01-18-2016 05:46 AM - edited 02-21-2020 08:38 PM
Hi,
I have a Cisco IOS router and want to set up an IPSec tunnel between myself and a client. Unfortunately we both have overlapping 10 network IP addresses.
Is it possible for me to just NAT the IPs on my side or does the client need to NAT as well?
I have configured NAT on the inside interface for 10.134.206.1 to 192.168.156.6 so that NAT occurs before packets get encrypted on the tunnel, however the tunnel is not coming up. The client uses a Sonic firewall and has allowed 192.168.156.0/24 to their 10.91.0.0/16 network.
See attached
regards,
01-18-2016 10:28 AM
I don't give you much chance of success of doing this on the SonicWall, so I would guess you will be doing this on your side.
What sort of device do you have? IOS Router? ASA?
Do you need access to everything, or just one IP address (one IP address is easier, and you could use a server as a jump host).
And to beg the question, any chance one of you could change your IP address range? Much simpler.
01-18-2016 11:39 AM
Hi Philip,
I am using an IOS router.
Client can't do NAT; they have other customers connecting to the Sonic Firewall.
There are two client hosts we need to get to, 10.91.1.40 and 10.91.1.60. These addresses are not conflicting so I can route them as /32 on our network to the VPN router.
In this case I guess I don't have to NAT but just use static host to host mapping. But if I choose to NAT on just my router hosts from 10.134.206.1 to 192.168.156.6, is it not possible?
I want the configuration to be secure as possible.
I have attached config and diagram so would like to know the best way to do this. It would be nice to hide our 10 network from the client.
I am not sure if I have made a mistake in configuration; I am not seeing traffic or the tunnel coming up at all.
My host 10.134.206.1 is a VM host in the Data Center. I have added /32 route for 10.91.1.40 and .60 to go via 10.134.246.253 router.
01-18-2016 12:00 PM
Does the client need to connect to your IP addresses at all? It sounds like no.
In which case, NAT all of your internal traffic to your public IP address (which you will already be doing to access the Internet). Your source of the VPN will then be this public IP address. That solves the main problem. You can then do destination NAT if you like on the customer IP addresses.
01-18-2016 12:29 PM
Hi Philip,
The traffic is only one way from us to them. Mostly RDP and sharing drives.
Not done this before; do you have a sample config or can you point me to one please?
01-18-2016 12:35 PM
This is an example of using "ip nat outside".
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13773-2.html
01-18-2016 01:45 PM
Hi Philip,
Ok I will try again. Let you know.
01-19-2016 04:46 AM
Hi Philip,
If our 10 network is being NATed to the external IP, what networks should the remote end be allowing on the Sonic Firewall?
Regards,
01-19-2016 06:37 AM
Hi Philip,
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set SWIFT esp-aes esp-sha-hmac
mode tunnel
!
crypto map crypto-map 10 ipsec-isakmp
set peer 217.37.59.141
set security-association lifetime seconds 28800
set transform-set SWIFT
match address crypto_map_SWIFT
037499: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):deleting node 1413077582 error TRUE reason "QM rejected"
037500: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):Node 1413077582, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
037501: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):Old State = IKE_QM_READY New State = IKE_QM_READY
037502: Jan 19 14:31:40.625 GMT: ISAKMP (9027): received packet from X.X.X.XSONIC_IP dport 500 sport 500 Global (R) QM_IDLE
037503: Jan 19 14:31:40.625 GMT: ISAKMP: set new node -206213584 to QM_IDLE
037504: Jan 19 14:31:40.625 GMT: ISAKMP:(9027): processing HASH payload. message ID = 4088753712
037505: Jan 19 14:31:40.625 GMT: ISAKMP:(9027): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 4088753712, sa = 0x16383A44
037506: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):deleting node -206213584 error FALSE reason "Informational (in) state 1"
037507: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
037508: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
037509: Jan 19 14:31:40.625 GMT: ISAKMP (9027): received packet from X.X.X.XSONIC_IP dport 500 sport 500 Global (R) QM_IDLE
037510: Jan 19 14:31:40.625 GMT: ISAKMP: set new node -316431164 to QM_IDLE
037511: Jan 19 14:31:40.625 GMT: ISAKMP:(9027): processing HASH payload. message ID = 3978536132
037512: Jan 19 14:31:40.625 GMT: ISAKMP:(9027): processing SA payload. message ID = 3978536132
037513: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):Checking IPSec proposal 1
037514: Jan 19 14:31:40.625 GMT: ISAKMP: transform 1, ESP_AES
037515: Jan 19 14:31:40.625 GMT: ISAKMP: attributes in transform:
037516: Jan 19 14:31:40.625 GMT: ISAKMP: SA life type in seconds
037517: Jan 19 14:31:40.625 GMT: ISAKMP: SA life duration (basic) of 28800
037518: Jan 19 14:31:40.625 GMT: ISAKMP: group is 2
037519: Jan 19 14:31:40.625 GMT: ISAKMP: encaps is 1 (Tunnel)
037520: Jan 19 14:31:40.625 GMT: ISAKMP: authenticator is HMAC-SHA
037521: Jan 19 14:31:40.625 GMT: ISAKMP: key length is 128
037522: Jan 19 14:31:40.625 GMT: ISAKMP:(9027):atts are acceptable.
037523: Jan 19 14:31:40.625 GMT: IPSEC(validate_proposal_request): proposal part #1
037524: Jan 19 14:31:40.625 GMT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= X.X.X.XCISCO_IP:0, remote= X.X.X.XSONIC_IP:0,
local_proxy= 10.134.0.0/255.255.0.0/256/0,
remote_proxy= 10.91.0.0/255.255.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
037525: Jan 19 14:31:40.625 GMT: IPSEC(ipsec_process_proposal): proxy identities not supported
037526: Jan 19 14:31:40.629 GMT: ISAKMP:(9027): IPSec policy invalidated proposal with error 32
037527: Jan 19 14:31:40.629 GMT: ISAKMP:(9027): phase 2 SA policy not acceptable! (local 31.221.0.183 remote 217.37.59.141)
037528: Jan 19 14:31:40.629 GMT: ISAKMP: set new node -385849214 to QM_IDLE
037529: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 352979056, message ID = 3909118082
037530: Jan 19 14:31:40.629 GMT: ISAKMP:(9027): sending packet to X.X.X.XSONIC_IP my_port 500 peer_port 500 (R) QM_IDLE
037531: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Sending an IKE IPv4 Packet.
037532: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):purging node -385849214
037533: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):deleting node -316431164 error TRUE reason "QM rejected"
037534: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Node 3978536132, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
037535: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Old State = IKE_QM_READY New State = IKE_QM_READY
037536: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):DPD/R_U_THERE received from peer X.X.X.XSONIC_IP, sequence 0x55801499
037537: Jan 19 14:31:40.629 GMT: ISAKMP: set new node 615208875 to QM_IDLE
037538: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 352979704, message ID = 615208875
037539: Jan 19 14:31:40.629 GMT: ISAKMP:(9027): seq. no 0x55801499
037540: Jan 19 14:31:40.629 GMT: ISAKMP:(9027): sending packet to X.X.X.XSONIC_IP my_port 500 peer_port 500 (R) QM_IDLE
037541: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):Sending an IKE IPv4 Packet.
037542: Jan 19 14:31:40.629 GMT: ISAKMP:(9027):purging node 615208875
01-19-2016 12:30 PM
Hi Philip,
Yes I am confused as they said they have allowed on the Sonic firewall:
---------------------------------------------SONIC------------------------------------------------
VPN connection from; Cisco_GATEWAY on remote LANS; 10.134.206.0 - 10.134.206.255 and 192.168.156.0 - 192.168.156.255 to local LAN; 10.91.0.0 - 10.91.255.255
And then the firewall rules state;
Allow VPN (remote lan) > LAN (local lan) Service; all
Allow LAN (local lan) > VPN (remote lan) service; all
------------------------------end -------------------------------------------------------------------------
Am I supposed to be NATing to my gateway or my Cisco interface IP on Gig 0/0?
Cisco config :-
-----------------------------------------------------------------------------------
interface GigabitEthernet0/0
description Outside Interface External
ip address CISCO_IP 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map crypto-map
!
interface GigabitEthernet0/1
description inside interface to LAN
ip address 10.134.246.235 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat outside source static 10.0.0.0 10.91.1.0
ip route 0.0.0.0 0.0.0.0 CISCO_GATEWAY
ip route 10.0.0.0 255.0.0.0 10.134.246.253
ip route 10.91.1.40 255.255.255.255 CISCO_GATEWAY
ip route 10.91.1.60 255.255.255.255 CISCO_GATEWAY
!
ip access-list extended crypto_map_SONIC
permit ip host CISCO_GATEWAY host 10.91.1.40
permit ip host CISCO_GATEWAY host 10.91.1.60
ip access-list extended vpn_acl
permit icmp any any
deny tcp any host CISCO_IP eq telnet
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any
01-19-2016 02:04 PM
They have it setup wrong. The remote LANS are not 10.134.206.0 and 10.134.206/42. It is simply your public IP address.
01-20-2016 04:14 AM
Hi Philip,
The tunnel is up but I still can't ping host 10.91.1.60.
interface GigabitEthernet0/0
description Outside Interface External
ip address CISCO_INTERFACE_IP 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map crypto-map
!
interface GigabitEthernet0/1
description inside interface to LAN
ip address 10.134.246.235 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat outside source static 10.0.0.0 10.91.1.0
ip route 0.0.0.0 0.0.0.0 CISCO_GATEWAY_IP
ip route 10.0.0.0 255.0.0.0 10.134.246.253
ip route 10.91.1.40 255.255.255.255 CISCO_GATEWAY_IP
ip route 10.91.1.60 255.255.255.255 CISCO_GATEWAY_IP
!
ip access-list extended crypto_map_SWIFT
permit ip host CISCO_GATEWAY_IP 10.91.0.0 0.0.255.255
040207: Jan 20 12:05:51.063 GMT: IPSEC(validate_proposal_request): proposal part #1
040208: Jan 20 12:05:51.063 GMT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= CISCO_INTERFACE_IP:0, remote= SONICFW_IP:0,
local_proxy= CISCO_INTERFACE_IP/255.255.255.255/256/0,
remote_proxy= 10.91.0.0/255.255.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
040209: Jan 20 12:05:51.063 GMT: Crypto mapdb : proxy_match
src addr : CISCO_INTERFACE_IP
dst addr : 10.91.0.0
protocol : 0
src port : 0
dst port : 0
040210: Jan 20 12:05:51.063 GMT: Crypto mapdb : proxy_match
src addr : CISCO_INTERFACE_IP
dst addr : 10.91.0.0
protocol : 0
src port : 0
dst port : 0
040211: Jan 20 12:05:51.063 GMT: map_db_find_best did not find matching map
040212: Jan 20 12:05:51.063 GMT: IPSEC(ipsec_process_proposal): proxy identities not supported
DC-MAB-01#
SO040213: Jan 20 12:05:51.063 GMT: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:SONICFW_IP local_id:SONICFW_IP remote:CISCO_INTERFACE_IP remote_id:CISCO_INTERFACE_IP IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1
01-20-2016 12:12 PM
Check the phase 1 and phase 2 crypto settings. There is a mismatch somewhere.
Otherwise post a log with both of the below turned on:
debug crypto isakmp
debug crypto ipsec
01-19-2016 11:15 AM
Your encryption domain is just your public IP address with a /32 prefix (255.255.255.255).
Their encryption domain is:
10.91.1.40/32
10.91.1.60/32
If they can't manage that, then get them to make their encryption domain 10.91.1.0/24 and the ASA will negotiate it down.
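The encryption-domain check that a responder performs at Quick Mode, as an added Python example (not code from the thread or from Cisco): it parses an IOS crypto ACL and tests whether the peer's proposed local/remote proxy identities fit an entry, which is the check behind the "proxy identities not supported" and "did not find matching map" lines in the debugs posted above. The public IP is a constructed placeholder, and the subset-matching rule (a proposal equal to or narrower than one ACL entry is accepted) is an assumption about the responder.

```python
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'addr wildcard' pair into a network (the wildcard is an inverted mask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)


def parse_crypto_acl(lines):
    """Parse the 'permit ip <src> <dst>' entries of an IOS extended ACL into (src, dst) networks."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["permit", "ip"]:
            continue  # skip the 'ip access-list ...' header and anything that is not a permit ip entry
        nets, i = [], 2
        while len(nets) < 2:
            if tok[i] == "host":
                nets.append(ipaddress.ip_network(tok[i + 1] + "/32")); i += 2
            elif tok[i] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
            else:
                nets.append(wildcard_to_network(tok[i], tok[i + 1])); i += 2
        entries.append(tuple(nets))
    return entries


def find_matching_entry(acl_entries, local_proxy, remote_proxy):
    """Return the first ACL entry (src, dst) that covers the proposed proxy IDs, else None.
    Assumed rule: a proposal is accepted when its local ID lies within an entry's source
    and its remote ID within that entry's destination; the peer's 'local LAN' is our remote."""
    lp, rp = ipaddress.ip_network(local_proxy), ipaddress.ip_network(remote_proxy)
    for src, dst in acl_entries:
        if lp.subnet_of(src) and rp.subnet_of(dst):
            return (src, dst)
    return None


# Constructed placeholder: the thread anonymises the router's real public IP.
PUBLIC_IP = "203.0.113.10"
CRYPTO_ACL = [
    "ip access-list extended crypto_map_SWIFT",
    f" permit ip host {PUBLIC_IP} 10.91.0.0 0.0.255.255",
]


def check_thread_proposals():
    """Replay the two proposals seen in the thread against the NAT-to-public-IP ACL."""
    entries = parse_crypto_acl(CRYPTO_ACL)
    return {
        # peer still names the un-NATed 10.134.0.0/16 as the Cisco side: no entry covers it
        "unnated": find_matching_entry(entries, "10.134.0.0/16", "10.91.0.0/16"),
        # peer names the NATed public /32 as the Cisco side: the entry covers it
        "nated": find_matching_entry(entries, f"{PUBLIC_IP}/32", "10.91.0.0/16"),
    }
```

Run it against the SonicWall's "remote LANs" as the local proxy and its "local LAN" as the remote proxy to see which side's encryption domain needs changing.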
01-18-2016 01:54 PM
Hi Philip,
No, still can't ping from 10.134.206.1 to 10.91.1.40 and the tunnel won't come up.
interface Loopback0
ip address 192.168.156.1 255.255.255.0
!
interface GigabitEthernet0/0
description Outside Interface External
ip address CISCO_GATEWAY 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map crypto-map
!
interface GigabitEthernet0/1
description inside interface to LAN
ip address 10.134.246.235 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat outside source static 10.0.0.0 10.91.1.0
ip route 0.0.0.0 0.0.0.0 CISCO_GATEWAY
ip route 10.0.0.0 255.0.0.0 10.134.246.253
!
ip access-list extended crypto_map_SONIC
permit ip host 192.168.156.6 host 10.91.1.40
permit ip host 192.168.156.6 host 10.91.1.60
Pro Inside global Inside local Outside local Outside global
--- --- --- 10.91.1.0 10.0.0.0
Crypto Map IPv4 "crypto-map" 10 ipsec-isakmp
Peer = SONIC_FIREWALL_IP
Extended IP access list crypto_map_SONIC
access-list crypto_map_SONIC permit ip host 192.168.156.6 host 10.91.1.40
access-list crypto_map_SONIC permit ip host 192.168.156.6 host 10.91.1.60
Current peer: SONIC_FIREWALL_IP
Security association lifetime: 4608000 kilobytes/18000 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
SWIFT: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map crypto-map:
GigabitEthernet0/0