Nat'd address coming out of IPSEC VPN

rkinnard5
Level 1

I am replacing an old 1841 router with an 881 router.  When I do, our ISAKMP-IPSEC VPN connection to a vendor is not functioning.  The VPN establishes between the sites and the crypto map is functioning, as we see encrypted data flow between the sites.  The problem is we are using the NAT-on-a-stick config with a loopback interface to NAT our internal address to one that is OK for the vendor.  The outbound traffic is NAT'd correctly; however, when the traffic returns it does not revert back to our internal address, it keeps the NAT'd address as its destination.  For example, a host with address 1.1.1.1 has its address NAT'd to 2.2.2.2 before it is encrypted by the crypto map and sent through the VPN.  When the traffic returns to our router it has a destination of 2.2.2.2 when it leaves the router instead of 1.1.1.1, as is currently the case on the 1841.  The router only has 1 active interface, so we use a policy route-map to send traffic to our loopback interface to NAT the traffic before the crypto map is applied and sent over the VPN.  How can this work on an 1841 and not work on our 881?


Thanks

3 Replies

balaji.bandi
Hall of Fame

Can you post the show run from both routers, to understand the issue?


BB


rkinnard5
Level 1

Here is the running config from the working 1841.


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address 199.198.225.7
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map cibc 1 ipsec-isakmp
set peer 199.198.225.7
set transform-set ESP-3DES-SHA
set pfs group2
match address toCIBCPROD
!
!
!
interface Loopback0
ip address 10.0.1.1 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/0
ip address 10.1.3.74 255.255.255.248
ip nat inside
ip virtual-reassembly
ip policy route-map Nat-loop
duplex auto
speed auto
crypto map cibc
!

ip route 0.0.0.0 0.0.0.0 10.1.3.73
!
!
no ip http server
no ip http secure-server
ip nat inside source static 192.168.50.10 10.126.61.65
ip nat inside source static 192.168.9.10 98.103.50.11
ip nat inside source static 192.168.10.10 98.103.50.12
!
ip access-list extended natted-hosts
permit ip host 192.168.10.10 any
permit ip host 192.168.9.10 any
permit ip host 192.168.50.10 any
permit ip any host 98.103.50.12
permit ip any host 98.103.50.11
permit ip any host 10.126.61.65
ip access-list extended toCIBCPROD
permit ip host 98.103.50.11 host 199.198.229.35
permit ip host 98.103.50.11 host 199.198.229.36
permit ip host 98.103.50.12 host 199.198.229.35
permit ip host 98.103.50.12 host 199.198.229.36
permit ip host 10.126.61.65 host 199.198.229.31
permit ip host 10.126.61.65 host 199.198.229.34

route-map Test permit 1
!
route-map Nat-loop permit 10
match ip address natted-hosts
set ip next-hop 10.0.1.2
!
!


rkinnard5
Level 1

New 881 not working.


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address 199.198.225.7
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map cibc 1 ipsec-isakmp
set peer 199.198.225.7
set transform-set ESP-3DES-SHA
set pfs group2
match address toCIBCPROD
!
!
!
!
!
!
interface Loopback0
ip address 10.0.1.1 255.255.255.248
ip nat outside
ip virtual-reassembly in

interface FastEthernet4
ip address 10.1.3.74 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip policy route-map Nat-loop
duplex auto
speed auto
crypto map cibc
!
interface Vlan1
no ip address

ip nat inside source static 192.168.50.10 10.126.61.65
ip nat inside source static 192.168.9.10 98.103.50.11
ip nat inside source static 192.168.10.10 98.103.50.12
ip route 0.0.0.0 0.0.0.0 10.1.3.73

ip access-list extended natted-hosts
permit ip host 192.168.10.10 any
permit ip host 192.168.9.10 any
permit ip host 192.168.50.10 any
permit ip any host 98.103.50.12
permit ip any host 98.103.50.11
permit ip any host 10.126.61.65
ip access-list extended toCIBCPROD
permit ip host 98.103.50.11 host 199.198.229.35
permit ip host 98.103.50.11 host 199.198.229.36
permit ip host 98.103.50.12 host 199.198.229.35
permit ip host 98.103.50.12 host 199.198.229.36
permit ip host 10.126.61.65 host 199.198.229.31
permit ip host 10.126.61.65 host 199.198.229.34

route-map Test permit 1
!
route-map Nat-loop permit 10
match ip address natted-hosts
set ip next-hop 10.0.1.2
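As an added illustration (not part of the thread, and not a diagnosis of the 881), here is a small Python model of the NAT-on-a-stick path that both posted configs rely on, built from their static NAT entries and the natted-hosts and toCIBCPROD ACLs. It shows that the reverse translation of return traffic depends on the decrypted packet being policy-routed to Loopback0, the only ip nat outside interface; the pbr_applied flag is an assumption used only to contrast the working and the observed behaviour.

```python
# Added example: model of the NAT-on-a-stick packet path from the posted configs.
# Static NAT entries from "ip nat inside source static <inside> <global>".
STATIC_NAT = {
    "192.168.50.10": "10.126.61.65",
    "192.168.9.10": "98.103.50.11",
    "192.168.10.10": "98.103.50.12",
}
GLOBAL_TO_INSIDE = {g: i for i, g in STATIC_NAT.items()}

# ACL natted-hosts (matched by route-map Nat-loop) and crypto ACL toCIBCPROD,
# as (source, destination) pairs; "any" matches every address.
NATTED_HOSTS = [(i, "any") for i in STATIC_NAT] + [("any", g) for g in STATIC_NAT.values()]
TO_CIBCPROD = [
    ("98.103.50.11", "199.198.229.35"), ("98.103.50.11", "199.198.229.36"),
    ("98.103.50.12", "199.198.229.35"), ("98.103.50.12", "199.198.229.36"),
    ("10.126.61.65", "199.198.229.31"), ("10.126.61.65", "199.198.229.34"),
]

def acl_permits(acl, src, dst):
    """First-match evaluation of an IOS extended ACL with the implicit deny."""
    return any(s in ("any", src) and d in ("any", dst) for s, d in acl)

def outbound(src, dst):
    """LAN host -> vendor, entering the nat-inside interface.
    If Nat-loop matches, the packet is sent to Loopback0 (nat outside), so the
    inside->outside translation rewrites the source before the crypto map is
    evaluated on the way out. Returns (src, dst, matched_crypto_acl)."""
    if acl_permits(NATTED_HOSTS, src, dst):
        src = STATIC_NAT.get(src, src)
    return src, dst, acl_permits(TO_CIBCPROD, src, dst)

def return_path(src, dst, pbr_applied):
    """Decrypted vendor -> LAN packet arriving on the nat-inside interface.
    Outside->inside translation of the destination only happens when the
    packet enters an ip nat outside interface, i.e. only if the route-map
    sends it to Loopback0 (pbr_applied is an assumed switch for the model)."""
    if pbr_applied and acl_permits(NATTED_HOSTS, src, dst):
        dst = GLOBAL_TO_INSIDE.get(dst, dst)
    return src, dst

if __name__ == "__main__":
    print("outbound   :", outbound("192.168.9.10", "199.198.229.35"))
    print("return +PBR:", return_path("199.198.229.35", "98.103.50.11", True))
    print("return -PBR:", return_path("199.198.229.35", "98.103.50.11", False))
```

The last line reproduces the symptom described in the question: without the loop through Loopback0 the packet leaves with the global address 98.103.50.11 as its destination instead of 192.168.9.10.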