
Level 1
Level 1
In response to abcdrohan

‎08-14-2012 02:57 PM

Great answer but the issue now is with the static since it will overlap my global nat...

fw(config#) static (inside,outside)  66.77.88.170  access-list Outside_cryptomap_60

global address overlaps with mask

0 Helpful

Go to solution
Freddy Andersen
Level 1
Level 1
In response to Freddy Andersen

‎08-14-2012 04:21 PM

I added a direct static to one of my hosts on the internal-network

static (inside,outside) 66.77.88.170 10.21.31.87 netmask 255.255.255.255

and that now works fine. Tunnel got created and traffic is flowing, so i guess we are close. But what I want is the ability to have multiple hosts on our internal-network talk to this host through this tunnel. We have multiple vpn tunnels to different locations and we need all of our internal-network hosts to talk to all of the different tunnels. Is this possible? are we using the wrong strategy?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Freddy Andersen

‎08-14-2012 04:25 PM

For that you should use dynamic policy-NAT. There you have the ACL in the "nat"-statement and reference the right natted IP in a global with the nat-id.

Sent from Cisco Technical Support iPad App

0 Helpful

Go to solution
Freddy Andersen
Level 1
Level 1
In response to Karsten Iwen

‎08-14-2012 04:47 PM

I have this for nat now:

global (outside) 1 66.77.88.135 netmask 255.255.255.192

nat (inside) 0 access-list nonat10

nat (inside) 1 0.0.0.0 0.0.0.0

nat (mgmt) 0 access-list nonat10

nat (mgmt) 1 0.0.0.0 0.0.0.0

so will this be something like this:

nat (inside) 2 10.21.30.0 255.255.254.0

global (outside) 2 66.77.88.170

and then I just add nat (inside) 3 and 4 and 5 for each extra tunnel ? (with matching global)

0 Helpful

Go to solution
Freddy Andersen
Level 1
Level 1
In response to Freddy Andersen

‎08-14-2012 05:20 PM

after some testing this works!

access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4

access-list policy-nat extended permit ip inside-network 255.255.254.0 host 1.2.3.4

global (outside) 2 66.77.88.170 netmask 255.255.255.0

nat (inside) 2 access-list Outside_cryptomap_60

crypto map Outside_map 60 match address policy-nat

Are there any recommendations for why we should not do this?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Freddy Andersen

‎08-14-2012 11:14 PM

I think there is something going wrong. First your config is a little bit confusing as you use an ACL with "policy-nat" in the name for crypto and an ACL with "crypto" in the name for policy-nat. Thats not a good naming-convention if you later start troubleshooting at 2:00am ...

But your policy-nat should work that way and your packets should get translated. But your crypto ACL ("policy-nat") matches on the traffic with the real IP and not with the translated IP. So the traffic should not be encrypted.

Your crypto-ACL has to be:

access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Freddy Andersen
Level 1
Level 1
In response to Karsten Iwen

‎08-15-2012 09:49 AM

Thanks! I flipped the two access-list so that the outside 66.77.88.170 address is now in my Cryptomap and the internal-network subnet is in my policy-nat. My configuration now looks cleaner and most importantly; it works I'm going to add one more of these on a seperate ip like 66.77.88.171 and see if that works but I'm sure that will work at this point.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents