05-23-2012 07:52 AM
Hello
I am trying to set up a VPN between a VLAN I have defined and another office. I have been using NAT on the interface for internet access with a NAT pool.
I created the VPN with crypto map and the VPN registers successfully.
The problem I am encountering, is that with the NAT enabled, internet access works but I can't ping across the VPN.
If I disable NAT, the VPN works perfectly, but then the VLAN can't access the internet.
What should I be doing differently?
Here is the config:
Device: 2911 with security pack
Local Network: 10.10.104.0/24
Remote Network: 192.168.1.0/24
Public Range: 65.49.46.68/28
crypto isakmp policy 104
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key REDACTED address 75.76.102.50
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map OFFICE 104 ipsec-isakmp
set peer 75.76.102.50
set transform-set strongsha
match address 104
interface GigabitEthernet0/0
ip address 65.49.46.68 255.255.255.240
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex full
speed 100
standby 0 ip 65.49.46.70
standby 0 timers 2 6
standby 0 preempt
crypto map OFFICE redundancy WAN
interface GigabitEthernet0/2.104
encapsulation dot1Q 104
ip address 10.10.104.254 255.255.255.0
ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
ip nat inside source list 99 pool wan_access overload
access-list 99 permit 10.10.104.0 0.0.0.255
access-list 104 permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
access-list 104 permit icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
65.49.46.70 75.76.102.50 QM_IDLE 1299 ACTIVE
05-23-2012 12:03 PM
Hi!
Please make these changes:
ip access-list extended Internet-NAT
deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.104.0 0.0.0.255 any
ip nat inside source list Internet-NAT pool access-wan overload
*please do not remove the old NAT instance until you add the one above.
Please keep me posted.
Thanks!
Sent from Cisco Technical Support Android App
05-23-2012 12:16 PM
Just to verify, this is replacing access-list 99?
Thanks for the response.
05-23-2012 12:39 PM
Correct.
Sent from Cisco Technical Support Android App
05-23-2012 12:56 PM
So I have the following:
interface GigabitEthernet0/2.104
encapsulation dot1Q 104
ip address 10.10.104.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
ip nat inside source list Internet-NAT pool access_wan overload
ip access-list extended Internet-NAT
deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.104.0 0.0.0.255 any
I took off the ip nat statement that referred to access-list 99 after doing this
That makes the VPN work, but it doesn't have internet access. (This isn't live for a couple weeks, so not critical yet)
05-23-2012 01:29 PM
You should have Internet access, please run the "clear ip nat translations *" and send me the "show ip nat translations" output.
Thanks.
05-23-2012 07:00 PM
It only shows the static entries I have for other things:
edge-1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 65.49.46.78:3391 10.10.1.101:3389 --- ---
tcp 65.49.46.78:3392 10.10.1.102:3389 --- ---
tcp 65.49.46.78:22 10.10.1.179:22 --- ---
tcp 65.49.46.77:6061 10.10.1.180:6061 --- ---
tcp 65.49.46.77:32004 10.10.1.180:32004 24.96.162.222:62938 24.96.162.222:62938
tcp 65.49.46.77:32004 10.10.1.180:32004 67.32.145.251:49162 67.32.145.251:49162
tcp 65.49.46.77:32004 10.10.1.180:32004 --- ---
tcp 65.49.46.77:32005 10.10.1.180:32005 --- ---
tcp 65.49.46.77:32006 10.10.1.180:32006 --- ---
tcp 65.49.46.77:32007 10.10.1.180:32007 --- ---
tcp 65.49.46.78:6061 10.10.1.185:6061 --- ---
tcp 65.49.46.78:32004 10.10.1.185:32004 24.214.205.186:20510 24.214.205.186:20510
tcp 65.49.46.78:32004 10.10.1.185:32004 24.214.205.186:31341 24.214.205.186:31341
tcp 65.49.46.78:32004 10.10.1.185:32004 24.214.205.186:46034 24.214.205.186:46034
tcp 65.49.46.78:32004 10.10.1.185:32004 24.214.205.186:46511 24.214.205.186:46511
tcp 65.49.46.78:32004 10.10.1.185:32004 74.168.66.250:41433 74.168.66.250:41433
tcp 65.49.46.78:32004 10.10.1.185:32004 --- ---
tcp 65.49.46.78:32005 10.10.1.185:32005 --- ---
tcp 65.49.46.78:32006 10.10.1.185:32006 --- ---
tcp 65.49.46.78:32007 10.10.1.185:32007 --- ---
tcp 65.49.46.78:3390 10.10.1.199:3389 174.56.200.85:49384 174.56.200.85:49384
tcp 65.49.46.78:3390 10.10.1.199:3389 --- ---
tcp 65.49.46.71:21 10.10.101.11:21 --- ---
tcp 65.49.46.71:3390 10.10.101.12:3389 --- ---
tcp 65.49.46.72:22 10.10.102.10:22 --- ---
tcp 65.49.46.72:443 10.10.102.10:443 --- ---
05-23-2012 07:21 PM
Not sure what is different really, but I got it working like this:
ip access-list extended Internet
deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip nat inside source list Internet pool wan_access overload
Thanks so much for your help!
05-23-2012 09:51 PM
I am glad to hear that, but the "ip any any" statement may cause issues later on.
Are you coming from a different network than the 104?
it is better to define the networks in question instead of any
Thanks for rating the posts.
Sent from Cisco Technical Support Android App
05-24-2012 05:01 AM
Yes - I have 6 other VLANs and plan on adding many more. I only have 1 WAN interface I'm using for NAT outside, and don't plan on doing any other NATting except for VPNs.
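Why the accepted answer works, and why the later "permit ip any any" warning matters, comes down to order of operations on the Gi0/0 interface: for inside-to-outside traffic IOS applies NAT before it evaluates the crypto map, so a VPN packet whose source has already been rewritten to 65.49.46.70 no longer matches access-list 104 and leaves the router in the clear (and never reaches 192.168.1.0/24). The deny line at the top of the NAT ACL keeps those packets untranslated so the crypto map still sees 10.10.104.x. The Python below is an added model written for this page, not code from the thread or from Cisco; it parses the three NAT ACLs and the crypto ACL from the posts, evaluates them the way IOS does (first match, implicit deny), and runs a few packets through NAT-then-crypto. The second site (VLAN 101 at 10.10.101.0/24 talking to 192.168.2.0/24) and the 8.8.8.8 Internet destination are constructed for the demonstration and are not part of the original configuration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_net(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network (contiguous masks only)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    mask = ~wild & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _take_addr(tokens):
    """Consume one source/destination spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_net(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse standard ('permit A W') and extended ('permit ip SRC DST') ACEs.
    Protocol keywords are accepted but ignored: only addresses matter for this model."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        action, rest = tokens[0], tokens[1:]
        if rest[0] in ("ip", "icmp", "tcp", "udp"):
            rest = rest[1:]
        src, rest = _take_addr(rest)
        dst = ANY
        if rest:
            dst, rest = _take_addr(rest)
        entries.append((action, src, dst))
    return entries


def acl_permits(entries, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def egress(src, dst, nat_acl, nat_global_ip, crypto_acl):
    """Inside-to-outside path on the NAT-outside / crypto-map interface:
    NAT runs first, then the crypto map is matched against the translated packet.
    Returns (source address as it leaves the router, whether IPsec protects it)."""
    if acl_permits(nat_acl, src, dst):
        src = nat_global_ip
    return src, acl_permits(crypto_acl, src, dst)


POOL_IP = "65.49.46.70"  # the single address in pool wan_access

# Crypto ACL 104 from the thread (the mirrored / icmp lines add nothing for this model).
CRYPTO_ACL = parse_acl("permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255")

# Original access-list 99: everything from VLAN 104 is translated, VPN traffic included.
NAT_ORIGINAL = parse_acl("permit 10.10.104.0 0.0.0.255")

# Accepted answer: exempt the VPN pair, translate the rest of VLAN 104.
NAT_FIXED = parse_acl("""
deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.104.0 0.0.0.255 any
""")

# OP's final version: anything not explicitly denied gets translated.
NAT_ANY_ANY = parse_acl("""
deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
""")

# Hypothetical second tunnel (assumed, not in the thread): VLAN 101 to a 192.168.2.0/24 site,
# added to the crypto ACL without a matching deny in the NAT ACL.
CRYPTO_ACL_TWO_SITES = CRYPTO_ACL + parse_acl(
    "permit ip 10.10.101.0 0.0.0.255 192.168.2.0 0.0.0.255")


if __name__ == "__main__":
    cases = [
        ("original, VPN ping", "10.10.104.10", "192.168.1.10", NAT_ORIGINAL, CRYPTO_ACL),
        ("fixed, VPN ping", "10.10.104.10", "192.168.1.10", NAT_FIXED, CRYPTO_ACL),
        ("fixed, Internet", "10.10.104.10", "8.8.8.8", NAT_FIXED, CRYPTO_ACL),
        ("any-any, 2nd tunnel", "10.10.101.10", "192.168.2.10", NAT_ANY_ANY, CRYPTO_ACL_TWO_SITES),
        ("fixed, 2nd tunnel", "10.10.101.10", "192.168.2.10", NAT_FIXED, CRYPTO_ACL_TWO_SITES),
    ]
    for name, s, d, nat, crypto in cases:
        print(f"{name:22} {s} -> {d}: leaves as {egress(s, d, nat, POOL_IP, crypto)}")
```

Two things the model makes visible. First, with the original list 99 a ping to 192.168.1.10 leaves the router sourced from 65.49.46.70 and unencrypted, which is exactly the "Internet works, VPN does not" symptom; the deny line restores the untranslated source and the crypto map matches. Second, with "permit ip any any" a tunnel added later for another VLAN is silently NATted and bypasses IPsec unless someone remembers to add its deny line, whereas a NAT ACL scoped to the networks in question simply leaves unknown traffic alone; that is the point behind the suggestion to define the networks instead of any. The model ignores ports and protocols and assumes NAT inside-to-outside precedes the crypto map check, which is the IOS order for that direction. Separately, note that the reply reporting "VPN works but no Internet" references a pool named access_wan while the pool defined on the router is wan_access; the version that finally worked references wan_access.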