09-04-2024 05:09 AM - edited 09-04-2024 05:15 AM
Hello everyone,
I am currently configuring an IPsec VPN between a Cisco router and a Bintec router, and I am running into a problem that I cannot solve on my own.
The VPN tunnel seems to work correctly; it shows as "UP-Active" on both sides. However, traffic does not pass, and I cannot ping between the two subnets:
I suspect this may be related to a NAT configuration, but I am not certain. Here is what I have checked so far:
I am asking the community for help diagnosing this problem. Could someone offer their expertise or additional leads toward a solution?
Thank you very much for your help!
09-06-2024 12:37 AM - edited 09-06-2024 12:43 AM
Everything stays up and running properly, and the 90 address is the public IP of the Cisco router with its ISP.
And as we can see, everything comes in, but nothing goes out...
09-06-2024 12:50 AM
Friend, the VPN ACL has no matches, and the NAT ACL has no matches at all either??
Can I see the output of show ip route?
MHM
09-06-2024 12:55 AM
No problem, here are the IP routes.
09-06-2024 01:44 AM
It can't be that the router shows no matches for the NAT and VPN ACLs and shows matches only for the security ACL.
Can you do this:
Remove ip nat outside from the interface and check the ping.
If there are encrypted/decrypted counters in show crypto ipsec sa, then
return ip nat outside under the interface,
and remove the NAT commands one by one to see which one affects the IPsec.
MHM
09-06-2024 01:58 AM
By removing the ip nat outside command, encryption is happening (without finding the recipient, which is normal). Could you explain the next steps to follow?
09-06-2024 02:10 AM
ip nat inside source list NAT_EXCLUDE interface GigabitEthernet0/0/1 overload
ip nat inside source list 2 interface GigabitEthernet0/0/1 overload
ip nat inside source list 3 interface GigabitEthernet0/0/1 overload
ip nat inside source list 4 interface GigabitEthernet0/0/1 overload
ip nat inside source list 5 interface GigabitEthernet0/0/1 overload
ip nat inside source list 6 interface GigabitEthernet0/0/1 overload
ip nat inside source list 7 interface GigabitEthernet0/0/1 overload
ip nat inside source list 30 interface GigabitEthernet0/0/1 overload
These are the NATs in your router.
Remove the first one, check the ping and show crypto ipsec sa to see if it has an effect; if not, put it back and remove the second one, etc.
Do that until you see which NAT affects the IPsec. I would help you, but all the prefixes are 192.168.x, so I don't know which prefix is which.
It is easy to do yourself: after you find the NAT that affects the IPsec, add
a deny for local LAN to remote LAN in that NAT ACL, and hopefully the issue will be solved.
MHM
09-06-2024 02:23 AM
I have identified the rule causing the issue between the two sites. Once that is done, what should I apply in the ACL?
Since it's a standard ACL, what should I do next?
09-06-2024 02:30 AM
"identified the rule" <<- can you elaborate more on this point?
Thanks
MHM
09-06-2024 02:36 AM - edited 09-06-2024 02:36 AM
ip nat inside source list 2 interface GigabitEthernet0/0/1 overload
ip nat inside source list 3 interface GigabitEthernet0/0/1 overload
ip nat inside source list 4 interface GigabitEthernet0/0/1 overload
ip nat inside source list 5 interface GigabitEthernet0/0/1 overload
ip nat inside source list 6 interface GigabitEthernet0/0/1 overload
ip nat inside source list 7 interface GigabitEthernet0/0/1 overload
ip nat inside source list NAT_EXCLUDE interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 90.X
!
!
ip access-list extended NAT_EXCLUDE
10 deny ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
20 deny ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip 192.168.12.0 0.0.0.255 any
40 permit ip 192.168.13.0 0.0.0.255 any
ip access-list extended VPN
10 permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip 192.168.13.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ip access-list standard 2
10 permit 192.168.12.0 0.0.0.255
ip access-list standard 3
10 permit 192.168.13.0 0.0.0.255
ip access-list standard 4
10 permit 192.168.14.0 0.0.0.255
ip access-list standard 5
10 permit 192.168.15.0 0.0.0.255
ip access-list standard 6
10 permit 192.168.16.0 0.0.0.255
ip access-list standard 7
10 permit 192.168.17.0 0.0.0.255
ip access-list extended 100
10 deny tcp any any eq telnet
20 permit ip any any
I replaced the IPs with examples. The problematic one is the standard ACL 3; when I disable it, it at least allows me to encrypt the traffic.
09-06-2024 02:44 AM
This NAT using the ACL below:
ip access-list standard 3
10 permit 192.168.13.0 0.0.0.255
is not needed at all.
Why do you use it?
Delete it.
MHM
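Added example, not part of the thread and not Cisco's or Bintec's code: a small Python model of why a NAT statement bound to the standard ACL 3 breaks the tunnel even though NAT_EXCLUDE already denies the VPN traffic. It assumes the Cisco IOS inside-to-outside order of operations (NAT translates before the crypto map is checked), models the multiple `ip nat inside source list` statements as "the first statement whose ACL permits the packet translates it, a deny only skips that statement", and uses the placeholder 90.0.0.1 for the "90.X" public address. The ACL data mirrors the posted config; the function names are this example's own, not IOS commands.

```python
"""Model of IOS inside-to-outside processing: dynamic NAT runs before the crypto-map
check, so a packet translated to the public IP no longer matches the crypto ACL.
Assumptions (not from the thread): 90.0.0.1 stands in for 90.X; the first NAT
statement whose ACL permits wins, and a deny only means 'not this statement'."""
import ipaddress

PUBLIC_IP = ipaddress.ip_address("90.0.0.1")  # placeholder for the 90.X public IP


def net(cidr):
    return ipaddress.ip_network(cidr)


# ACL entry = (action, src_net, dst_net). A standard ACL matches on source only,
# which is modelled as a destination of 0.0.0.0/0.
def standard(action, src):
    return (action, net(src), net("0.0.0.0/0"))


def extended(action, src, dst):
    return (action, net(src), net(dst))


def acl_permits(acl, src, dst):
    """First-match evaluation with an implicit deny at the end, like an IOS ACL."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def nat_translate(nat_rules, src, dst):
    """Return (source after NAT, name of the NAT ACL that translated it or None)."""
    for name, acl in nat_rules:
        if acl_permits(acl, src, dst):  # a deny just falls through to the next statement
            return PUBLIC_IP, name
    return src, None


def outbound(nat_rules, crypto_acl, src, dst):
    """Inside-to-outside path: NAT first, then the crypto ACL sees the translated packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    new_src, rule = nat_translate(nat_rules, src, dst)
    return {
        "src_after_nat": str(new_src),
        "nat_rule": rule,
        "encrypted": acl_permits(crypto_acl, new_src, dst),
    }


# ACLs as posted in the thread (addresses are the poster's example values).
NAT_EXCLUDE = [
    extended("deny", "192.168.12.0/24", "192.168.1.0/24"),
    extended("deny", "192.168.13.0/24", "192.168.1.0/24"),
    extended("permit", "192.168.12.0/24", "0.0.0.0/0"),
    extended("permit", "192.168.13.0/24", "0.0.0.0/0"),
]
ACL2 = [standard("permit", "192.168.12.0/24")]
ACL3 = [standard("permit", "192.168.13.0/24")]
VPN = [
    extended("permit", "192.168.12.0/24", "192.168.1.0/24"),
    extended("permit", "192.168.13.0/24", "192.168.1.0/24"),
]

# "ip nat inside source list ..." statements, in the order they appear in the config.
POSTED = [("2", ACL2), ("3", ACL3), ("NAT_EXCLUDE", NAT_EXCLUDE)]
# After deleting ACL 3 and its NAT statement, as advised in the thread.
FIXED = [("2", ACL2), ("NAT_EXCLUDE", NAT_EXCLUDE)]


def broken_case():
    # 192.168.13.x -> remote LAN: ACL 3 permits, so the packet is PAT'd to 90.0.0.1
    # before the crypto check and the VPN ACL no longer matches it.
    return outbound(POSTED, VPN, "192.168.13.10", "192.168.1.10")


def fixed_case():
    # Same packet without ACL 3: NAT_EXCLUDE denies it, it keeps its real source
    # address, and the crypto ACL matches, so it is encrypted.
    return outbound(FIXED, VPN, "192.168.13.10", "192.168.1.10")


def internet_case():
    # Non-VPN traffic from the same LAN is still translated by NAT_EXCLUDE.
    return outbound(FIXED, VPN, "192.168.13.10", "8.8.8.8")


if __name__ == "__main__":
    for label, fn in (("posted", broken_case), ("fixed", fixed_case), ("internet", internet_case)):
        print(label, fn())
```

The same reasoning applies to any other per-subnet standard NAT ACL that overlaps a crypto ACL source: a deny in NAT_EXCLUDE only stops that one statement from translating, so each NAT ACL that covers a VPN-bound source must itself deny the local-to-remote traffic, or the overlapping statement must be removed.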
09-06-2024 02:57 AM
Good news: the VPN is now receiving and sending, but issues persist.
The first issue is that the ping still isn't working.
The second issue is that I'm unable to execute the command no ip nat inside source list 3 interface GigabitEthernet0/0/1 overload. I receive the error "%Dynamic mapping in use, cannot remove," even though the ACL no longer exists.
09-06-2024 03:24 AM
Update: The ping works from Bintec to Cisco, but not the other way around.
09-06-2024 04:11 AM
The ping should be OK.
Did you succeed in removing the NAT?
MHM
09-06-2024 04:15 AM - edited 09-06-2024 04:16 AM
A PC connected to the Bintec network pinging the Cisco network: OK.
But a PC on the Cisco network pinging the Bintec network doesn't work:
And I didn't succeed in removing the NAT.
09-06-2024 04:18 AM
To remove the dynamic NAT:
1- Remove ip nat outside from the interface.
2- Clear the NAT translations.
3- Remove the NAT with no ip nat inside source list ... etc.
4- Add ip nat outside back under the interface.
Do the above and check the ping from the Cisco side.
MHM