05-23-2012 07:52 AM
Hello
I am trying to set up a VPN between a VLAN I have defined and another office. I have been using NAT on the interface for internet access with a NAT pool.
I created the VPN with crypto map and the VPN registers successfully.
The problem I am encountering is that with NAT enabled, internet access works but I can't ping across the VPN.
If I disable NAT, the VPN works perfectly, but then the VLAN can't access the internet.
What should I be doing differently?
Here is the config:
Device: 2911 with security pack
Local Network: 10.10.104.0/24
Remote Network: 192.168.1.0/24
Public Range: 65.49.46.68/28
crypto isakmp policy 104
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key REDACTED address 75.76.102.50
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map OFFICE 104 ipsec-isakmp
 set peer 75.76.102.50
 set transform-set strongsha
 match address 104
interface GigabitEthernet0/0
 ip address 65.49.46.68 255.255.255.240
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 standby 0 ip 65.49.46.70
 standby 0 timers 2 6
 standby 0 preempt
 crypto map OFFICE redundancy WAN
interface GigabitEthernet0/2.104
 encapsulation dot1Q 104
 ip address 10.10.104.254 255.255.255.0
ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
ip nat inside source list 99 pool wan_access overload
access-list 99 permit 10.10.104.0 0.0.0.255
access-list 104 permit ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
access-list 104 permit icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
65.49.46.70 75.76.102.50 QM_IDLE 1299 ACTIVE
05-23-2012 12:03 PM
Hi!
Please make these changes:
ip access-list extended Internet-NAT
 deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.104.0 0.0.0.255 any
ip nat inside source list Internet-NAT pool access-wan overload
*please do not remove the old NAT instance until you add the one above.
Please keep me posted.
Thanks!
Sent from Cisco Technical Support Android App
05-23-2012 12:16 PM
Just to verify, this is replacing access-list 99?
Thanks for the response.
05-23-2012 12:39 PM
Correct.
Sent from Cisco Technical Support Android App
05-23-2012 12:56 PM
So I have the following:
interface GigabitEthernet0/2.104
 encapsulation dot1Q 104
 ip address 10.10.104.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
ip nat pool wan_access 65.49.46.70 65.49.46.70 prefix-length 28
ip nat inside source list Internet-NAT pool access_wan overload
ip access-list extended Internet-NAT
 deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.104.0 0.0.0.255 any
I took off the ip nat statement that referred to access-list 99 after doing this.
That makes the VPN work, but it doesn't have internet access. (This isn't live for a couple weeks, so not critical yet)
05-23-2012 01:29 PM
You should have Internet access, please run the "clear ip nat translations *" and send me the "show ip nat translations" output.
Thanks.
05-23-2012 07:00 PM
It only shows the static entries I have for other things:
edge-1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 65.49.46.78:3391 10.10.1.101:3389 --- ---
tcp 65.49.46.78:3392 10.10.1.102:3389 --- ---
tcp 65.49.46.78:22 10.10.1.179:22 --- ---
tcp 65.49.46.77:6061 10.10.1.180:6061 --- ---
tcp 65.49.46.77:32004 10.10.1.180:32004 24.96.162.222:62938 24.96.162.222:62938
tcp 65.49.46.77:32004 10.10.1.180:32004 67.32.145.251:49162 67.32.145.251:49162
tcp 65.49.46.77:32004 10.10.1.180:32004 --- ---
tcp 65.49.46.77:32005 10.10.1.180:32005 --- ---
tcp 65.49.46.77:32006 10.10.1.180:32006 --- ---
tcp 65.49.46.77:32007 10.10.1.180:32007 --- ---
tcp 65.49.46.78:6061 10.10.1.185:6061 --- ---
tcp 65.49.46.78:32004 10.10.1.185:32004 24.214.205.186:20510 24.214.205.186:20510
tcp 65.49.46.78:32004 10.10.1.185:32004 24.214.205.186:31341 24.214.205.186:31341
tcp 65.49.46.78:32004 10.10.1.185:32004 24.214.205.186:46034 24.214.205.186:46034
tcp 65.49.46.78:32004 10.10.1.185:32004 24.214.205.186:46511 24.214.205.186:46511
tcp 65.49.46.78:32004 10.10.1.185:32004 74.168.66.250:41433 74.168.66.250:41433
tcp 65.49.46.78:32004 10.10.1.185:32004 --- ---
tcp 65.49.46.78:32005 10.10.1.185:32005 --- ---
tcp 65.49.46.78:32006 10.10.1.185:32006 --- ---
tcp 65.49.46.78:32007 10.10.1.185:32007 --- ---
tcp 65.49.46.78:3390 10.10.1.199:3389 174.56.200.85:49384 174.56.200.85:49384
tcp 65.49.46.78:3390 10.10.1.199:3389 --- ---
tcp 65.49.46.71:21 10.10.101.11:21 --- ---
tcp 65.49.46.71:3390 10.10.101.12:3389 --- ---
tcp 65.49.46.72:22 10.10.102.10:22 --- ---
tcp 65.49.46.72:443 10.10.102.10:443 --- ---
05-23-2012 07:21 PM
Not sure what is different really, but I got it working like this:
ip access-list extended Internet
 deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip nat inside source list Internet pool wan_access overload
Thanks so much for your help!
05-23-2012 09:51 PM
I am glad to hear that, but the "ip any any" statement may cause issues later on.
Are you coming from a different network than the 104?
It is better to define the networks in question instead of any.
Thanks for rating the posts.
Sent from Cisco Technical Support Android App
05-24-2012 05:01 AM
Yes - I have 6 other VLANs and plan on adding many more. I only have 1 WAN interface I'm using for NAT outside, and don't plan on doing any other NATting except for VPNs.
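As an added example (not from any post in this thread), the Python below models the IOS order of operations behind the fix suggested above: inside-to-outside NAT is applied before the crypto map's match ACL is evaluated, so a packet that gets translated to the pool address never matches ACL 104 and is not tunnelled. It also shows why the later advice against "permit ip any any" matters: a second VLAN (10.10.101.0/24, constructed for this example) bound for the remote network is still translated, so a future tunnel for it would fail the same way unless it is exempted too. The ACL and pool model is a simplification; the addresses are the ones from the thread.

```python
import ipaddress

net = ipaddress.ip_network
addr = ipaddress.ip_address

LOCAL_104 = net("10.10.104.0/24")      # VLAN 104, the tunnelled local network
VLAN_101 = net("10.10.101.0/24")       # a second VLAN, constructed for this example
REMOTE = net("192.168.1.0/24")         # the remote office behind the IPsec peer
ANY = net("0.0.0.0/0")
POOL_WAN_ACCESS = addr("65.49.46.70")  # single-address overload pool "wan_access"

# ACLs as ordered (action, source, destination) entries; first match wins and
# there is an implicit deny at the end, as in IOS.
ACL_99_ORIGINAL = [("permit", LOCAL_104, ANY)]                        # NATs everything, VPN breaks
ACL_INTERNET_NAT = [("deny", LOCAL_104, REMOTE), ("permit", LOCAL_104, ANY)]  # suggested fix
ACL_INTERNET_ANY = [("deny", LOCAL_104, REMOTE), ("permit", ANY, ANY)]        # what the OP ended with
CRYPTO_ACL_104 = [("permit", LOCAL_104, REMOTE)]                      # crypto map match address


def match_acl(acl, src, dst):
    """Return the action of the first entry matching (src, dst), else 'deny'."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def forward(nat_acl, src, dst):
    """Simulate one inside->outside packet: NAT first, then the crypto map check.

    Returns (source address as seen by the crypto ACL, whether it is tunnelled).
    """
    translated = POOL_WAN_ACCESS if match_acl(nat_acl, src, dst) == "permit" else src
    encrypted = match_acl(CRYPTO_ACL_104, translated, dst) == "permit"
    return str(translated), encrypted


if __name__ == "__main__":
    host, peer_lan, internet = addr("10.10.104.5"), addr("192.168.1.10"), addr("198.51.100.1")
    print(forward(ACL_99_ORIGINAL, host, peer_lan))    # ('65.49.46.70', False): NATted, misses ACL 104
    print(forward(ACL_INTERNET_NAT, host, peer_lan))   # ('10.10.104.5', True): exempted, tunnelled
    print(forward(ACL_INTERNET_NAT, host, internet))   # ('65.49.46.70', False): internet still NATted
    print(forward(ACL_INTERNET_ANY, addr("10.10.101.5"), peer_lan))  # ('65.49.46.70', False)
```

The last line is the case the "define the networks" advice guards against: with "permit ip any any", every additional VLAN that later gets its own tunnel needs its own deny entry before it, or its traffic to the remote side is translated and dropped from the tunnel.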