09-04-2012 02:44 PM
I have an issue where two rules get mixed and I'm not sure how/why or if I'm looking at the right place. We have 3 customers that connect to our firewall (5520) over VPN but they only want to use an external IP so we use NAT. This was working for one but when we added more it looks like the return always picks the first customer's rule and fails. Here is our setup:
access-list Outside_cryptomap_50 extended permit ip host 6.8.99.139 host nc-smpp-gw
access-list Outside_cryptomap_40 extended permit ip host 6.8.99.139 host nb-smpp-gw
access-list n-policy-nat extended permit ip inside-network 255.255.254.0 host nb-smpp-gw
access-list n-policy-nat extended permit ip inside-network 255.255.254.0 host nc-smpp-gw
access-list Outside_cryptomap_60 extended permit ip host 6.8.99.170 host t-smpp-gw
access-list t-policy-nat extended permit ip inside-network 255.255.254.0 host t-smpp-gw
access-list v-policy-nat extended permit ip inside-network 255.255.254.0 host v-smpp-gw
access-list Outside_cryptomap_70 extended permit ip host 6.8.99.171 host v-smpp-gw
global (outside) 1 6.8.99.135 netmask 255.255.255.192
global (outside) 2 6.8.99.170 netmask 255.255.255.255
global (outside) 3 6.8.99.139 netmask 255.255.255.255
global (outside) 4 6.8.99.171 netmask 255.255.255.255
nat (inside) 0 access-list nonat10
nat (inside) 2 access-list t-policy-nat
nat (inside) 3 access-list n-policy-nat
nat (inside) 4 access-list v-policy-nat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map Outside_map 40 match address Outside_cryptomap_40
crypto map Outside_map 40 set peer nb-vpn-gw
crypto map Outside_map 40 set transform-set TRANSFORM_SET
crypto map Outside_map 50 match address Outside_cryptomap_50
crypto map Outside_map 50 set peer nc-vpn-gw
crypto map Outside_map 50 set transform-set TRANSFORM_SET
crypto map Outside_map 60 match address Outside_cryptomap_60
crypto map Outside_map 60 set peer t-vpn-gw
crypto map Outside_map 60 set transform-set TRANSFORM_SET
crypto map Outside_map 70 match address Outside_cryptomap_70
crypto map Outside_map 70 set peer v-vpn-gw
crypto map Outside_map 70 set transform-set TRANSFORM_SET
We would like for every host on our internal network to be able to talk to all three VPN sites but when they do they need to use the policy-nat IP. When I use the Cisco packet tracer I see that there are two NAT statement hits and the first is correct but the second is always t-policy-nat.
What am I doing wrong?
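As an added example (not code from this thread or from Cisco), the script below cross-checks the configuration posted above: on an ASA the outbound policy NAT is applied before the crypto map is matched, so for each crypto ACL the local host it names must be exactly the global pool address that the policy-NAT rule for that destination hands out. The parser only understands the command forms that appear in the post (host/host crypto ACLs, network/host policy-NAT ACLs, nat and global by id); the regexes and function names are this example's own. Run against the posted lines it reports no mismatch, which is consistent with Phase 5 of the later packet-tracer output selecting v-policy-nat and translating to 6.8.99.171.

```python
"""Cross-check ASA policy-NAT pools against the crypto-map ACLs they feed.
Added example, not code from the thread or from Cisco. It parses only the
command forms used in the configuration posted above and assumes the outbound
order in which policy NAT is applied before the crypto map is matched, so the
global pool address for a destination must equal the local host named in the
crypto ACL for that destination."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the NAT and crypto lines from the configuration posted above.
CONFIG = """\
access-list Outside_cryptomap_50 extended permit ip host 6.8.99.139 host nc-smpp-gw
access-list Outside_cryptomap_40 extended permit ip host 6.8.99.139 host nb-smpp-gw
access-list n-policy-nat extended permit ip inside-network 255.255.254.0 host nb-smpp-gw
access-list n-policy-nat extended permit ip inside-network 255.255.254.0 host nc-smpp-gw
access-list Outside_cryptomap_60 extended permit ip host 6.8.99.170 host t-smpp-gw
access-list t-policy-nat extended permit ip inside-network 255.255.254.0 host t-smpp-gw
access-list v-policy-nat extended permit ip inside-network 255.255.254.0 host v-smpp-gw
access-list Outside_cryptomap_70 extended permit ip host 6.8.99.171 host v-smpp-gw
global (outside) 1 6.8.99.135 netmask 255.255.255.192
global (outside) 2 6.8.99.170 netmask 255.255.255.255
global (outside) 3 6.8.99.139 netmask 255.255.255.255
global (outside) 4 6.8.99.171 netmask 255.255.255.255
nat (inside) 0 access-list nonat10
nat (inside) 2 access-list t-policy-nat
nat (inside) 3 access-list n-policy-nat
nat (inside) 4 access-list v-policy-nat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map Outside_map 40 match address Outside_cryptomap_40
crypto map Outside_map 50 match address Outside_cryptomap_50
crypto map Outside_map 60 match address Outside_cryptomap_60
crypto map Outside_map 70 match address Outside_cryptomap_70
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+?) host (\S+)$")
GLOBAL_RE = re.compile(r"^global \(\S+\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \(\S+\) (\d+) access-list (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")

def parse_config(config: str):
    acls: Dict[str, List[Tuple[str, str]]] = defaultdict(list)  # name -> [(src spec, dst host)]
    pools: Dict[str, str] = {}          # nat/global id -> pool address
    nat_acls: Dict[str, str] = {}       # policy-NAT ACL name -> nat id
    crypto_acls: List[str] = []         # ACLs referenced by "match address"
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
        elif m := GLOBAL_RE.match(line):
            pools[m.group(1)] = m.group(2)
        elif m := NAT_RE.match(line):
            nat_acls[m.group(2)] = m.group(1)
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(1))
    return acls, pools, nat_acls, crypto_acls

def check_nat_vs_crypto(config: str) -> List[Tuple[str, str, str]]:
    """Return (crypto ACL, remote host, problem) for every mismatch; [] when consistent."""
    acls, pools, nat_acls, crypto_acls = parse_config(config)
    # remote host -> the pool addresses that policy NAT would give traffic to it
    nat_source: Dict[str, set] = defaultdict(set)
    for acl_name, nat_id in nat_acls.items():
        for _src, dst in acls.get(acl_name, []):
            nat_source[dst].add(pools.get(nat_id, f"<no global {nat_id}>"))
    problems = []
    for cacl in crypto_acls:
        for src, dst in acls.get(cacl, []):
            local = src.split()[-1]             # "host 6.8.99.139" -> "6.8.99.139"
            if dst not in nat_source:
                problems.append((cacl, dst, "no policy-NAT rule covers this destination"))
            elif local not in nat_source[dst]:
                problems.append((cacl, dst,
                                 f"crypto ACL expects {local}, policy NAT uses {sorted(nat_source[dst])}"))
    return problems
```

`check_nat_vs_crypto(CONFIG)` returns an empty list for the posted configuration; editing a global pool address or dropping one of the `nat (inside) N access-list` lines makes it report which crypto ACL would no longer see the source address it expects.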
09-04-2012 03:52 PM
Hi Freddy,
Could you please include the NAT configuration for one site working and one not working including ACLs (do not add the third site) and the complete packet-tracer output?
Thanks.
Portu.
09-05-2012 11:57 AM
I'm not sure I understand what else you need from the nat configuration. That is all I have for the nat part.
tpfw01# packet-tracer input inside tcp 10.21.30.1 1065 9.47.64.114 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 4 access-list v-policy-nat
match ip inside inside-network 255.255.254.0 outside host v-smpp-gw
dynamic translation to pool 4 (6.8.99.171)
translate_hits = 4, untranslate_hits = 0
Additional Information:
Dynamic translate 10.21.30.1/1065 to 6.8.99.171/21310 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 access-list t-policy-nat
match ip inside inside-network 255.255.254.0 outside host t-smpp-gw
dynamic translation to pool 2 (6.8.99.170)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
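To read a trace like the one above mechanically, here is an added example (not code from this thread or from Cisco) that parses packet-tracer output into phases and pulls out the NAT and drop decisions. The embedded sample is copied from the output posted above, abridged to phases 5 to 7 and the result block; the parsing rules are this example's own assumption about the format. Run on that sample it shows that only Phase 5 carries an actual `Dynamic translate` line (10.21.30.1/1065 to 6.8.99.171/21310 via v-policy-nat), that Phase 6 has subtype `host-limits`, references t-policy-nat and translates nothing, and that the packet is dropped in Phase 7 by the `ACCESS-LIST/vpn-user` check.

```python
"""Parse Cisco ASA packet-tracer output into phases and pull out the NAT and
drop decisions. Added example, not code from the thread or from Cisco; the
line-oriented parsing is an assumption based on the output format shown above."""
import re

# Sample input: phases 5-7 and the final result block of the packet-tracer
# output posted above (copied from the thread, earlier phases omitted).
SAMPLE = """\
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 4 access-list v-policy-nat
match ip inside inside-network 255.255.254.0 outside host v-smpp-gw
dynamic translation to pool 4 (6.8.99.171)
translate_hits = 4, untranslate_hits = 0
Additional Information:
Dynamic translate 10.21.30.1/1065 to 6.8.99.171/21310 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 access-list t-policy-nat
match ip inside inside-network 255.255.254.0 outside host t-smpp-gw
dynamic translation to pool 2 (6.8.99.170)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): phases is a list of dicts with number/type/
    subtype/result plus the Config and Additional Information lines; summary
    holds the key: value pairs of the final Result block."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "Phase":
            cur = {"number": int(val), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                 # bare "Result:" opens the summary block
            cur, section = None, "summary"
        elif section == "summary":
            summary[key] = val
        elif cur is None:
            continue
        elif key in ("Type", "Subtype", "Result") and section is None:
            cur[key.lower()] = val
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            cur[section].append(line)
    return phases, summary

TRANSLATE_RE = re.compile(r"translate (\S+) to (\S+) using netmask")

def nat_phases(phases):
    """For each NAT phase: (number, subtype, nat rule, 'X->Y' translation or None).
    Only a phase whose Additional Information carries a 'translate X to Y'
    line actually rewrites the packet; the others merely reference a rule."""
    out = []
    for p in phases:
        if p.get("type") != "NAT":
            continue
        rule = next((c for c in p["config"] if c.startswith("nat ")), "")
        m = next(filter(None, map(TRANSLATE_RE.search, p["info"])), None)
        out.append((p["number"], p["subtype"], rule,
                    f"{m.group(1)}->{m.group(2)}" if m else None))
    return out

def drop_summary(phases, summary):
    """First phase whose Result is DROP, as (number, 'TYPE/subtype', drop reason)."""
    for p in phases:
        if p.get("result") == "DROP":
            return (p["number"], f'{p["type"]}/{p["subtype"]}', summary.get("Drop-reason", ""))
    return None
```

Used on a full trace pasted from the firewall, `nat_phases` makes the distinction between a translating NAT phase and a referenced-only one explicit, and `drop_summary` points straight at the phase and reason to investigate.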
09-05-2012 06:35 PM
Hi Freddy,
Thanks for the output.
From the packet-tracer:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 4 access-list v-policy-nat
match ip inside inside-network 255.255.254.0 outside host v-smpp-gw
dynamic translation to pool 4 (6.8.99.171)
translate_hits = 4, untranslate_hits = 0
Additional Information:
Dynamic translate 10.21.30.1/1065 to 6.8.99.171/21310 using netmask 255.255.255.255
Phase: 7
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
NAT seems to be ok, but I am more interested in the drop reason.
It looks like you have a VPN filter; if so, it is configured under the group-policy settings of the group-policy assigned to each specific tunnel.
Please send: "show run tunnel-group", "show run group-policy".
Thanks.
Portu
09-06-2012 10:11 AM
I tried removing the vpn-filter for one of the tunnels or changing to a different access-list but still the same. My question is, why are there two NATs in my packet-tracer, and why is the second showing a different IP for the outside?
tpfw01# sh run tunnel-group
tunnel-group xx.xx.42.230 type ipsec-l2l
tunnel-group xx.xx.42.230 general-attributes
default-group-policy site2site
tunnel-group xx.xx.42.230 ipsec-attributes
pre-shared-key *****
tunnel-group xxx.xx.64.6 type ipsec-l2l
tunnel-group xxx.xx.64.6 general-attributes
default-group-policy VGrpPolicy
tunnel-group xxx.xx.64.6 ipsec-attributes
pre-shared-key *****
tunnel-group xx.xxx.76.81 type ipsec-l2l
tunnel-group xx.xxx.76.81 general-attributes
default-group-policy NGrpPolicy
tunnel-group xx.xxx.76.81 ipsec-attributes
pre-shared-key *****
tunnel-group xxx.xx.160.170 type ipsec-l2l
tunnel-group xxx.xx.160.170 general-attributes
default-group-policy TGrpPolicy
tunnel-group xxx.xx.160.170 ipsec-attributes
pre-shared-key *****
tunnel-group xx.xxx.57.33 type ipsec-l2l
tunnel-group xx.xxx.57.33 general-attributes
default-group-policy NGrpPolicy
tunnel-group xx.xxx.57.33 ipsec-attributes
pre-shared-key *****
tpfw01# sh run group-policy
group-policy DfltGrpPolicy attributes
vpn-filter value splitacl
vpn-tunnel-protocol IPSec svc
group-policy IGrpPolicy internal
group-policy IGrpPolicy attributes
vpn-idle-timeout none
vpn-filter value Outside_cryptomap_30
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy site2site internal
group-policy site2site attributes
vpn-idle-timeout none
vpn-filter value splitacl
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy NGrpPolicy internal
group-policy NGrpPolicy attributes
vpn-idle-timeout none
vpn-filter value splitacl
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy TGrpPolicy internal
group-policy TGrpPolicy attributes
vpn-idle-timeout none
vpn-filter value splitacl
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy VGrpPolicy internal
group-policy VGrpPolicy attributes
vpn-idle-timeout none
vpn-filter value splitacl
vpn-tunnel-protocol IPSec l2tp-ipsec
09-10-2012 10:19 AM
Anyone? All are set to splitacl but even when I remove that and use no ACL I still get the wrong route. To me it looks like I'm leaving my fw with the correct NAT but it always hits "global (outside) 2 6.8.99.170 netmask 255.255.255.255" coming home... Interesting part is that the NAT/VPN combo that uses the 2 global NAT works... I'm thinking that this guy just eats up everything coming back...
09-10-2012 10:42 AM
I was reading this
http://www.mikespicer.net/wp/cisco/cisco-vpn-multiple-or-overlapping-l2l-tunnels-using-nat/ article and one thing is telling me that I'm doing my setup wrong. He said you should not have more than two inside/NAT lines, and that if you do only the second line will be read!
So that moves me to question my setup where I use PAT and each VPN tunnel has its own external NAT IP. Is this not the correct approach, or should I use a different way? Do I need to wrap all of our VPN tunnels under one external NAT IP?