cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1937
Views
0
Helpful
6
Replies

One more l2l with external NAT

Freddy Andersen
Level 1
Level 1

I have an issue where two rules get mixed and I'm not sure how/why or if I'm looking at the right place. We have 3 customers that connect to our firewall (5520) over VPN but they only want to use a external ip so we use NAT. This was working for one but when we added more it looks like the return allways picks the first customers rule and fails. here is our setup:

access-list Outside_cryptomap_50 extended permit ip host 6.8.99.139 host nc-smpp-gw

access-list Outside_cryptomap_40 extended permit ip host 6.8.99.139 host nb-smpp-gw

access-list n-policy-nat extended permit ip inside-network 255.255.254.0 host nb-smpp-gw

access-list n-policy-nat extended permit ip inside-network 255.255.254.0 host nc-smpp-gw

access-list Outside_cryptomap_60 extended permit ip host 6.8.99.170 host t-smpp-gw

access-list t-policy-nat extended permit ip inside-network 255.255.254.0 host t-smpp-gw

access-list v-policy-nat extended permit ip inside-network 255.255.254.0 host v-smpp-gw

access-list Outside_cryptomap_70 extended permit ip host 6.8.99.171 host v-smpp-gw

global (outside) 1 6.8.99.135 netmask 255.255.255.192

global (outside) 2 6.8.99.170 netmask 255.255.255.255

global (outside) 3 6.8.99.139 netmask 255.255.255.255

global (outside) 4 6.8.99.171 netmask 255.255.255.255

nat (inside) 0 access-list nonat10

nat (inside) 2 access-list t-policy-nat

nat (inside) 3 access-list n-policy-nat

nat (inside) 4 access-list v-policy-nat

nat (inside) 1 0.0.0.0 0.0.0.0

crypto map Outside_map 40 match address Outside_cryptomap_40

crypto map Outside_map 40 set peer nb-vpn-gw

crypto map Outside_map 40 set transform-set TRANSFORM_SET

crypto map Outside_map 50 match address Outside_cryptomap_50

crypto map Outside_map 50 set peer nc-vpn-gw

crypto map Outside_map 50 set transform-set TRANSFORM_SET

crypto map Outside_map 60 match address Outside_cryptomap_60

crypto map Outside_map 60 set peer t-vpn-gw

crypto map Outside_map 60 set transform-set TRANSFORM_SET

crypto map Outside_map 70 match address Outside_cryptomap_70

crypto map Outside_map 70 set peer v-vpn-gw

crypto map Outside_map 70 set transform-set TRANSFORM_SET

We would like for every host on our internal network to be able to talk to all three VPN sites but when they do they need to use the policy-nat ip. When I use the Cisco packet tracer I see that there are two NAT statement hits and the first is correct but the second is allways t-policy-nat.

nat (inside) 3 access-list n-policy-nat
match ip                  inside inside-network 255.255.254.0 outside host nb-smpp-gw
dynamic                  translation to pool 3 (6.8.99.139)
translate_hits = 1,                  untranslate_hits = 0

Config
nat (inside) 2 access-list t-policy-nat
match ip inside inside-network 255.255.254.0 outside host                  t-smpp-gw
dynamic translation to pool 2 (6.8.99.170)
translate_hits                  = 0, untranslate_hits = 0

What am I doing wrong?

6 Replies 6

Hi Freddy,

Could you please include the NAT configuration for one site working and one not working including ACLs (do not add the third site) and the complete packet-tracer output?

Thanks.

Portu.

I'm not sure I understand what else you need from the nat configuration. That is all I have for the nat part.

tpfw01# packet-tracer input inside tcp 10.21.30.1 1065 9.47.64.114 80   

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 4 access-list v-policy-nat

  match ip inside inside-network 255.255.254.0 outside host v-smpp-gw

    dynamic translation to pool 4 (6.8.99.171)

    translate_hits = 4, untranslate_hits = 0

Additional Information:

Dynamic translate 10.21.30.1/1065 to 6.8.99.171/21310 using netmask 255.255.255.255

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 2 access-list t-policy-nat

  match ip inside inside-network 255.255.254.0 outside host t-smpp-gw

    dynamic translation to pool 2 (6.8.99.170)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 7

Type: ACCESS-LIST

Subtype: vpn-user

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi Freddy,

Thanks for the output.

From the packet-tracer:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 4 access-list v-policy-nat

match ip inside inside-network 255.255.254.0 outside host v-smpp-gw

dynamic translation to pool 4 (6.8.99.171)

translate_hits = 4, untranslate_hits = 0

Additional Information:

Dynamic translate 10.21.30.1/1065 to 6.8.99.171/21310 using netmask 255.255.255.255

Phase: 7

Type: ACCESS-LIST

Subtype: vpn-user

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

NAT seems to be ok, but I am more interested in the drop reason.

It looks like you have a VPN filter, if so, it is configured under the group-policy settings of the group-policy assigned to each specific tunnel.

Please send: "show run tunnel-group", "show run group-policy".

Thanks.

Portu

I tried removing the vpn-filter for one of the tunnels or changing to a different access-list but still the same. My question is, why are there two NATs in my packet-tracer? and Why is the second showing a different ip for the outside?

tpfw01# sh run tunnel-group

tunnel-group xx.xx.42.230 type ipsec-l2l

tunnel-group xx.xx.42.230 general-attributes

default-group-policy site2site

tunnel-group xx.xx.42.230 ipsec-attributes

pre-shared-key *****

tunnel-group xxx.xx.64.6 type ipsec-l2l

tunnel-group xxx.xx.64.6 general-attributes

default-group-policy VGrpPolicy

tunnel-group xxx.xx.64.6 ipsec-attributes

pre-shared-key *****

tunnel-group xx.xxx.76.81 type ipsec-l2l

tunnel-group xx.xxx.76.81 general-attributes

default-group-policy NGrpPolicy

tunnel-group xx.xxx.76.81 ipsec-attributes

pre-shared-key *****

tunnel-group xxx.xx.160.170 type ipsec-l2l

tunnel-group xxx.xx.160.170 general-attributes

default-group-policy TGrpPolicy

tunnel-group xxx.xx.160.170 ipsec-attributes

pre-shared-key *****

tunnel-group xx.xxx.57.33 type ipsec-l2l

tunnel-group xx.xxx.57.33 general-attributes

default-group-policy NGrpPolicy

tunnel-group xx.xxx.57.33 ipsec-attributes

pre-shared-key *****

tpfw01# sh run group-policy

group-policy DfltGrpPolicy attributes

  vpn-filter value splitacl

  vpn-tunnel-protocol IPSec svc

group-policy IGrpPolicy internal

group-policy IGrpPolicy attributes

  vpn-idle-timeout none

  vpn-filter value Outside_cryptomap_30

  vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy site2site internal

group-policy site2site attributes

  vpn-idle-timeout none

  vpn-filter value splitacl

  vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy NGrpPolicy internal

group-policy NGrpPolicy attributes

  vpn-idle-timeout none

  vpn-filter value splitacl

  vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy TGrpPolicy internal

group-policy TGrpPolicy attributes

  vpn-idle-timeout none

  vpn-filter value splitacl

  vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy VGrpPolicy internal

group-policy VGrpPolicy attributes

  vpn-idle-timeout none

  vpn-filter value splitacl

  vpn-tunnel-protocol IPSec l2tp-ipsec

Anyone? All are set to splitacl but even when I remove that and use no acl I still get the wrong route. Too me it looks like I'm leaving my fw with the correct NAT but it allways hits

global (outside) 2 6.8.99.170 netmask 255.255.255.255 coming home... Interesting part is that the NAT/VPN combo that uses the 2 global NAT works... I'm thinking that this guy just eats up everything coming back...

I was reading this

http://www.mikespicer.net/wp/cisco/cisco-vpn-multiple-or-overlapping-l2l-tunnels-using-nat/ article and one thing is telling me that i'm doing my setup wrong. He said you should not have more than two inside/NAT lines. And that if you do only the second line will be read!

So that moves me to question my setup where I use PAT and each VPN tunnel has its own External NAT ip. Is this not the correct approch show I use a different way? Do I need to wrapp all of our VPN tunnels under one External NAT IP?