Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
347
Views
0
Helpful
3
Replies

Help Configure Router IPSec Tunnel P-to-P Network with NAT and a Static

rward
Level 1
Level 1

‎02-05-2003 10:24 AM - edited ‎02-21-2020 12:19 PM

I have a remote site that has an IPSec tunnel to a our home location. Both sites are using 2620s with the crypto AIM module installed. The remote site is also using NAT for other outbound internet traffic. I have been asked to add a static mapping to the NAT to allow Internet traffic to a server within the remote site. I followed the recommendations in TAC document http://www.cisco.com/warp/customer/707/static.html This seems to allow Internet traffic to the server but it kills any traffic from the server that is supposed to go through the IPSec tunnel to the home office.

Can anyone help me? Below is the config of the remote router

version 12.2

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname Remote

!

logging buffered 4096 informational

no logging console

logging monitor notifications

enable secret 5 $1$WL2r$cTrzBqCn2$5iA0omkFBn/1

!

clock timezone CST -6

clock summer-time CDT recurring

ip subnet-zero

!

no ip domain-lookup

!

ip audit notify log

ip audit po max-events 100

!

crypto isakmp policy 1

encr 3des

authentication pre-share

lifetime 39600

crypto isakmp key Mycryptokey address 111.231.129.6

!

!

crypto ipsec transform-set transform1 ah-sha-hmac esp-3des

!

crypto map cryptomap 1 ipsec-isakmp

set peer 111.231.129.6

set transform-set transform1

match address 100

!

call rsvp-sync

!

interface Loopback0

ip address 1.1.1.1 255.255.255.0

!

interface FastEthernet0/0

ip address 10.1.2.1 255.255.255.0

ip nat inside

ip route-cache policy

no ip mroute-cache

ip policy route-map nonat

duplex auto

speed auto

no cdp enable

!

interface Serial0/0

ip address 112.81.92.242 255.255.255.252

no ip redirects

ip nat outside

no ip route-cache

no ip mroute-cache

service-module t1 remote-alarm-enable

no cdp enable

crypto map cryptomap1

!

ip nat pool natpool-1 111.163.213.225 111.163.213.225 netmask 255.255.255.248

ip nat inside source list 110 pool natpool-1 overload

ip nat inside source static 10.1.2.11 111.163.213.226 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0

no ip http server

!

logging trap warnings

logging source-interface FastEthernet0/0

access-list 15 permit 10.1.1.0 0.0.0.255

access-list 15 permit 10.1.2.0 0.0.0.255

access-list 15 deny any log

! access list for IPsec tunnel

access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 100 deny ip 10.1.2.0 0.0.0.255 any

! access list for NAT

access-list 110 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 110 deny ip host 10.1.2.11 any

access-list 110 permit ip 10.1.2.0 0.0.0.255 any

! access list for loopback

access-list 112 permit ip host 10.1.2.11 10.1.1.0 0.0.0.255

no cdp run

route-map nonat permit 10

match ip address 112

set ip next-hop 1.1.1.2

!

dial-peer cor custom

!

line con 0

exec-timeout 0 0

password 7 010112054F06055C

login

line aux 0

line vty 0 4

access-class 15 in

exec-timeout 15 0

password 7 131153131F010779

login

!

ntp server 10.1.2.11

end

Labels:
0 Helpful
3 Replies 3

7sboals
Level 1
Level 1

‎02-05-2003 12:29 PM

This is how I configure our remote sites:

ip nat pool GEN_NET xxx.xxx.xx.187 xxx.xxx.xxx.188 netmask 255.255.255.248

ip nat inside source route-map nonat pool GEN_NET overload

ip nat inside source static 10.6.1.6 xxx.xxx.xxx.189

ip nat inside source static 10.6.1.5 xxx.xxx.xxx.190

I use a route map in the nat statement to tell the router what traffic does not get NATed. This works for our remote sites, and both internet and home office users can get to the two static mapped servers.

0 Helpful

awaheed
Cisco Employee
Cisco Employee

‎02-05-2003 12:31 PM

Hi,

The first thing I see is the name of the Crypto map, the one applied on the interface should be "crypto map cryptomap". Do that and let us know if the issue goes away.

Thanks,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-

0 Helpful

rward
Level 1
Level 1
In response to awaheed

‎02-05-2003 01:18 PM

Sorry, I moded the config a little to protect the innocent and made a typo. The cryptomap is configured correctly and VPN traffic works normally except for the one device that is statically nat'd.

So far I've determined that I can reach the statically nat'd server from the Internet with no problem. But the server cannot access any servers beyond it's own subnet. Packets with a source of 10.1.2.11 going to 10.1.1.x or the Internet get dropped.

Rob

0 Helpful
Customers Also Viewed These Support Documents