10-21-2011 10:06 AM
I am running an IOS router as an L2L VPN device to connect my location to multiple different customer locations, some of whom utilize the same internal IP addresses. These VPNs have been working fine.
I recently added another customer to this system and I am now having a problem with the newest setup. With this setup, I have to NAT my internal addresses. NAT functions correctly, but it NATs my addresses to the wrong NAT pool and therefore won't generate the tunnel.
My internal ip 10.10.x.x
Incorrect NAT pool 10.129.x.x
Correct NAT pool 10.99.x.x
Help....:)
Thanks
10-23-2011 01:21 AM
Please show your configuration here. It is hard to isolate the problem without it.
---
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."
10-24-2011 09:07 AM
Hi Eugene,
I didn't post a sanitized config as I hoped someone might recognize the issue and I didn't want to sanitize out the potential problem.
I will work on posting the config, but the problem has changed somewhat and leads me to believe it is an ACL issue.
When I change the name of the ACL for the newest customer to a name that (alphabetically) appears before the ACL that ultimately assigns me an address from that customer's pool, I am able to create the tunnel for the new customer and get to their hosts. However, this is at the cost of the other customer's tunnel. I cannot get to both.
10-24-2011 10:18 AM
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
crypto isakmp key xxxxxxx address 216.xxxxxxx
crypto isakmp key xxxxxxx address 199.xxxxxxx
crypto isakmp key xxxxxxx address 99.xxxxxxx
crypto isakmp key xxxxxxx address 207.xxxxxxx
crypto isakmp key xxxxxxx address 170.xxxxxxx1
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ME esp-3des esp-sha-hmac
crypto ipsec transform-set CB esp-3des esp-md5-hmac
crypto ipsec transform-set CI esp-aes 256 esp-sha-hmac
crypto ipsec transform-set SE esp-3des esp-sha-hmac
crypto ipsec transform-set SA esp-aes 256 esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 199.xxxxxxx
set transform-set ME
match address ME-CRYPTO-ACL
crypto map VPN 2 ipsec-isakmp
set peer 216.xxxxxxx
set transform-set CB
match address CB-CRYPTO-ACL
crypto map VPN 3 ipsec-isakmp
set peer 99.xxxxxxx
set security-association lifetime seconds 28800
set transform-set CI
match address CI-CRYPTO-ACL
crypto map VPN 4 ipsec-isakmp
set peer 207.xxxxxxx
set transform-set SE
match address SE-CRYPTO-ACL
crypto map VPN 5 ipsec-isakmp
set peer 170.xxxxxxx
set transform-set SA
match address SA-CRYPTO-ACL
!
!
interface FastEthernet0/0
description INSIDE LAN INTERFACE
ip address 10.10.xxx 255.xxxx
ip nat inside
ip virtual-reassembly
duplex full
speed 100
!
interface FastEthernet0/1
ip address 173.210.xxxx 255.xxxx
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
!
ip route 0.0.0.0 0.0.0.0 173.210.xxxxx
!
!
ip nat pool MED 10.129.x.x 10.129.x.x netmask xxxxxxx.255.0
ip nat pool PUBLIC 173.210.x.x 173.210.x.x netmask 255.255.x.x
ip nat pool STF 10.96.x.x 10.96.x.x netmask 255.255.x.x
ip nat inside source route-map ME pool MED
ip nat inside source route-map SA pool STF
ip nat inside source route-map nonat pool PUBLIC overload
!
ip access-list extended CB-CRYPTO-ACL
permit ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.63
ip access-list extended CB-NAT-ACL
deny ip 10.96.21.0 xxxxxxx.255 host 10.99.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 10.2.xxxxxxx xxxxxxx.3.255
deny ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.13xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
deny ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.0.63
deny ip 10.129.40.0 xxxxxxx.255 172.23.xxxxxxx xxxxxxx.0.63
permit ip 10.10.xxxxxxx xxxxxxx.255 any
ip access-list extended CI-CRYPTO-ACL
permit ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
permit ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx
permit ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
permit ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
permit ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
permit ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
ip access-list extended CI-NAT-ACL
deny ip 10.10.xxxxxxx xxxxxxx255 10.2.xxxxxxx xxxxxxx.255
deny ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.63
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
deny ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
permit ip 10.10.xxxxxxx xxxxxxx.255 any
ip access-list extended ME-CRYPTO-ACL
permit ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.13xxxxxxx
ip access-list extended ME-NAT-ACL
deny ip 10.96.21.0 xxxxxxx.255 host 10.99.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 10.2.xxxxxxx xxxxxxx.3.255
deny ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.0.63
deny ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
deny ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.13xxxxxxx
permit ip 10.10.xxxxxxx xxxxxxx.255 any
ip access-list extended SA-CRYPTO-ACL
permit ip 10.96.21.0 xxxxxxx.255 host 10.99.2.95
ip access-list extended SA-NAT-ACL
deny ip 10.10.xxxxxxx xxxxxxx.255 10.2.xxxxxxx xxxxxxx.3.255
deny ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.0.63
deny ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
deny ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.13xxxxxxx
permit ip 10.10.xxxxxxx xxxxxxx.255 any
ip access-list extended SE-CRYPTO-ACL
permit ip 10.10.xxxxxxx xxxxxxx.255 10.2.xxxxxxx xxxxxxx.3.255
ip access-list extended SE-NAT-ACL
!
!
route-map SA permit 10
match ip address SA-NAT-ACL
!
route-map CI permit 10
match ip address CI-NAT-ACL
!
route-map ME permit 10
match ip address ME-NAT-ACL
!
route-map SE permit 10
match ip address SE-NAT-ACL
!
route-map nonat permit 10
match ip address CB-NAT-ACL
10-26-2011 02:31 AM
You sanitized your configs very well :) But I don't understand why you need to do this since you have RFC1918 addresses. Can you please post your ACL configuration without the xxxxxx? It is very hard to check it.
Second question:
Why do you need this configuration:
route-map SE permit 10
match ip address SE-NAT-ACL
route-map CI permit 10
match ip address CI-NAT-ACL
ip access-list extended CI-NAT-ACL
deny ip 10.10.xxxxxxx xxxxxxx255 10.2.xxxxxxx xxxxxxx.255
deny ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.63
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx
deny ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
deny ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255
permit ip 10.10.xxxxxxx xxxxxxx.255 any
ip access-list extended SE-NAT-ACL
it is never used.
___
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"
10-26-2011 07:28 AM
I sanitized the configs that well because these tunnels connect to customers. Thank you for the heads up on the route maps. They are ghosts from an earlier config.
ip access-list extended CB-CRYPTO-ACL
permit ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
ip access-list extended CB-NAT-ACL
deny ip 10.96.21.0 0.0.0.255 host 10.99.2.95
deny ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255
deny ip 10.129.40.0 0.0.0.255 host 10.10.131.63
deny ip 10.10.10.0 0.0.0.255 10.208.5.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.208.2.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 host 10.208.4.160
deny ip 10.10.10.0 0.0.0.255 host 10.208.1.95
deny ip 10.10.10.0 0.0.0.255 host 10.209.1.3
deny ip 10.10.10.0 0.0.0.255 host 10.208.1.100
deny ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
deny ip 10.129.40.0 0.0.0.255 172.23.1.0 0.0.0.63
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended CIMC-CRYPTO-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.208.1.100
permit ip 10.10.10.0 0.0.0.255 host 10.209.1.3
permit ip 10.10.10.0 0.0.0.255 host 10.208.1.95
permit ip 10.10.10.0 0.0.0.255 host 10.208.4.160
permit ip 10.10.10.0 0.0.0.255 10.208.2.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 10.208.5.0 0.0.0.255
ip access-list extended CI-NAT-ACL
deny ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255
deny ip 10.129.40.0 0.0.0.255 host 10.10.131.63
deny ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
deny ip 10.10.10.0 0.0.0.255 host 10.208.1.100
deny ip 10.10.10.0 0.0.0.255 host 10.209.1.3
deny ip 10.10.10.0 0.0.0.255 host 10.208.1.95
deny ip 10.10.10.0 0.0.0.255 host 10.208.4.160
deny ip 10.10.10.0 0.0.0.255 10.208.2.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.208.5.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended ME-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended ME-NAT-ACL
deny ip 10.96.21.0 0.0.0.255 host 10.99.2.95
deny ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255
deny ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
deny ip 10.10.10.0 0.0.0.255 10.208.5.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.208.2.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 host 10.208.4.160
deny ip 10.10.10.0 0.0.0.255 host 10.208.1.95
deny ip 10.10.10.0 0.0.0.255 host 10.209.1.3
deny ip 10.10.10.0 0.0.0.255 host 10.208.1.100
deny ip 10.129.40.0 0.0.0.255 host 10.10.131.63
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended SA-CRYPTO-ACL
permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95
ip access-list extended SA-NAT-ACL
deny ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255
deny ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63
deny ip 10.10.10.0 0.0.0.255 10.208.5.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 10.208.2.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 host 10.208.4.160
deny ip 10.10.10.0 0.0.0.255 host 10.208.1.95
deny ip 10.10.10.0 0.0.0.255 host 10.209.1.3
deny ip 10.10.10.0 0.0.0.255 host 10.208.1.100
deny ip 10.129.40.0 0.0.0.255 host 10.10.131.63
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended SE-CRYPTO-ACL
permit ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255
ip access-list extended SE-NAT-ACL
!
!
route-map SA permit 10
match ip address SA-NAT-ACL
!
route-map ME permit 10
match ip address ME-NAT-ACL
!
route-map nonat permit 10
match ip address CB
10-27-2011 08:01 AM
Who is the "new customer"? ME, SA or SE? If it is ME then the correct NAT pool is 10.129.x.x since you have in your configuration:
ip nat pool MED 10.129.x.x 10.129.x.x netmask xxxxxxx.255.0
ip nat inside source route-map ME pool MED
If I understand you right, you have two customers, ME and SA, with two identical address spaces. How is your routing performed? Can you please provide me with:
"show ip route","sh run | sec route", "show ip nat translations | 10.129", "show ip nat translations | 10.99", "sh ip nat statistics"
A full configuration can also be helpful.
___
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"
10-27-2011 08:21 AM
SA is the new customer. ME functions correctly. The issue is that all NAT attempts for SA show the packets being NAT'd to the ME pool addresses.
The address spaces are not identical, but both from the same network class (10.96.x.x VS 10.129.x.x).
Routing is not an issue as all traffic from this router is sent to a border router to leave the network.
Here is sh run | sec route output:
ip route 0.0.0.0 0.0.0.0 173.210.58.193
ip nat inside source route-map MEDSOLUTIONS pool MEDSOL
ip nat inside source route-map nonat pool PUBLIC overload
route-map SAINTFRANCIS permit 10
match ip address SAINTFRANCIS-NAT-ACL
route-map MEDSOLUTIONS permit 10
match ip address MEDSOL-NAT-ACL
route-map nonat permit 10
match ip address CBTS-NAT-ACL
sh ip nat translations | begin 10.129
tcp 10.129.40.2:56088 10.10.10.68:56088 10.10.131.63:3389 10.10.131.63:3389
tcp 10.129.40.3:2552 10.10.10.71:2552 10.10.131.63:3389 10.10.131.63:3389
icmp 10.129.40.7:768 10.10.10.90:768 10.99.2.95:768 10.99.2.95:768 -- this line is the issue; it needs to be 10.96.21.x:768
sh ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
FastEthernet0/1
Inside interfaces:
FastEthernet0/0
Hits: 826204 Misses: 117
CEF Translated packets: 826320, CEF Punted packets: 0
Expired translations: 96
Dynamic mappings:
-- Inside Source
[Id: 1] route-map MEDSOLUTIONS pool MEDSOL refcount 3
pool MEDSOL: netmask 255.255.255.0
start 10.129.40.1 end 10.129.40.254
type generic, total addresses 254, allocated 3 (1%), misses 0
[Id: 2] route-map nonat pool PUBLIC refcount 0
pool PUBLIC: netmask 255.255.255.252
start 173.210.58.198 end 173.210.58.198
type generic, total addresses 1, allocated 0 (0%), misses 0
Queued Packets: 0
10-27-2011 08:33 AM
As I can see from the "show ip nat statistics" output, there is no reference to the STF pool at all. The
"sh run | sec route" output confirms the same. Where are the commands?
ip nat pool STF 10.96.x.x 10.96.x.x netmask 255.255.x.x
ip nat inside source route-map SAINTFRANCIS pool STF overload
Please add it and show me output of mentioned commands again. Thank you.
___
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"
10-27-2011 08:42 AM
Total active translations: 5 (0 static, 5 dynamic; 5 extended)
Outside interfaces:
FastEthernet0/1
Inside interfaces:
FastEthernet0/0
Hits: 842573 Misses: 119
CEF Translated packets: 842691, CEF Punted packets: 0
Expired translations: 96
Dynamic mappings:
-- Inside Source
[Id: 1] route-map MEDSOLUTIONS pool MEDSOL refcount 5
pool MEDSOL: netmask 255.255.255.0
start 10.129.40.1 end 10.129.40.254
type generic, total addresses 254, allocated 5 (1%), misses 0
[Id: 7] route-map SAINTFRANCIS pool STFRANCIS refcount 0
pool STFRANCIS: netmask 255.255.255.0
start 10.96.21.1 end 10.96.21.254
type generic, total addresses 254, allocated 0 (0%), misses 0
[Id: 2] route-map nonat pool PUBLIC refcount 0
pool PUBLIC: netmask 255.255.255.252
start 173.210.58.198 end 173.210.58.198
type generic, total addresses 1, allocated 0 (0%), misses 0
Queued Packets: 0
tcp 10.129.40.2:56088 10.10.10.68:56088 10.10.131.63:3389 10.10.131.63:3389
tcp 10.129.40.7:3968 10.10.10.69:3968 10.10.131.63:3389 10.10.131.63:3389
tcp 10.129.40.3:2552 10.10.10.71:2552 10.10.131.63:3389 10.10.131.63:3389
icmp 10.129.40.6:768 10.10.10.90:768 10.99.2.95:768 10.99.2.95:768
tcp 10.129.40.1:2126 10.10.10.102:2126 10.10.131.63:3389 10.10.131.63:3389
ip route 0.0.0.0 0.0.0.0 173.210.58.193
ip nat inside source route-map MEDSOLUTIONS pool MEDSOL
ip nat inside source route-map SAINTFRANCIS pool STFRANCIS
ip nat inside source route-map nonat pool PUBLIC overload
route-map SAINTFRANCIS permit 10
match ip address SAINTFRANCIS-NAT-ACL
route-map MEDSOLUTIONS permit 10
match ip address MEDSOL-NAT-ACL
route-map nonat permit 10
match ip address CBTS-NAT-ACL
10-27-2011 10:53 AM
The problem is simple. You have almost identical ACLs for both customers. Since the first NAT rule was added earlier, only it is triggered. To resolve this problem you need to explicitly define the destination host/subnet to be matched instead of the 'any' keyword.
For example like this:
ip access-list extended ME-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended ME-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
ip access-list extended SA-CRYPTO-ACL
permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95
ip access-list extended SA-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95
Another solution is more complicated and harder to understand (and explain), you can use Virtual-Templates with tunnel-protection for each customer, VRF and NAT for common services.
___
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"
10-27-2011 11:42 AM
I changed the NAT ACLs to the following:
ip access-list extended ME-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended ME-NAT-ACL
deny ip 10.129.40.0 0.0.0.255 host 10.10.131.63
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
ip access-list extended SA-CRYPTO-ACL
permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95
ip access-list extended SA-NAT-ACL
deny ip 10.96.21.0 0.0.0.255 host 10.99.2.95
permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95
I am now able to get the correct NAT address from the correct pool, however I am still not able to generate the tunnel.
10-27-2011 12:27 PM
Ok, that's better. What do you mean "I am still not able to generate the tunnel"?
BTW, deny statements in the NAT ACLs are not required, except for CB-NAT-ACL. Here you can explicitly deny the RFC1918 address space:
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
permit ip 10.10.10.0 0.0.0.255 any
Also I think the statement "ip nat inside source route-map nonat pool PUBLIC overload" should be added after all other statements (delete it and apply again).
___
HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"
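The two replies above (the accepted answer of 10:53 AM and the 12:27 PM follow-up on the nonat ACL) both come down to one rule: the router tries its "ip nat inside source route-map ... pool ..." mappings in configuration order and the first route-map whose ACL permits the packet wins, so an ACL that ends in "permit ip 10.10.10.0 0.0.0.255 any" swallows every other customer's traffic. The following Python model is an added example, not code from this thread or from Cisco; it assumes exactly that first-match behaviour and models only "permit/deny ip" entries (the protocol field is ignored). The pool names MEDSOL, STFRANCIS and PUBLIC and the addresses are taken from the posted output; the ACL contents are trimmed to the relevant entries.

```python
"""Model of how IOS picks a dynamic NAT pool for an inside-source packet.

Added example, not code from the thread or from Cisco. Assumptions: the
router walks its 'ip nat inside source route-map ... pool ...' mappings in
configuration order and the first route-map whose ACL permits the packet
wins; within an ACL the first matching entry (permit or deny) decides and
there is an implicit deny at the end. Only 'permit/deny ip' entries are
modelled; the protocol field is ignored.
"""
import ipaddress


def _matches(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: 1 bits in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_target(tokens: list, i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> dict:
    """Parse one extended-ACL entry, e.g.
    'permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95'."""
    tokens = line.split()
    if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_target(tokens, 2)
    dst, _ = _parse_target(tokens, i)
    return {"action": tokens[0], "src": src, "dst": dst}


def acl_permits(acl_lines: list, src: str, dst: str) -> bool:
    """Top-down evaluation; the first matching entry decides; implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if _matches(src, *ace["src"]) and _matches(dst, *ace["dst"]):
            return ace["action"] == "permit"
    return False


def select_nat_pool(mappings: list, src: str, dst: str):
    """mappings: ordered [(pool_name, acl_lines), ...]. First hit wins.
    None means the packet leaves untranslated (what the plain VPNs need)."""
    for pool, acl_lines in mappings:
        if acl_permits(acl_lines, src, dst):
            return pool
    return None


# NAT ACLs as originally posted, trimmed. Every customer ACL ends in
# 'permit ip 10.10.10.0 0.0.0.255 any'. The 'deny 10.96.21.0 ...' entry tests
# the post-NAT source, which an inside packet never carries, so it is dead.
ORIGINAL = [
    ("MEDSOL", [
        "deny ip 10.96.21.0 0.0.0.255 host 10.99.2.95",
        "deny ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255",
        "permit ip 10.10.10.0 0.0.0.255 any",
    ]),
    ("STFRANCIS", [
        "deny ip 10.96.21.0 0.0.0.255 host 10.99.2.95",
        "deny ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255",
        "permit ip 10.10.10.0 0.0.0.255 any",
    ]),
    ("PUBLIC", [
        "deny ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255",
        "permit ip 10.10.10.0 0.0.0.255 any",
    ]),
]

# After the accepted answer (explicit destinations) plus the suggested
# RFC1918 denies in the nonat ACL so VPN-bound traffic is never PAT'd.
FIXED = [
    ("MEDSOL", ["permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63"]),
    ("STFRANCIS", ["permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95"]),
    ("PUBLIC", [
        "deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
        "deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255",
        "deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255",
        "permit ip 10.10.10.0 0.0.0.255 any",
    ]),
]

if __name__ == "__main__":
    # 198.51.100.10 is a constructed Internet destination (documentation range).
    flows = [("10.10.10.90", "10.99.2.95"), ("10.10.10.68", "10.10.131.63"),
             ("10.10.10.5", "10.2.1.1"), ("10.10.10.5", "198.51.100.10")]
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for src, dst in flows:
            print(f"{label:8} {src} -> {dst}: {select_nat_pool(cfg, src, dst)}")
```

The first flow reproduces the bad translation line in the posted "sh ip nat translations" output: with the original ACLs the SA packet to 10.99.2.95 is claimed by the MEDSOL mapping simply because it is listed first. With explicit destinations each customer pool only sees its own destination, and the RFC1918 denies in the nonat ACL keep untranslated VPN traffic (the SE subnet 10.2.0.0/22 here) out of the PAT pool, which is also why that mapping should sit last.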
10-27-2011 12:35 PM
I am currently seeing MM_SA_Setup tunnel state when I ping the host. However, I just found out that my customer has the wrong peer address on his side, so that could be the reason. I have asked him to correct the peer address and I will re-test.
Sorry for the delay and thank you for the help.
10-27-2011 12:41 PM
You can also check whether the crypto ACL is matched with "show ip access-list". If the counters are incrementing, then it is an IPsec-related problem only.
toddmanger wrote:
Sorry for the delay and thank you for the help.
No problem. You can rate my posts if they were helpful, that will be the best thankfulness ;-)