06-20-2013 01:10 AM
I have interfaces:
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address XXXXXXXXXXXX
!
interface Ethernet0/1
speed 100
nameif inside
security-level 100
ip address 10.10.11.254 255.255.252.0
!
I have two running IPSECs:
office# sh run | i SECURE 60
crypto map SECURE 60 match address 154
crypto map SECURE 60 set peer XXXXXXXXXXX
crypto map SECURE 60 set transform-set XXXXXX
crypto map SECURE 60 set security-association lifetime seconds 28800
office# sh run | i 154
access-list 154 extended permit ip 10.10.8.0 255.255.252.0 10.216.21.0 255.255.255.0
access-list 154 extended permit ip 10.10.8.0 255.255.252.0 10.213.21.0 255.255.255.0
office# sh run | i SECURE 7
crypto map SECURE 7 match address 174
crypto map SECURE 7 set peer XXXXXXXXX
crypto map SECURE 7 set transform-set cheloffice
office# sh access-list 174
access-list 174; 4 elements; name hash: 0x3c4d6b51
access-list 174 line 1 extended permit ip 10.216.21.0 255.255.255.0 10.10.74.0 255.255.255.0 (hitcnt=2) 0xd111355f
access-list 174 line 2 extended permit ip 10.213.21.0 255.255.255.0 10.10.74.0 255.255.255.0 (hitcnt=2649) 0x8a0e6120
access-list 174 line 3 extended permit ip 10.10.8.0 255.255.252.0 10.10.74.0 255.255.255.0 (hitcnt=2658) 0xd0cbe48f
access-list 174 line 4 extended permit ip 10.3.0.0 255.255.0.0 10.10.74.0 255.255.255.0 (hitcnt=215) 0xea945cf7
office#
10.213.21.0/24 doesn't know about 10.10.74.0/24. I want to make NAT for 10.10.74.0/24.
I did:
global (outside) 74 10.10.10.128 netmask 255.255.255.248
nat (outside) 74 10.10.74.0 255.255.255.0
But I still can't access from 10.10.74.1 to 10.213.21.1.
I see nat works:
office# sh nat ou ou
match ip outside 10.10.74.0 255.255.255.0 outside any
dynamic translation to pool 74 (10.10.10.128)
translate_hits = 0, untranslate_hits = 0
office#
Packet tracer shows:
office# packet-tracer i o i 10.10.74.1 0 0 10.213.21.1
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit icmp any any echo-reply
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description netflow
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype:
Result: DROP
Config:
nat (outside) 74 10.10.74.0 255.255.255.0
match ip outside 10.10.74.0 255.255.255.0 outside any
dynamic translation to pool 74 (10.10.10.128)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So, what am I missing?
06-24-2013 02:20 AM
06-24-2013 04:33 AM
Hi Sergey,
Pankaj is right.
You'd better use NAT exemption for the traffic between two peers connected via VPN, also when the traffic comes in on the outside intf and exits the same interface.
But, actually, the last two words I wrote, "same interface", are very important: by default, firewalls (at least Cisco ones) don't let the same traffic enter an intf and exit the same intf. I said by default, yes, but you can change it by applying the config command:
same-security-traffic permit intra-interface
If you haven't already enabled this, you need to.
Also, I'd put the "set reverse-route" line in the crypto map conf for both tunnels. Yes, from the packet tracer I can see you have a default route, but for VPN tunnels I always prefer to specify it, just to be sure.
Best regards,
Alessio
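A small triage helper for traces like the one Sergey posted, added here as an example (it is not code from the thread or from Cisco): it parses the phase-by-phase output of `packet-tracer`, returns the first phase whose Result is DROP together with the config lines that phase matched, and flags the intra-interface (hairpin) case Alessio describes, where input-interface and output-interface in the final Result block are the same. The sample transcript is a constructed abridgement of the trace above (phases 3, 7 and 11 plus the summary); the phase/section layout it assumes is exactly the one visible in the post.

```python
"""Triage a Cisco ASA packet-tracer transcript.

Added example for this thread, not code from the original post.
SAMPLE_TRACE is a constructed abridgement of the trace Sergey posted.
"""
import re
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype:
Result: DROP
Config:
nat (outside) 74 10.10.74.0 255.255.255.0
match ip outside 10.10.74.0 255.255.255.0 outside any
dynamic translation to pool 74 (10.10.10.128)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    summary: dict  # key/value lines from the final "Result:" block


def parse_trace(text):
    """Split a packet-tracer transcript into Phase objects and the final summary."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":  # bare "Result:" starts the final summary block
            current, section = None, "summary"
            continue
        key, _, value = line.partition(":")
        if current is not None:
            if line == "Config:":
                section = "config"
                continue
            if line == "Additional Information:":
                section = "info"
                continue
            if section is None and key in ("Type", "Subtype", "Result"):
                setattr(current, key.lower(), value.strip())
                continue
            (current.config if section == "config" else current.info).append(line)
        elif section == "summary":
            summary[key.strip().lower()] = value.strip()
    return Trace(phases, summary)


def first_drop(trace):
    """Return the first phase whose Result is DROP, or None if the flow was allowed."""
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)


def is_hairpin(trace):
    """True when the flow enters and exits the same interface (intra-interface traffic)."""
    inp = trace.summary.get("input-interface")
    return inp is not None and inp == trace.summary.get("output-interface")


def triage(text):
    """Return human-readable findings: the dropping phase, its config, and a hairpin flag."""
    trace = parse_trace(text)
    findings = []
    drop = first_drop(trace)
    if drop is not None:
        findings.append(f"dropped in phase {drop.number} ({drop.type}): "
                        f"{trace.summary.get('drop-reason', 'no drop-reason given')}")
        findings.extend("  " + line for line in drop.config)
    if is_hairpin(trace):
        iface = trace.summary["input-interface"]
        findings.append(f"flow enters and exits '{iface}': on an ASA this needs "
                        "'same-security-traffic permit intra-interface'")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE):
        print(finding)
```

Run it on a saved `packet-tracer` transcript (`python3 triage.py < trace.txt` after swapping `SAMPLE_TRACE` for `sys.stdin.read()`) and the first line tells you which phase killed the flow, which is faster than reading eleven phases by hand when comparing before/after a config change.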