Cisco IPSEC with NAT

Discussion in 'Cisco' started by bvlmv, Jan 30, 2005.

  1. bvlmv

    Hi,


    I've come to a standstill with my first simple IPSEC tunnel and I was
    looking for a second opinion. I have 2 bridged DSL circuits terminating on
    2610s with an ether module (System image file is
    "flash:c2600-ik9o3s3-mz.123-12a.bin"). I am able to surf on both ends
    but I can't seem to kick start the IPSEC tunnel and connect to the private
    side of each network. This is my config and any help would be greatly
    appreciated.
    Router A config is the following:


    Remote#


    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key TEE address 209.42.X.X
    !
    !
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
    !
    crypto map unite 1 ipsec-isakmp
    set peer 209.42.X.X
    set transform-set rtpset
    match address 101
    !
    !
    interface Ethernet0/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    half-duplex
    !


    !
    interface Ethernet1/0
    ip address 209.42.Y.Y 255.255.255.0
    ip nat outside
    no ip route-cache cef
    no ip route-cache
    half-duplex
    crypto map unite
    !
    ip nat pool apool 209.42.Y.Y 209.42.Y.Y netmask 255.255.255.0
    ip nat inside source route-map amap pool apool overload
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 209.42.Y.1
    !
    !
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map amap permit 102
    match interface Ethernet1/0
    !


    Router 2 says:


    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key TEE address 209.42.y.y
    !
    !
    crypto ipsec transform-set rtpset esp-des esp-md5-hmac
    !
    crypto map unite 1 ipsec-isakmp
    set peer 209.42.y.y
    set transform-set rtpset
    match address 101
    !


    !
    interface Ethernet0/0
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    half-duplex


    !
    interface Ethernet1/0
    ip address 209.42.x.x 255.255.255.0
    ip nat outside
    no ip route-cache cef
    no ip route-cache
    half-duplex
    crypto map unite
    !
    ip nat pool hdata 209.42.x.x 209.42.x.x netmask 255.255.255.0
    ip nat inside source route-map hmap pool hdata overload
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 209.42.x.1
    !
    !
    access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.2.0 0.0.0.255 any
    access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 permit ip 192.168.2.0 0.0.0.255 any
    !
    route-map hmap permit 102
    match interface Ethernet1/0
    !


    Debug shows the following:
    Remote#show crypto isakmp sa
    dst src state conn-id slot


    Remote#


    Remote2#show crypto isakmp sa
    dst src state conn-id slot
    Remote2#


    Thanks again,







    Helmut Ulrich Jan 27, 2:52 am

    Newsgroups: comp.dcom.sys.cisco
    From: Helmut Ulrich <> - Find messages by this author

    Date: Thu, 27 Jan 2005 11:52:59 +0100
    Local: Thurs, Jan 27 2005 2:52 am
    Subject: Re: CISCO IPSEC TUNNELS WITH NAT



    > ip nat pool apool 209.42.Y.Y 209.42.Y.Y netmask 255.255.255.0
    > ip nat inside source route-map amap pool apool overload
    > !
    > !
    > access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    > access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    > access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    > access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    > !
    > route-map amap permit 102
    > match interface Ethernet1/0
    > !



    I think the route-map is not doing what you want. Your route-map means
    that any traffic which is bound for interface Ethernet1/0 is matched
    and according to this NAT is done for this traffic.
    I think you only want that traffic which is matched in access list 102
    will be NATed.

    Your route-map should look like this:


    route-map amap permit 10
    match ip address 102


    Don't forget to do the same on the other router.


    After this, traffic from 192.168.1.0 to 192.168.2.0 should no longer be
    NATed and should be sent over the IPsec tunnel.







    bvlmv Jan 29, 5:37 pm

    Newsgroups: comp.dcom.sys.cisco
    From: "bvlmv" <> - Find messages by this author
    Date: 29 Jan 2005 17:37:17 -0800
    Local: Sat, Jan 29 2005 5:37 pm
    Subject: Re: CISCO IPSEC TUNNELS WITH NAT

    Hi, Thanks for your reply but unfortunately it still doesn't create the SA.
    Any other suggestions?
    Thanks,



     
    bvlmv, Jan 30, 2005
    #1

  2. RobO

    Hi,

    Make sure that you have changed the route-map settings removing the
    match-interface command like Helmut mentioned.

    Try using some different match acls for the crypto map like try a few
    combinations on both sides.

    For example:
    access-list 111 permit ip host (router_A_ext_ip) host (router_B_EXT_ip)

    access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

    Try the crypto map acls on both sides one by one together and run a
    debug against isakmp while trying to initiate connections.

    Some versions of IOS are funny with specific acls so its good to try as
    many combinations as possible to see.

    As soon as you get some debug output you should see what's going on.

    On your ethernet0 on both sides you can also apply the policy route-map
    "ip policy route-map hmap"
    see if that helps

    Good luck

    Rob
     
    RobO, Jan 30, 2005
    #2

  3. RobO

    Me again!

    Also make sure that your inbound access-list permits the specific
    traffic to allow the VPN to establish and traffic to pass, i.e.
    "isakmp/ike/udp500", esp, ip from both networks etc.

    Rob
     
    RobO, Jan 30, 2005
    #3
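Two points in this thread are worth checking in a small model: Helmut's diagnosis that the posted route-map (`match interface Ethernet1/0`) NATs everything leaving E1/0, so the 192.168.1.0 to 192.168.2.0 traffic is translated to the outside address before the crypto map looks at it and then no longer matches access-list 101 (consistent with the empty `show crypto isakmp sa` on both routers), and RobO's third post about what an inbound access-list has to permit. The Python below is an added example written for this page, not code from the thread or from Cisco. It implements IOS wildcard-mask ACL matching and runs Router A's posted ACLs 101 and 102 through both route-map variants, then through a constructed inbound ACL. Assumptions not stated by the thread: IOS applies inside-to-outside NAT before the crypto map on the outbound interface; the older IOS behaviour where the inbound interface ACL is also applied to the decrypted packet; the addresses 209.42.1.2 and 209.42.2.2 stand in for the masked 209.42.Y.Y and 209.42.X.X; and the inbound ACL is constructed, since the posted config has none.

```python
"""Model of the packet path the thread is debugging (added example, not from
the thread). Assumptions, none of which the thread states outright: IOS
applies inside->outside NAT before the crypto map on the outbound interface,
and older IOS checks the inbound interface ACL on the ESP packet and again on
the decrypted packet. 209.42.1.2 / 209.42.2.2 are placeholders for the masked
209.42.Y.Y / 209.42.X.X in the posted configs."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "udp" or "esp"
    dport: Optional[int] = None  # only meaningful for udp


@dataclass(frozen=True)
class Ace:
    """One line of a numbered extended IOS access-list."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    dport: Optional[int] = None


def _addr_match(addr: str, spec: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = parts
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_permits(acl: List[Ace], pkt: Pkt) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny, as on IOS."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False


# Router A's ACLs exactly as posted: 101 is the crypto map's "match address",
# 102 is what the NAT route-map was meant to consult.
ACL_101 = [Ace("permit", "ip", "192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255"),
           Ace("deny", "ip", "192.168.1.0 0.0.0.255", "any")]
ACL_102 = [Ace("deny", "ip", "192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255"),
           Ace("permit", "ip", "192.168.1.0 0.0.0.255", "any")]
OUTSIDE_IP = "209.42.1.2"   # placeholder for Router A's 209.42.Y.Y
PEER_IP = "209.42.2.2"      # placeholder for Router 2's 209.42.X.X


def nat_selected(pkt: Pkt, match_interface: bool) -> bool:
    """Does 'route-map amap' pick this packet for NAT?
    As posted ('match interface Ethernet1/0'): everything leaving E1/0.
    Helmut's fix ('match ip address 102'): only what ACL 102 permits."""
    return True if match_interface else acl_permits(ACL_102, pkt)


def outbound(pkt: Pkt, match_interface: bool) -> Tuple[Pkt, str]:
    """Inside->outside on E1/0: NAT decision first, crypto-map match on the
    result. Returns the packet as it leaves and 'ipsec' or 'clear'."""
    if nat_selected(pkt, match_interface):
        pkt = Pkt(OUTSIDE_IP, pkt.dst, pkt.proto, pkt.dport)   # PAT to E1/0's address
    return pkt, ("ipsec" if acl_permits(ACL_101, pkt) else "clear")


# A constructed inbound ACL for E1/0 of the kind RobO's third post asks for;
# the posted config has no inbound ACL, so this is what one would need to permit.
INBOUND_ACL = [
    Ace("permit", "udp", f"host {PEER_IP}", f"host {OUTSIDE_IP}", dport=500),  # ISAKMP/IKE
    Ace("permit", "esp", f"host {PEER_IP}", f"host {OUTSIDE_IP}"),             # IPsec ESP
    Ace("permit", "ip", "192.168.2.0 0.0.0.255", "192.168.1.0 0.0.0.255"),    # decrypted traffic
]


def inbound(esp_outer: Pkt, inner: Pkt) -> bool:
    """Outside->inside: the ACL must permit the ESP packet and, on older IOS,
    the decrypted inner packet as well."""
    return acl_permits(INBOUND_ACL, esp_outer) and acl_permits(INBOUND_ACL, inner)


if __name__ == "__main__":
    lan = Pkt("192.168.1.10", "192.168.2.20")
    for fixed in (False, True):
        out, how = outbound(lan, match_interface=not fixed)
        print(f"route-map {'match ip address 102' if fixed else 'match interface E1/0'}: "
              f"{lan.src}->{lan.dst} leaves as {out.src}->{out.dst}, {how}")
```

Run directly, the first line shows the LAN-to-LAN packet leaving in the clear with the outside address as its source, the second shows it leaving untranslated and matching the crypto map. The same model is a quick sanity check of a crypto ACL against its NAT exemption ACL before touching the router: the two must be mirror images (what 101 permits, 102 must deny), and the route-map must match the ACL, not the interface.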
  4. bvlmv

    GOT IT!
    Thanks for all the input, works like a charm!


     
    bvlmv, Jan 30, 2005
    #4
  5. Hansang Bae

    bvlmv wrote:

    > GOT IT!
    > Thanks for all the input, works like a charm!


    Keep an eye on it as IPSec tends to bomb out from time to time. Search
    for paranoid keepalives at CCO to see if your version does it
    automatically.

    Also, why did you turn off CEF and Fast switching on your dirty side
    Ethernet port?

    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
     
    Hansang Bae, Jan 31, 2005
    #5
