Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
613
Views
0
Helpful
0
Replies

NAT ESP on ISR 4331

lotfi.bouhaddad
Level 1
Level 1

‎12-06-2017 02:17 AM - edited ‎03-12-2019 04:48 AM

Hi,

I have a setup with a Cisco 2960 doing NAT ESP between two VPN  gateways, the C2811is doing static source NAT and static dest NAT for both gateway.

 

The firewalls are attached this way :   FIREWALL01 --(ESP TUNNEL)--> NAT routeur  -->(ESP TUNNEL)--> FIREWALL02

 

I planned to replace the NAT router with a Cisco ISR4331 but there is no way to have the NAT working.

Here is the output of the show ip nat translation on C2811, we can see that SPI are natted correctly :

 

OLD ROUTER C2960# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 172.17.69.1 10.20.176.129
--- --- --- 172.17.69.2 10.20.176.130
--- --- --- 172.17.69.3 10.20.176.131
--- --- --- 172.17.69.17 10.20.117.33
--- --- --- 172.17.69.18 10.20.117.34
--- --- --- 172.17.69.19 10.20.117.35
--- --- --- 172.17.69.81 10.20.176.132
--- --- --- 172.17.69.82 10.20.176.133
--- --- --- 172.17.69.83 10.20.176.134
--- --- --- 172.17.69.97 10.20.117.36
--- --- --- 172.17.69.98 10.20.117.37
--- --- --- 172.17.69.99 10.20.117.38
--- 172.17.69.65 192.84.160.14 --- ---
esp 172.17.69.73:0 192.84.176.14:0 172.17.69.1:3664917067 10.20.176.129:DA72324B
esp 172.17.69.73:0 192.84.176.14:0 172.17.69.81:3664917064 10.20.176.132:DA723248
esp 172.17.69.73:0 192.84.176.14:0 172.17.69.81:3664917066 10.20.176.132:DA72324A
esp 172.17.69.73:2366660292 192.84.176.14:8D105EC4 172.17.69.81:0 10.20.176.132:0
esp 172.17.69.73:3020312921 192.84.176.14:B4065159 172.17.69.81:0 10.20.176.132:0
esp 172.17.69.73:3672915180 192.84.176.14:DAEC3CEC 172.17.69.1:0 10.20.176.129:0
 

 

On the new router I have a diffrent behavior, as it does not shows the SPI part, and no traffic is passed over the link 

NEWROUTER C4331#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 172.17.69.65 192.84.160.14 --- ---
--- --- --- 172.17.69.1 10.20.176.129
--- --- --- 172.17.69.2 10.20.176.130
--- --- --- 172.17.69.83 10.20.176.134
--- --- --- 172.17.69.19 10.20.117.35
--- --- --- 172.17.69.81 10.20.176.132
--- --- --- 172.17.69.82 10.20.176.133
--- --- --- 172.17.69.18 10.20.117.34
--- --- --- 172.17.69.17 10.20.117.33
--- 172.17.69.73 192.84.176.14 --- ---
--- --- --- 172.17.69.3 10.20.176.131
--- --- --- 172.17.69.98 10.20.117.37
--- --- --- 172.17.69.97 10.20.117.36
--- --- --- 172.17.69.99 10.20.117.38
esp 172.17.69.73 192.84.176.14: 172.17.69.81 10.20.176.132
esp 172.17.69.73 192.84.176.14: 172.17.69.81 10.20.176.132
esp 172.17.69.73 192.84.176.14: 172.17.69.1 10.20.176.129

 

I've  changed IP for confidentiality reason.

 

Thanks for your help


Regards.

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents