How to set a NAT on ipsec tunnel?

Imed
Level 1

I set up an IPsec tunnel between a Cisco router and a Fortigate firewall. The tunnel is up on both devices, but the two LAN subnets are unable to ping each other.

I saw lots of articles and tutorials and I am confused about the necessity of NAT on the Cisco side!

Please let me know: how important is NAT on an IPsec tunnel?

Here is the Cisco config summary:

------------------------------------------------------------------

 

Router(config)#do sh run
Building configuration...

Current configuration : 1437 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
ip dhcp excluded-address 10.10.20.2 10.10.20.20
!
ip dhcp pool my_lan
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key eve123 address 192.168.174.31
!
!
crypto ipsec transform-set fortigate esp-des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile phase2
set transform-set fortigate
set pfs group2
!
!
!
!
!
!
interface Tunnel10
ip unnumbered FastEthernet0/0
tunnel source 192.168.174.30
tunnel mode ipsec ipv4
tunnel destination 192.168.174.31
tunnel protection ipsec profile phase2
!
interface FastEthernet0/0
ip address 192.168.174.30 255.255.255.0
ip nat outside
duplex full
!
interface FastEthernet1/0
ip address 10.10.20.1 255.255.255.0
ip nat inside
duplex full
!
ip nat inside source list 99 interface FastEthernet0/0 overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.174.2
ip route 10.10.10.0 255.255.255.0 Tunnel10
!
access-list 99 permit 10.10.20.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

-----------------------------------------------------------------------------

 

20 Replies

Sure it does not work: the remote peer tunnel IP is the same as the tunnel destination?
No, that is wrong.

tunnel source 192.168.174.30
tunnel mode ipsec ipv4
tunnel destination 192.168.174.31

Imed
Level 1

Thank you for the response,

But what's wrong with it, since they ping each other?

Pinging the tunnel does not mean it works.
Try pinging the tunnel IP using a source; it will fail.
What you need is to use the WAN interface as source on the local peer and the WAN interface of the remote peer as destination.

Imed
Level 1

That's what I am using:

  • source = Cisco WAN interface
  • dest = Fortigate WAN interface

I didn't get your point: two devices living in the same subnet may cause the problem?

 

That is OK if you use the WAN interfaces as source and destination.

The only thing to change now is the tunnel IPs, to be:

10.0.0.1 local peer

10.0.0.2 remote peer

That didn't work either.

Share the latest config.

Router(config)#do show run
Building configuration...

Current configuration : 1601 bytes
!
! Last configuration change at 12:25:04 UTC Tue Dec 6 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
ip dhcp excluded-address 10.10.20.2 10.10.20.20
!
ip dhcp pool my_lan
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
dns-server 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 5
crypto isakmp key eve123 address 192.168.174.31
!
!
crypto ipsec transform-set fortigate esp-des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile pahse2
set pfs group5
!
crypto ipsec profile phase2
set transform-set fortigate
set pfs group2
!
!
!
!
!
!
interface Tunnel10
ip address 172.16.0.1 255.255.255.252
tunnel source 192.168.174.30
tunnel mode ipsec ipv4
tunnel destination 192.168.174.31
tunnel protection ipsec profile phase2
!
interface FastEthernet0/0
ip address 192.168.174.30 255.255.255.0
ip nat outside
duplex half
!
interface FastEthernet1/0
ip address 10.10.20.1 255.255.255.0
ip nat inside
duplex full
!
interface FastEthernet2/0
no ip address
shutdown
duplex full
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.174.2
ip route 10.10.10.0 255.255.255.0 Tunnel10
!
access-list 10 permit 10.10.20.0 0.0.0.255

!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

Please see the comment above.

Friend, I spent one hour looking at the config.
We are talking about a route-based VPN, so the NAT will not affect it.
There is something else:

ip route 0.0.0.0 0.0.0.0 192.168.174.2 <<<- what is this IP???
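The point about route-based VPN and NAT can be checked against the pasted config. The following is an added illustration, not code from this thread or from Cisco: it models the IOS rule that "ip nat inside source list ... interface Fa0/0 overload" only translates packets that enter an "ip nat inside" interface and leave an "ip nat outside" interface. The interface roles, routes and ACL are copied from the second config above; the routing lookup is a simplified longest-prefix match, and the default route is assumed to exit FastEthernet0/0 (192.168.174.2 is on that subnet).

```python
import ipaddress

# NAT role of each interface, from the pasted config.
INTERFACES = {
    "FastEthernet0/0": "outside",   # ip nat outside
    "FastEthernet1/0": "inside",    # ip nat inside
    "Tunnel10": None,               # the VTI carries no "ip nat" statement
}

# Connected networks and static routes (prefix, egress interface).
# Assumption: the default route's next hop 192.168.174.2 is reached via Fa0/0.
ROUTES = [
    ("192.168.174.0/24", "FastEthernet0/0"),
    ("10.10.20.0/24", "FastEthernet1/0"),
    ("0.0.0.0/0", "FastEthernet0/0"),      # ip route 0.0.0.0 0.0.0.0 192.168.174.2
    ("10.10.10.0/24", "Tunnel10"),         # ip route 10.10.10.0 255.255.255.0 Tunnel10
]

# access-list 10 permit 10.10.20.0 0.0.0.255
NAT_ACL = ["10.10.20.0/24"]


def egress_interface(dst):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def is_translated(src, dst, ingress="FastEthernet1/0"):
    """Return (translated, egress): True only when the packet crosses from an
    'inside' to an 'outside' interface AND the source matches the NAT ACL."""
    egress = egress_interface(dst)
    crosses_nat_domain = (INTERFACES.get(ingress) == "inside"
                          and INTERFACES.get(egress) == "outside")
    acl_match = any(ipaddress.ip_address(src) in ipaddress.ip_network(p)
                    for p in NAT_ACL)
    return crosses_nat_domain and acl_match, egress


if __name__ == "__main__":
    # LAN host to the remote Fortigate LAN: routed into Tunnel10, so no NAT.
    print(is_translated("10.10.20.5", "10.10.10.5"))   # (False, 'Tunnel10')
    # LAN host to the Internet: leaves Fa0/0, so PAT applies.
    print(is_translated("10.10.20.5", "8.8.8.8"))      # (True, 'FastEthernet0/0')
```

Because the tunnel traffic exits a VTI that is not marked "ip nat outside", the overload rule never touches it, which is why no NAT statement on the tunnel was needed once the lab worked.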

Welcome back friend,

It was a busy week; I've just got the time to rebuild my lab. I think the Cisco image I installed was corrupted, so I tried a different image.

And it works. I finally saw traffic in both directions, and I did not set any NAT setting on my tunnel interface.

But it keeps dropping.

Do you have any idea?

 

I've just unchecked the auto-negotiate option and it's fine now.

 

Keeps dropping?
How do you know the traffic is dropping?
