Hello community :)!
I'm working on the setup of a VPN between environment A and F, the environment A is deployed on AWS, the F environment in on-premise, the VPN is working with this configuration:
crypto keyring F_ARG local-address GigabitEthernet1 pre-shared-key address 220.127.116.11 key PRESHARED_KEY ! crypto isakmp policy 5 encryption aes 256 hash sha256 authentication pre-share group 14 ! crypto isakmp profile F_ARG keyring F_ARG match identity address 18.104.22.168 255.255.255.255 local-address GigabitEthernet1 ! crypto ipsec transform-set AES256-SHA-TUNNEL esp-aes 256 esp-sha256-hmac mode tunnel ! crypto ipsec profile F_ARG set transform-set AES256-SHA-TUNNEL set pfs group2 ! interface Tunnel129 description GRE to F_ARG ip address 10.9.32.114 255.255.255.252 ip mtu 1400 ip tcp adjust-mss 1360 keepalive 30 3 tunnel source GigabitEthernet1 tunnel mode ipsec ipv4 tunnel destination 22.214.171.124 tunnel protection ipsec profile F_ARG ip virtual-reassembly
ip route 10.30.64.99 255.255.255.255 Tunnel129 name F_ROUTE
Now I need to add a NAT to this arrangement, I tried adding this:
ip nat inside source static 172.17.10.15 10.9.64.249 interface GigabitEthernet2 ip nat inside interface GigabitEthernet1 ip nat outside
But when I go to 172.17.10.15 and ping 10.30.64.99 I don't get any response
ip-172-17-11-90#show ip nat translations verbose Pro Inside global Inside local Outside local Outside global --- 10.9.64.248 172.17.10.15 --- --- create: 04/29/20 14:34:14, use: 04/29/20 14:34:14, timeout: 00:00:00 Map-Id(In): 3 Flags: static Appl type: none WLAN-Flags: unknown Mac-Address: 0000.0000.0000 Input-IDB: entry-id: 0x0, use_count:0 In_pkts: 0 In_bytes: 0, Out_pkts: 0 Out_bytes: 0 Output-IDB:
Doing a traceroute from 172.17.10.15 shows...
ubuntu@ip-172-17-10-15:~$ traceroute 10.30.64.99 traceroute to 10.30.64.99 (10.30.64.99), 30 hops max, 60 byte packets 1 ip-172-17-10-129.ec2.internal (172.17.10.129) 0.877 ms 0.875 ms 0.878 ms (the "inside" interface of the CSR) 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * *
I'm a little lost of where to go from here, any help is appreciated
your nat statement look fine. could you run command show ip nat statistics/debug ip nat/show log/show ip route and share the output
HI Sheraz, thanks for the help
show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended) Outside interfaces: GigabitEthernet1 Inside interfaces: GigabitEthernet2, VirtualPortGroup0 Hits: 0 Misses: 0 Expired translations: 0 Dynamic mappings: -- Inside Source [Id: 1] access-list GS_NAT_ACL interface GigabitEthernet1 refcount 0 nat-limit statistics: max entry: max allowed 0, used 0, missed 0 In-to-out drops: 0 Out-to-in drops: 1711 Pool stats drop: 0 Mapping stats drop: 0 Port block alloc fail: 0 IP alias add fail: 0 Limit entry add fail: 0 Outside global interfaces count: 1
show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route H - NHRP, G - NHRP registered, g - NHRP registration summary o - ODR, P - periodic downloaded static route, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 172.17.11.1 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 172.17.11.1, GigabitEthernet1 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks C 10.9.32.112/30 is directly connected, Tunnel129 L 10.9.32.114/32 is directly connected, Tunnel129 S 10.30.64.99/32 is directly connected, Tunnel129 172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks C 172.17.10.0/24 is directly connected, GigabitEthernet2 L 172.17.10.129/32 is directly connected, GigabitEthernet2 C 172.17.11.0/24 is directly connected, GigabitEthernet1 L 172.17.11.90/32 is directly connected, GigabitEthernet1
*Apr 29 14:31:39.197: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ec2-user] [Source: 126.96.36.199] [localport: 22] at 14:31:39 UTC Wed Apr 29 2020 *Apr 29 14:34:12.324: NAT: Static entry id 0 add via config options 0x0 intra_vpn_support TRUE *Apr 29 14:34:12.324: INITIAL lookup with IPNAT_LOCAL *Apr 29 14:34:12.324: SECOND lookup attempt after INITIAL failure *Apr 29 14:34:12.324: NO NAT entry found for this mapping - creating an entry *Apr 29 14:34:12.324: NAT: Entry assigned id 3 *Apr 29 14:34:12.324: add_static_cfg - nat from ipnat_create_entry 0x7F3E257D4898 *Apr 29 14:34:12.324: ipnat_add_static_cfg: id 3, table_id 0, flag 0x6, inside local *Apr 29 14:34:12.324: id 3, flags 0, domain 0, lookup 0, from_addr AC110A0F, from_mask FFFFFFFF, from_port 0, to_addr A0940F8, to_port 0 to_mask FFFFFFFF, router_id 0, vrf_table_id 0, ipredundancy_name , router_proto 0 *Apr 29 14:34:15.321: %SYS-5-CONFIG_I: Configured from console by ec2-user on vty0 (188.8.131.52) *Apr 29 14:46:36.283: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (184.108.40.206)), user ec2-user *Apr 29 14:46:36.283: %SYS-6-LOGOUT: User ec2-user has exited tty session 1(220.127.116.11) *Apr 29 14:54:17.945: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ec2-user] [Source: 18.104.22.168] [localport: 22] at 14:54:17 UTC Wed Apr 29 2020 *Apr 29 15:00:31.459: %SYS-6-LOGOUT: User ec2-user has exited tty session 1(22.214.171.124) *Apr 29 18:19:52.059: %SSH-3-NO_MATCH: No matching cipher found: client aes256-cbc,email@example.com,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none server aes128-ctr,aes192-ctr,aes256-ctr *Apr 29 19:52:19.971: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ec2-user] [Source: 126.96.36.199] [localport: 22] at 19:52:19 UTC Wed Apr 29 2020
I couldn't run debug ip nat, it requires an access-list number or name but I don't have any setup, should I deploy one ?
ip-172-17-11-90#debug ip nat ? <1-99> Access list forced WORD Access list name ha High Availability debugging
you have configured a static default route on your router
Gateway of last resort is 172.17.11.1 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 172.17.11.1, GigabitEthernet1
mean you next hop is 172.17.11.1.where as you have static 1 to 1 configured as
ip nat inside source static 172.17.10.15 10.9.64.249
does you next hop router have route install in its routing table?
have a look into this document it will help you to figured out where you having issue here
could you also confirmed in your nat statement you configured 10.9.64.249 where as show ip nat transaltions showing your inside global 10.9.64.248.
ip-172-17-11-90#show ip nat translations verbose Pro Inside global Inside local Outside local Outside global --- 10.9.64.248 172.17.10.15 --- --- create: 04/29/20 14:34:14, use: 04/29/20 14:34:14, timeout: 00:00:00
As the hit counter in the command show ip nat statistics remains in 0 even after I try to ping from 172.17.10.15, that means the NAT is not being used at all, right ? from the default route I get that all the traffic is being send it to the GigabitEthernet 1 but without the NAT ?
I don't have another hop router, after the petition is received by GigabitEthernet 2 it should be NATed to GigabitEthernet 1 and from there go through the tunnel
The ip change of 10.9.64.249 for 10.9.64.248 it was a configuration I tested (I also updated the route), I messed the copy/paste the one used is 10.9.64.249
My knowledge in networking with CSR is really basic so I don't fully understand the problem, thanks a lot for all the help on this
As the hit counter in the command show ip nat statistics remains in 0 even after I try to ping from 172.17.10.15, that means the NAT is not being used at all, right ?
from the default route I get that all the traffic is being send it to the GigabitEthernet 1 but without the NAT ?
could you please share the configuration of this csrv. Am i right to understand that your natted static 1 to1 need to go out toward the gig1. (or in simple words you want natted traffic to go out from to your next hope.)