Make NAT for one of the IPsecs.

Mokeev.tel
Level 1

I have interfaces:

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address XXXXXXXXXXXX
!
interface Ethernet0/1
 speed 100
 nameif inside
 security-level 100
 ip address 10.10.11.254 255.255.252.0
!

I have two running IPsecs:

office# sh run | i SECURE 60
crypto map SECURE 60 match address 154
crypto map SECURE 60 set peer XXXXXXXXXXX
crypto map SECURE 60 set transform-set XXXXXX
crypto map SECURE 60 set security-association lifetime seconds 28800

office# sh run | i 154
access-list 154 extended permit ip 10.10.8.0 255.255.252.0 10.216.21.0 255.255.255.0
access-list 154 extended permit ip 10.10.8.0 255.255.252.0 10.213.21.0 255.255.255.0

office# sh run | i SECURE 7
crypto map SECURE 7 match address 174
crypto map SECURE 7 set peer XXXXXXXXX
crypto map SECURE 7 set transform-set cheloffice

office# sh access-list 174
access-list 174; 4 elements; name hash: 0x3c4d6b51
access-list 174 line 1 extended permit ip 10.216.21.0 255.255.255.0 10.10.74.0 255.255.255.0 (hitcnt=2) 0xd111355f
access-list 174 line 2 extended permit ip 10.213.21.0 255.255.255.0 10.10.74.0 255.255.255.0 (hitcnt=2649) 0x8a0e6120
access-list 174 line 3 extended permit ip 10.10.8.0 255.255.252.0 10.10.74.0 255.255.255.0 (hitcnt=2658) 0xd0cbe48f
access-list 174 line 4 extended permit ip 10.3.0.0 255.255.0.0 10.10.74.0 255.255.255.0 (hitcnt=215) 0xea945cf7
office#

10.213.21.0/24 doesn't know about 10.10.74.0/24. I want to make NAT for 10.10.74.0/24.

I did:

global (outside) 74 10.10.10.128 netmask 255.255.255.248
nat (outside) 74 10.10.74.0 255.255.255.0

But I still can't access from 10.10.74.1 to 10.213.21.1.

I see NAT works:

office# sh nat ou ou
  match ip outside 10.10.74.0 255.255.255.0 outside any
    dynamic translation to pool 74 (10.10.10.128)
    translate_hits = 0, untranslate_hits = 0
office#

Packet tracer shows:

office# packet-tracer i o i 10.10.74.1 0 0 10.213.21.1

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit icmp any any echo-reply
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 description netflow
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype:
Result: DROP
Config:
nat (outside) 74 10.10.74.0 255.255.255.0
  match ip outside 10.10.74.0 255.255.255.0 outside any
    dynamic translation to pool 74 (10.10.10.128)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So, what am I missing?

2 Replies

pankaj29in
Level 1

Hi Sergey,

What exactly do you want to achieve here? Please share a rough network diagram.

Although, for communication between two endpoints in an IPsec tunnel we use NO NAT or NAT exemption:

access-list no-nat permit ip host host
nat (inside) 0 access-list no-nat

Do let me know if you have any query.

Regards

Pankaj

alexpara72
Level 1

Hi Sergey,

Pankaj is right.

You should better use the NAT exemption for the traffic between two peers connected via VPN, also if the traffic comes from the outside intf and exits the same interface.

But, actually, the last two words I wrote, "same interface", are very important: by default firewalls (at least Cisco ones) don't let the same traffic enter an intf and exit the same intf. I said by default, yes, but you can change it by applying the config command:

same-security-traffic permit intra-interface

If you haven't already enabled this, it's necessary that you do.

Also, I'd better put the "set reverse-route" line in the crypto map conf for both tunnels. Yes, from the packet tracer I can see you have a default route, but for VPN tunnels I always prefer to specify it, just to be sure.

Best regards,

Alessio
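Pulling the thread together, here is an added ASA 8.2-style configuration example (not from any of the posts above) that shows the two changes the replies recommend next to the caveat that goes with the pool-based NAT from the question. It reuses the subnets, crypto map name SECURE, ACL 154 and NAT id 74 from the question; the ACL name NONAT_OUT is an assumed name.

```cisco
! Both options need this: the 10.10.74.0/24 flow arrives from tunnel 7 on
! "outside" and must leave through tunnel 60 on the same "outside"
! interface. The ASA refuses that hairpin by default, so enable it first.
same-security-traffic permit intra-interface

! ---- Option A: NAT exemption (what Pankaj and Alessio suggest) ----
! Keep real addresses between the two VPN networks; NONAT_OUT is an
! assumed ACL name. "nat (outside) 0" is needed here, not "nat (inside) 0",
! because the traffic enters on outside.
access-list NONAT_OUT extended permit ip 10.10.74.0 255.255.255.0 10.213.21.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUT
! The crypto ACL for tunnel 60 then has to carry the real pair, and the
! far end of tunnel 60 must mirror it (10.213.21.0/24 -> 10.10.74.0/24).
access-list 154 extended permit ip 10.10.74.0 255.255.255.0 10.213.21.0 255.255.255.0

! ---- Option B: keep the dynamic pool from the question ----
! The crypto map is checked against the translated source, so ACL 154 must
! match the pool 10.10.10.128/29, not 10.10.74.0/24. This is the line the
! question's config is missing; the peer for tunnel 60 must mirror it.
global (outside) 74 10.10.10.128 netmask 255.255.255.248
nat (outside) 74 10.10.74.0 255.255.255.0
access-list 154 extended permit ip 10.10.10.128 255.255.255.248 10.213.21.0 255.255.255.0

! Re-check with the same packet-tracer call as in the question; the NAT
! phase should no longer end in "(acl-drop)" once the chosen option is in.
! packet-tracer input outside icmp 10.10.74.1 8 0 10.213.21.1
```

Option A only works if the 10.213.21.0/24 side can route back to 10.10.74.0/24, which the question says it cannot; Option B is the one that presents the pool address 10.10.10.128/29 to that side instead, at the cost of having to add the translated range to the crypto ACL on both peers. Use one option or the other for this pair of networks, not both.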
