09-28-2011 07:02 PM
I have two offices - see attached diagram. They use 192.168.0.0/16 for private IP addresses.
They're connected via site-to-site VPN. Mostly works well, except some traffic doesn't return and I think it's due to NAT?
When a workstation in the remote office tries to access web servers in the local office which use private IP addresses (e.g. .64.40), traffic never returns. The web servers in question are also accessible publicly - the Cisco 1801 in the local office has a static NAT entry:
Local1801# ip nat inside source static tcp 192.168.64.40 80 111.111.111.2 80 extendable
The problem seems to be with the local 1801 router. tcpdump confirms that return traffic exits out of ods1's external interface and tcpdump confirms that traffic does not come into remote workstation's interface (neither with .64.40 as source IP nor 111.111.111.2 as source IP)
Remote887# show ip nat translations - none.
Local1801# show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 111.111.111.2:80 192.168.64.40:80 192.168.10.254:54990 192.168.10.254:54990
What I don't understand is why a NAT translation entry is created. My understanding is that it should only happen when IP packets are sent to 111.111.111.2:80. I don't see that any packets would be sent to this IP address when accessing the site across the VPN - in fact the VPN peer address used is not this one.
Please help - I cannot figure out why on earth this website cannot be accessed via private IP. I have tried clear ip nat translation * on both routers with no luck.
Any help will be much appreciated!
Relevant Cisco config snippets included below:
Local1801 VPN and NAT config
------------------------------------------
crypto map VPN-MAP 1 ipsec-isakmp
description "Local-Remote VPN"
set peer 222.222.222.222
set transform-set VPN-TRAFFIC
match address 101
interface FastEthernet0
description "20Mbps_Fibre"
ip address 111.111.111.110 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
crypto map VPN-MAP
interface Vlan1
ip address 192.168.67.129 255.255.255.128
ip nat inside
ip virtual-reassembly
ip route-cache flow
hold-queue 100 out
ip route 0.0.0.0 0.0.0.0 111.111.111.109
ip route 111.111.111.0 255.255.255.252 Null0 254 permanent
ip route 192.168.64.0 255.255.255.0 192.168.67.130
ip nat inside source route-map nat-list interface FastEthernet0 overload
ip nat inside source static tcp 192.168.64.40 80 111.111.111.2 80 extendable
access-list 101 remark "Local-Remote VPN Traffic"
access-list 101 permit ip 192.168.64.0 0.0.63.255 192.168.0.0 0.0.63.255
access-list 110 remark "NAT"
access-list 110 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.64.0 0.0.63.255 any
route-map nat-list permit 10
description NAT match internal IP's allowed to use NAT
match ip address 110
Remote887 VPN and NAT config
---------------------------------------------
crypto map VPN-MAP 1 ipsec-isakmp
description "Remote-Local VPN"
set peer 111.111.111.110
set transform-set VPN-TRAFFIC
match address 101
interface Vlan1
ip address 192.168.10.10 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated ! 222.222.222.222
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxx
ppp chap password 0 xxx
ppp pap sent-username xxxx password 0 xxx
crypto map VPN-MAP
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 remark "Traffic that will undergo NAT"
access-list 100 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 remark "Encrypted VPN Traffic"
access-list 101 permit ip 192.168.0.0 0.0.63.255 192.168.64.0 0.0.63.255
dialer-list 1 protocol ip permit
09-28-2011 08:32 PM
Solved the problem!
The problem and exact solution described here:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
The solution here was:
access-list 150 remark "Preventing static NAT from NATing private traffic"
access-list 150 deny ip 192.168.64.0 0.0.63.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.64.0 0.0.63.255 any
route-map no-nat permit 10
description "Prevent NAT for static-nat entries when traffic is private"
match ip address 150
no ip nat inside source static tcp 192.168.64.40 80 111.111.111.2 80 extendable
ip nat inside source static tcp 192.168.64.40 80 111.111.111.2 80 extendable route-map no-nat
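To make the failure mechanism concrete, here is an added Python model (not from the thread or from Cisco) of the inside-to-outside decision on Local1801 for the web server's reply packet, using the ACLs posted above. It assumes IOS applies inside-source NAT before the crypto map on that path, so a source rewritten to 111.111.111.2 no longer matches crypto ACL 101 and the reply leaves in the clear instead of over the VPN; with `route-map no-nat` attached, the deny in ACL 150 keeps private-destination replies untranslated.

```python
import ipaddress

# Wildcard-mask ACL entries copied from the Local1801 config in the thread.
ACL_101_CRYPTO = [  # "match address 101": traffic that is encrypted over the VPN
    ("permit", "192.168.64.0", "0.0.63.255", "192.168.0.0", "0.0.63.255"),
]
ACL_150_NO_NAT = [  # route-map no-nat: exempt private destinations from static NAT
    ("deny",   "192.168.64.0", "0.0.63.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "192.168.64.0", "0.0.63.255", "0.0.0.0", "255.255.255.255"),  # "any"
]
STATIC_NAT = {"inside_local": "192.168.64.40", "inside_global": "111.111.111.2", "port": 80}


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wild))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(net)) & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; IOS ACLs end with an implicit deny."""
    for action, s_net, s_wild, d_net, d_wild in acl:
        if wildcard_match(src, s_net, s_wild) and wildcard_match(dst, d_net, d_wild):
            return action
    return "deny"


def forward_reply(src: str, sport: int, dst: str, no_nat_acl=None) -> dict:
    """Simulate the inside->outside path of one reply packet on Local1801.

    Assumption (IOS order of operations): inside-source NAT runs before the
    crypto map, so the crypto ACL sees the translated source address.
    no_nat_acl=None models the original static entry without a route-map.
    """
    translated = src
    if src == STATIC_NAT["inside_local"] and sport == STATIC_NAT["port"]:
        # Without a route-map the static entry applies to every destination,
        # including the remote office's private hosts.
        if no_nat_acl is None or acl_action(no_nat_acl, src, dst) == "permit":
            translated = STATIC_NAT["inside_global"]
    encrypted = acl_action(ACL_101_CRYPTO, translated, dst) == "permit"
    return {"src": translated, "via": "vpn" if encrypted else "internet"}
```

Calling `forward_reply("192.168.64.40", 80, "192.168.10.254")` reproduces the translation entry seen in `show ip nat translations`, while passing `ACL_150_NO_NAT` keeps the reply on the VPN.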
09-28-2011 08:47 PM
Congratulations on finding the solution to your own problem.
And thanks for posting back to the forum indicating how you fixed it.
Sometimes the best lessons that we learn are the ones when we find the answer to our own problems - and you have done it this time.
HTH
Rick
Sent from Cisco Technical Support iPhone App
10-28-2011 09:47 AM
What if your outside interface is configured as DHCP?
Route-map command does not exist for
ip nat inside source static tcp
How would you solve the problem in this case?