Why is this happening?

Discussion in 'Cisco' started by Tomasz Grzelak, May 11, 2006.

  1. Hi!

    I've got the topology:


    [LAN1]--|VPN box 1|--Cisco1800--..Inet..--|VPN box 2|--[LAN2]
                 |                                  |
                 -----------IPSec tunnel-------------


    Cisco1800 is a NAT router with one public IP, say W.X.Y.Z.
    VPN box 1 has a private IP, and VPN box 2 has a public IP. There is a
    tunnel established between the vpn gateways. This is working fine, and I
    have a connection between LAN1 and LAN2.

    But I don't understand one thing: every connection that I make from the
    Internet to the router's public IP is forwarded to the VPN box 1; suppose:

    I telnet to the W.X.Y.Z, and I get the VPN box 1 management console. I
    open a web browser and go to https://W.X.Y.Z and I get the VPN box 1 WWW
    interface.
    Why is this happening?

    I'd like to forward only VPN traffic to the VPN box 1, which are IKE and
    ESP protocols. How can I do that?

    I attach my router config below.

    Thank you,
    Tomasz Grzelak

    ------------------------------------------------------

    interface FastEthernet0/0
    ip address W.X.Y.Z 255.255.255.240
    ip nat outside
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 10.44.44.1 255.255.255.0
    ip nat inside
    duplex auto
    speed auto
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 W.X.Y.G
    no ip http server
    ip nat inside source list 10 interface FastEthernet0/0 overload
    ip nat inside source static esp 10.44.44.254 interface FastEthernet0/0
    !
    !

    access-list 10 permit any

    !
    control-plane
    !
    !
    line con 0
    logging synchronous
    line aux 0
    line vty 0 4
    password 7 08274217114B0A0402
    logging synchronous
    login
    transport input telnet
     
    Tomasz Grzelak, May 11, 2006
    #1

  2. Don't know offhand, but this is bad ju-ju in a NAT config:

    !
    access-list 10 permit any
    !

    NAT ACLs should only match the traffic you want to be natted. If you
    tell NAT to modify any old traffic, it will, and the result may not be
    what you want or expect. Not saying it's causing the problem but it ought
    to be fixed.

    Looking at Cisco IOS NAT Application Layer Gateways,
    http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a00801af2b9.shtml

    Single IPsec ESP Mode tunnels in a Port Address Translation (PAT)
    configuration

    # Release 12.2(1.4)Mainline
    # DDTS CSCdu28439
    # Single IPsec ESP mode tunnel at a time, first step prior to adding
    support for multiple concurrent IPsec tunnels in a PAT configuration in
    Release 12.2(13)T
    # A new extended entry derived from this translation
    # Traffic must be generated from the "inside"
    # New CLI
    [no] ip nat inside source static esp <IL address> interface <Interface name>

    Multiple IPsec ESP Mode tunnels in a (PAT) configuration

    # Release 12.2(13)T
    # Ability to support multiple IPsec ESP mode tunnels in a PAT/Overload
    configuration
    # For IPsec peers that do not support NAT-T (UDP wrapping)

    The static esp command "might" also be natting more traffic than you
    want, so if your IOS doesn't need it you might get rid of it.

    Commands that may prove useful:

    show ip nat trans
    show ip nat stat
    debug ip nat

    All the usual debug caveats apply.
     
    Martin Gallagher, May 12, 2006
    #2

  3. But the problem is I want all traffic to be NATted - VPN box 1 needs
    full Internet access, and additionally it needs the tunnel with VPN box 2.

    Looking at Cisco IOS NAT Application Layer Gateways,

    I looked at the site, read the info, but IOS on my router is 12.3(8)T5,
    so it is fresh enough I suppose...
    So how can I tell the router to forward all esp traffic to the VPN box 1?
    Thank you for your reply!
    Tomasz Grzelak
     
    Tomasz Grzelak, May 12, 2006
    #3
  4. Sometimes you get what you ask for. All traffic includes local router
    traffic, and a side effect of natting local router traffic is that you
    can't telnet, ssh etc. to the router public IP address. Only traffic with
    10.44.44.0/24 source addresses needs to be natted so you should
    change your NAT ACL to match those addresses.

    !
    access-list 10 permit 10.44.44.0 0.0.0.255
    !

    Perhaps you should look at using NAT Traversal on your VPN concentrators.
    Search for "vpn concentrator nat traversal" on cisco.com. That should
    allow you to get rid of the static esp command in your router.

    This assumes that the static esp command is somehow involved in your
    original problem, which we don't really know.
     
    Martin Gallagher, May 14, 2006
    #4
  5. I changed 'permit any' to the above. But it was one step. I had to
    remove 'ip nat inside source static esp...' in the second.
    After that I can telnet to the router from the Internet.

    But now I cannot reach LAN1 from LAN2 sometimes. There is no problem
    reaching LAN2 from LAN1.
    I suppose that the router establishes temporary esp NAT entry when
    connecting LAN2 from LAN1. After that I can connect to LAN1 from LAN2.
    But if there is no traffic for a longer time, I cannot connect from LAN2
    to LAN1.
    These are only my 'supposes'... I have to investigate them deeper.
    I tried to avoid NAT-T to check if the 'normal' vpn tunnel would have
    established. But because of the problems I will probably have to
    consider implementing NAT-T.
    It looks like it is involved.

    If you have any ideas how to solve the problem without NAT-T, let me
    know please.
    Thank you for your help.

    Tomasz Grzelak
     
    Tomasz Grzelak, May 15, 2006
    #5
  6. OK, so the static entry was interfering as well. Did you get a "show ip
    nat translations" before and after to see what was in there? Have you
    tried putting the static back to see if it was a temporary condition or
    if it's always there when the static is there?
    Your supposes are correct. LAN2 -> LAN1 traffic will only get through
    the router if there is a matching translation in the NAT translation
    table, and when you are using dynamic NAT, i.e. no static NAT, entries
    in the table are only created by traffic that crosses the router from
    nat inside interface to nat outside interface.

    Dynamic NAT translations do have an inactivity timeout. You can use "show
    ip nat translations verbose" to (maybe) see what the timeout is, and you
    might be able to use "ip nat timeout" to change it. Otherwise you might
    need to provide some sort of keepalive traffic to ensure the translations
    don't time out.
     
    Martin Gallagher, May 15, 2006
    #6
  8. Hi,

    There are in fact "nat esp" related bugs in your software.
    Not an exact match but pretty close looking.

    Suggest at least 12.3.10T.

    I would fancy going to the latest quite frankly, or
    maybe the one before.
     
    anybody43, May 16, 2006
    #8
  9. After some connections from LAN1 to LAN2 have been established, I can
    connect in the opposite way. Look at A) (below) to see the 'sh ip nat
    translations [verbose]' output.

    After a timeout has expired, I can't connect; look at B) for NAT info

    But when I put the static esp nat entry back, I can connect from LAN2 to
    LAN1 immediately. But also I lose the connection from the Internet to
    the router. I can't telnet to it any more. I have to go to LAN1 and
    telnet to the router inside address.

    Is it an IOS bug or normal behaviour with that static esp entry?
    Maybe upgrading IOS is the solution?
    You mean some device in the LAN1 periodically pinging an IP address from
    LAN2... That could be a solution.

    Anyway, I would like to have the possibility to get from LAN2 to LAN1
    any time, and also to the router from the Internet.
    If I get newer IOS, I'll try that first. If not, I will have to put some
    'pinger' to the LAN1.

    Thank you,
    Tomasz Grzelak

    ----------------------------------------------------------------------

    A)

    Router>sh ip nat translations
    Pro Inside global     Inside local           Outside local   Outside global
    esp W.X.Y.Z:0         10.44.44.254:0         A.B.C.D:0       A.B.C.D:EA52915D
    tcp W.X.Y.Z:22        10.44.44.254:22        ---             ---
    tcp W.X.Y.Z:443       10.44.44.254:443       ---             ---
    udp W.X.Y.Z:500       10.44.44.254:500       ---             ---
    udp W.X.Y.Z:4500      10.44.44.254:4500      ---             ---
    esp W.X.Y.Z:0         10.44.44.254:7FFD      A.B.C.D:0       A.B.C.D:0
    esp W.X.Y.Z:0         10.44.44.254:F3087FFD  A.B.C.D:0       A.B.C.D:0

    Incomplete ESP translations:
    0 esp_conn=0x62864D58, hanging off nat entry 0x6282EE10


    Router>sh ip nat translations verbose
    Pro Inside global     Inside local           Outside local   Outside global
    esp W.X.Y.Z:0 10.44.44.254:0 A.B.C.D:0 A.B.C.D:EA52915D
    create 00:01:23, use 00:00:04 timeout:0, timing-out,
    flags:
    extended, esp-notimeout, use_count: 1, entry-id: 417, lc_entries: 0
    tcp W.X.Y.Z:22 10.44.44.254:22 --- ---
    create 1d03h, use 12:17:10 timeout:0, timing-out,
    flags:
    extended, extendable, static, use_count: 0, entry-id: 28, lc_entries: 0
    tcp W.X.Y.Z:443 10.44.44.254:443 --- ---
    create 1d03h, use 1d03h timeout:0, timing-out,
    flags:
    extended, extendable, static, use_count: 0, entry-id: 10, lc_entries: 0
    udp W.X.Y.Z:500 10.44.44.254:500 --- ---
    create 1d04h, use 00:00:55 timeout:0, timing-out,
    flags:
    extended, extendable, static, use_count: 2, entry-id: 2, lc_entries: 0
    udp W.X.Y.Z:2179 10.44.44.254:2179 153.19.250.123:123 153.19.250.123:123
    create 00:04:47, use 00:04:47 timeout:300000, left 00:00:12,
    Map-Id(In): 1,
    flags:
    extended, use_count: 0, entry-id: 415, lc_entries: 0
    udp W.X.Y.Z:4500 10.44.44.254:4500 --- ---
    create 1d04h, use 1d04h timeout:0, timing-out,
    flags:
    extended, extendable, static, use_count: 0, entry-id: 1, lc_entries: 0
    esp W.X.Y.Z:0 10.44.44.254:7FFD A.B.C.D:0 A.B.C.D:0
    create 00:00:55, use 00:00:52 timeout:300000, left 00:04:07,
    Map-Id(In): 1,
    flags:
    extended, use_count: 0, entry-id: 419, lc_entries: 0
    esp W.X.Y.Z:0 10.44.44.254:F3087FFD A.B.C.D:0 A.B.C.D:0
    create 00:01:23, use 00:00:18 timeout:300000, left 00:04:41,
    Map-Id(In): 1,
    flags:
    extended, use_count: 0, entry-id: 416, lc_entries: 0

    Incomplete ESP translations:
    0 esp_conn=0x62864D58, hanging off nat entry 0x6282EE10

    -----------------------------------------------------------------------

    B)
    Router>sh ip nat translations
    Pro Inside global     Inside local           Outside local   Outside global
    tcp W.X.Y.Z:22        10.44.44.254:22        ---             ---
    tcp W.X.Y.Z:443       10.44.44.254:443       ---             ---
    udp W.X.Y.Z:500       10.44.44.254:500       ---             ---
    udp W.X.Y.Z:4500      10.44.44.254:4500      ---             ---


    Router>sh ip nat translations verbose
    Pro Inside global     Inside local           Outside local   Outside global
    tcp W.X.Y.Z:22 10.44.44.254:22 --- ---
    create 1d03h, use 12:39:15 timeout:0, timing-out,
    flags:
    extended, extendable, static, use_count: 0, entry-id: 28, lc_entries: 0
    tcp W.X.Y.Z:443 10.44.44.254:443 --- ---
    create 1d04h, use 1d04h timeout:0, timing-out,
    flags:
    extended, extendable, static, use_count: 0, entry-id: 10, lc_entries: 0
    udp W.X.Y.Z:500 10.44.44.254:500 --- ---
    create 1d04h, use 00:06:50 timeout:0, timing-out,
    flags:
    extended, extendable, static, use_count: 1, entry-id: 2, lc_entries: 0
    udp W.X.Y.Z:4500 10.44.44.254:4500 --- ---
    create 1d04h, use 1d04h timeout:0, timing-out,
    flags:
    extended, extendable, static, use_count: 0, entry-id: 1, lc_entries: 0
     
    Tomasz Grzelak, May 16, 2006
    #9
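Martin's explanation in #6 (LAN2 -> LAN1 only works while a matching translation exists) can be checked mechanically against the listings in #9. The following parser is an added example, not code from the thread; SAMPLE_A and SAMPLE_B are constructed excerpts modelled on the A) and B) output above, and `inbound_match` applies the matching rule Martin describes (static entries accept any peer, dynamic entries only the peer that created them).

```python
"""Parse 'show ip nat translations [verbose]' and check whether an unsolicited
packet on the NAT outside interface finds a translation (added example; the
samples are constructed excerpts modelled on listings A) and B) above)."""
import re

SAMPLE_A = """\
Pro Inside global   Inside local        Outside local   Outside global
esp W.X.Y.Z:0       10.44.44.254:0      A.B.C.D:0       A.B.C.D:EA52915D
  create 00:01:23, use 00:00:04 timeout:0, timing-out,
  flags:
extended, esp-notimeout, use_count: 1, entry-id: 417, lc_entries: 0
udp W.X.Y.Z:500     10.44.44.254:500    ---             ---
  create 1d04h, use 00:00:55 timeout:0, timing-out,
  flags:
extended, extendable, static, use_count: 2, entry-id: 2, lc_entries: 0
esp W.X.Y.Z:0       10.44.44.254:7FFD   A.B.C.D:0       A.B.C.D:0
  create 00:00:55, use 00:00:52 timeout:300000, left 00:04:07,
  flags:
extended, use_count: 0, entry-id: 419, lc_entries: 0
"""
SAMPLE_B = """\
Pro Inside global   Inside local        Outside local   Outside global
udp W.X.Y.Z:500     10.44.44.254:500    ---             ---
udp W.X.Y.Z:4500    10.44.44.254:4500   ---             ---
"""
ROW = re.compile(r"^(tcp|udp|esp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse(output):
    """One dict per translation; 'left' is the remaining dynamic lifetime."""
    entries = []
    for line in (l.strip() for l in output.splitlines()):
        m = ROW.match(line)
        if m:
            proto, ig, il, _ol, og = m.groups()
            entries.append({"proto": proto, "inside_global": ig, "inside_local": il,
                            "outside_global": og, "flags": set(), "left": None})
        elif entries and line.startswith("create"):
            left = re.search(r"left (\S+),", line)
            entries[-1]["left"] = left.group(1) if left else None
        elif entries and "use_count" in line:   # flags line of verbose output
            entries[-1]["flags"] = {t.strip() for t in line.split(",") if ":" not in t}
    return entries

def inbound_match(entries, proto, dst_ip, dst_port, src_ip):
    """Entry an outside->inside packet hits, or None.  Static ('---') entries
    accept any peer, dynamic ones only their creator; ESP has no ports."""
    for e in entries:
        ip, port = e["inside_global"].rsplit(":", 1)
        if e["proto"] != proto or ip != dst_ip or (proto != "esp" and port != str(dst_port)):
            continue
        if e["outside_global"] == "---" or e["outside_global"].split(":")[0] == src_ip:
            return e
    return None
```

Run against the two samples, ESP from A.B.C.D finds a (dynamic, timing out) entry in A) and nothing in B), while IKE on UDP/500 always lands on the static entry; a telnet to W.X.Y.Z:23 matches nothing in either, which is why the router itself answers once `permit any` is gone.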
  10. My situation looks almost the same as in the article, besides the VPN
    gateways that are not Cisco routers.
    I suppose it could be a bug in the IOS, and I'll try to upgrade it.
    If I can't get one, I'll implement another solution suggested by Martin
    Gallagher. Or I'll try NAT-T.
    I don't know yet.

    Thank you,
    Tomasz Grzelak
     
    Tomasz Grzelak, May 16, 2006
    #10
  11. I'll reply to myself:
    upgrading IOS solved the problem, it is the solution!
    Now I can telnet to the router from the internet and have the tunnel
    established all the time! :)

    Tomasz Grzelak
     
    Tomasz Grzelak, May 19, 2006
    #11
