VPN with Interface NAT

charlesjp88
Level 1

Hello

I am trying to set up a VPN between a VLAN I have defined and another office. I have been using NAT on the interface for internet access with a NAT pool.

I created the VPN with crypto map and the VPN registers successfully.

The problem I am encountering, is that with the NAT enabled, internet access works but I can't ping across the VPN.

If I disable NAT, the VPN works perfectly, but then the VLAN can't access the internet.

What should I be doing differently?

Here is the config:

Device: 2911 with security pack

Local Network: 10.10.104.0/24

Remote Network: 192.168.1.0/24

Public Range: 65.49.46.68/28

crypto isakmp policy 104
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key REDACTED address 75.76.102.50

crypto ipsec transform-set strongsha esp-3des esp-sha-hmac

crypto map OFFICE 104 ipsec-isakmp
 set peer 75.76.102.50
 set transform-set strongsha
 match address 104

interface GigabitEthernet0/0
 ip address 65.49.46.68 255.255.255.240
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 standby 0 ip 65.49.46.70
 standby 0 timers 2 6
 standby 0 preempt
 crypto map OFFICE redundancy WAN

interface GigabitEthernet0/2.104
 encapsulation dot1Q 104
 ip address 10.10.104.254 255.255.255.0

ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
ip nat inside source list 99 pool wan_access overload

access-list 99 permit 10.10.104.0 0.0.0.255
access-list 104 permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
access-list 104 permit icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255

#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
65.49.46.70     75.76.102.50    QM_IDLE           1299 ACTIVE

Accepted Solution

Hi!

Please make these changes:

ip access-list extended Internet-NAT
 deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.104.0 0.0.0.255 any

ip nat inside source list Internet-NAT pool access-wan overload

*Please do not remove the old NAT statement until you have added the one above.

Please keep me posted.

Thanks!

Sent from Cisco Technical Support Android App


9 Replies


Just to verify, this is replacing access-list 99?

Thanks for the response.

Correct.

Sent from Cisco Technical Support Android App

So I have the following:

interface GigabitEthernet0/2.104
 encapsulation dot1Q 104
 ip address 10.10.104.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly

ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
ip nat inside source list Internet-NAT pool access_wan overload

ip access-list extended Internet-NAT
 deny   ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.104.0 0.0.0.255 any

I took off the ip nat statement that referred to access-list 99 after doing this.

That makes the VPN work, but it doesn't have internet access. (This isn't live for a couple of weeks, so it is not critical yet.)

You should have Internet access; please run "clear ip nat translations *" and send me the "show ip nat translations" output.

Thanks.

It only shows the static entries I have for other things:

edge-1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 65.49.46.78:3391   10.10.1.101:3389   ---                ---
tcp 65.49.46.78:3392   10.10.1.102:3389   ---                ---
tcp 65.49.46.78:22     10.10.1.179:22     ---                ---
tcp 65.49.46.77:6061   10.10.1.180:6061   ---                ---
tcp 65.49.46.77:32004  10.10.1.180:32004  24.96.162.222:62938 24.96.162.222:62938
tcp 65.49.46.77:32004  10.10.1.180:32004  67.32.145.251:49162 67.32.145.251:49162
tcp 65.49.46.77:32004  10.10.1.180:32004  ---                ---
tcp 65.49.46.77:32005  10.10.1.180:32005  ---                ---
tcp 65.49.46.77:32006  10.10.1.180:32006  ---                ---
tcp 65.49.46.77:32007  10.10.1.180:32007  ---                ---
tcp 65.49.46.78:6061   10.10.1.185:6061   ---                ---
tcp 65.49.46.78:32004  10.10.1.185:32004  24.214.205.186:20510 24.214.205.186:20510
tcp 65.49.46.78:32004  10.10.1.185:32004  24.214.205.186:31341 24.214.205.186:31341
tcp 65.49.46.78:32004  10.10.1.185:32004  24.214.205.186:46034 24.214.205.186:46034
tcp 65.49.46.78:32004  10.10.1.185:32004  24.214.205.186:46511 24.214.205.186:46511
tcp 65.49.46.78:32004  10.10.1.185:32004  74.168.66.250:41433 74.168.66.250:41433
tcp 65.49.46.78:32004  10.10.1.185:32004  ---                ---
tcp 65.49.46.78:32005  10.10.1.185:32005  ---                ---
tcp 65.49.46.78:32006  10.10.1.185:32006  ---                ---
tcp 65.49.46.78:32007  10.10.1.185:32007  ---                ---
tcp 65.49.46.78:3390   10.10.1.199:3389   174.56.200.85:49384 174.56.200.85:49384
tcp 65.49.46.78:3390   10.10.1.199:3389   ---                ---
tcp 65.49.46.71:21     10.10.101.11:21    ---                ---
tcp 65.49.46.71:3390   10.10.101.12:3389  ---                ---
tcp 65.49.46.72:22     10.10.102.10:22    ---                ---
tcp 65.49.46.72:443    10.10.102.10:443   ---                ---

Not sure what is different, really, but I got it working like this:

ip access-list extended Internet
 deny   ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any

ip nat inside source list Internet pool wan_access overload

Thanks so much for your help!

I am glad to hear that, but the "permit ip any any" statement may cause issues later on.

Are you coming from a different network than the 104?

It is better to define the networks in question instead of "any".

Thanks for rating the posts.

Sent from Cisco Technical Support Android App

Yes - I have 6 other VLANs and plan on adding many more. I only have 1 WAN interface I'm using for NAT outside, and don't plan on doing any other NATing except for VPNs.
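Why the NAT exemption in the accepted answer is needed, and why the closing reply warns against "permit ip any any", as an added model that is not part of this thread: on IOS, inside-to-outside traffic is checked against the NAT ACL before the crypto map, so a packet translated to the pool address no longer matches crypto ACL 104. The host in another VLAN (10.10.105.10) and the Internet destination (203.0.113.9) are constructed; the ACLs and pool address are the ones posted above.

```python
import ipaddress

# Constructed model of IOS inside-to-outside order of operations:
# NAT ACL first, then the crypto map on the outside interface.
POOL_ADDR = "65.49.46.70"  # the wan_access pool from the question
ANY = "0.0.0.0/0"

def acl_permits(acl, src, dst):
    """Evaluate an ACL given as (action, src_net, dst_net) tuples.
    First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

# access-list 99 from the question (a standard ACL matches on source only)
ACL_99 = [("permit", "10.10.104.0/24", ANY)]
# Internet-NAT from the accepted answer: exempt VPN traffic, NAT the rest
INTERNET_NAT = [("deny", "10.10.104.0/24", "192.168.1.0/24"),
                ("permit", "10.10.104.0/24", ANY)]
# The asker's final "Internet" ACL: the deny only covers VLAN 104, so any
# other inside VLAN is translated, including traffic to the remote office.
INTERNET_ANY = [("deny", "10.10.104.0/24", "192.168.1.0/24"),
                ("permit", ANY, ANY)]
# crypto ACL 104, outbound direction only
CRYPTO_104 = [("permit", "10.10.104.0/24", "192.168.1.0/24")]

def forward(nat_acl, src, dst):
    """Return (source address seen on the wire, encrypted) for one packet
    leaving via Gi0/0 (ip nat outside, crypto map OFFICE)."""
    if acl_permits(nat_acl, src, dst):
        src = POOL_ADDR  # PAT overload: source rewritten to the pool address
    # the crypto map sees the packet only after translation
    return src, acl_permits(CRYPTO_104, src, dst)

if __name__ == "__main__":
    # constructed hosts: one in VLAN 104, one in another inside VLAN
    for name, acl in (("acl 99", ACL_99), ("Internet-NAT", INTERNET_NAT),
                      ("Internet any", INTERNET_ANY)):
        print(name, forward(acl, "10.10.104.10", "192.168.1.5"),
              forward(acl, "10.10.104.10", "203.0.113.9"),
              forward(acl, "10.10.105.10", "192.168.1.5"))
```

With access-list 99 the VPN-bound packet leaves as 65.49.46.70 and is never encrypted, which is exactly the "internet works, VPN does not" symptom in the question.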
