NAT traffic over a IPSec tunnel (ISR)

Similar Messages

• Not Seeing NAT Translations Across GRE IPSec Tunnel

  Hello,
  I have a P2P GRE over IPSec tunnel beween two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happeing because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
  Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
  Thanks for any help you guys may be able to provide!
  Anthony, CCNA (Network/Voice)

  Can you send over the configurations
  You seem to have a phase 1 issue, it's not negotiating correctly.
  Thanks

• All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

  Hi, all,
    I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site ,  I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
  Quote :
  Question ? :
  Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
  Dallas (Main) Lan Net is: 10.10.200.0/24
  Austin (Remote) LAN Net is: 10.20.2.0/24
  The Dallas (Main) site has a VPN config of:
  Local Net: 0.0.0.0/0
  Remote Net: 10.20.2.0/24
  The Austin (Remote) site has a VPN config of:
  10.20.2.0/24
  Remote Net: 0.0.0.0/0
  The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
  I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
  Answer:
  Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
  Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
  My question ?
  The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." what this mean and
  how to do it , could anybody give me the specific configuration ? thanks a lot.

  Thank you for Jouni's reply,  following is the configuration on Cisco 2800 router ,no firewall enable, :
  crypto isakmp policy 100
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
  crypto isakmp keepalive 60
  crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
  crypto dynamic-map IPsecdyn 100
  set transform-set IPsectrans
  match address 102
  crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
  interface Loopback1
  ip address 10.10.200.1 255.255.255.0
  interface FastEthernet0/0
  ip address 113.113.1.1 255.255.255.128
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map IPsecmap
  interface FastEthernet0/1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip route 0.0.0.0 0.0.0.0 113.113.1.2
  ip http server
  no ip http secure-server
  ip nat inside source list 100 interface FastEthernet0/0 overload
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 102 permit ip any 10.20.2.0 0.0.0.255

• Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel

  Hello,
  We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
  We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
  Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
  Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
  Questions:
  Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
  If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
  In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
  I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
  Please help.
  Thanks in advance,
  Nick

  We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
  If there are other suggestions, please advise.
  Thanks,
  Nick

• ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

  Hello!
  We have problems on central firewall with restricting traffic coming from remote office from IPsec. (The network sheme is attached)
  All branch offices are connected to central asa though IPsec.
  The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel
  According to the sheme:
  172.16.1.0/24 is on of the branch office LANs
  10.1.1.0/24 and 10.2.2.0/24 are central office LAN
  The crypto ACL looks like  permit ip 172.16.1.0/24 10.0.0.0/8
  The aim is to
  restrict access from 172.16.1.0/24 to 10.1.1.0/24
  When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok -  they are dropped by acl2
  When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is stateful firewall - traffic bypasses all access lists on a back path
  I thought that TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
  The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
  access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
  class-map tcp_bypass_map
  description "TCP traffic that bypasses stateful firewall"
  match access-list tcp_bypass_acl
  policy-map tcp_bypass_policy
  class tcp_bypass_map
  set connection advanced-options tcp-state-bypass
  service-policy tcp_bypass_policy interface outside
  service-policy tcp_bypass_policy interface inside
  Does anyone know, how to make TCP State Bypass works properly?

  I understand the pain of creating diffrent crypto for diffrent tunnels but i never come across better solution. However TCP state bypass is not going to help in regards to restrict access. TCP state bypass is a way to for FW to act like router which does not do statefull and I dont think that fits in your scenario.
  You can still control access on center site by using vpn-filters.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
  Thanks
  Ajay

• Tunnel Traffic going inside IPSEC tunnel

  Hi Everyone,
  Site A  has IP Sec Tunnel to Site B via ASA.
  Now Switch on Site A has GRE tunnel and destination of that tunnel is going inside the IPSEC tunnel.
  In other words IPSEC tunnel between 2 sites is also carrying the GRE Tunnel Traffic.
  Which command i can run on ASA to know if IPSEC is carrying GRE tunnel traffic  or
  What line in ASA config will tell me that this IPSEC is also carrying GRE tunnel traffic?
  Thanks
  MAhesh

  Hi Jouni,
  I can not put config here.
  But here is the info
  sh crypto map shows ASA  outside interface say GGG this interface has ipsec connection to other site.
  also sh conn all | inc GRE shows bunch of output.
  It shows ASA outside inetrface which is to WAN say GGG   8 times and it has say subnet range
  GRE GGG  10.22.31.4  XY 10.x.x.x.x
  GRE GGG  10.22.31.4  XY  10.x.x.x
  GRE GGG  10.22.31.3
  GRE GGG  10.22.31.3
  GRE GGG  10.22.31.3
  GRE GGG  10.22.31.4
  GRE GGG  10.22.31.4
  GRE GGG  10.22.31.4
  Where XY is interface of ASA which is next hop to tunnel destination.
  IP 10.x.x.x  is the tunnel source IP which is loopback on the switch.
  Do you know why it has 2 entries for same ASA  interface XY ?
  Also it has other entries for other ASA  interface.
  So does number of entries tell us number of GRE connections running ?
  Thanks
  MAhesh
  Message was edited by: mahesh parmar

• VLAN's over Internet/IPSec Tunnel

  Hi All !
  I have a problem.
  I have trunked 5 VLANS from various sites over sattelite and have them all ending on a hub router ,
  but my difficulty now is in getting them sent to the HQ over the internet.
  I have thought about only 2 ways of possibly being able to do this
  1. Get a leased Line :-)
  2. and the only feasable alternative ! is to get the VLANs sent per IPSec over the internet but this is my problem....
  How do I get a packet from a VLAN into an IPSec tunnel and vice versa ?
  What equipment would I need ? (more switches/routers)
  Do I need 1 IPSec tunnel for each VLAN to keep them separate from each other ?
  Can someone please help.

  You have posted this same question on the WAN Routing and Switching forum where it has gotten some responses. I suggest that we consolidate the discussion of this question on that forum.
  HTH
  Rick

• How to pass ra vpn subnet traffic through an ipsec tunnel

  Dear geeks,
  I have two sites lets call it main and dr connected via ipsec site to site vpn from cisco asa to cisco asa at both the ends. I also have Remote access vpn on both the ends  to the main site as well as on the dr site. 
  Now the question is if i connect to the ra vpn to the dr site can i pass the traffic from the ra subnet through the ipsec site to site to the main site so from the ra vpn connected pc i can directly access the servers in the main site also. the ra subnet traffic can it be included in the crypto access-list in the site to site .
  is there any drawbacks for this ..
  please do let me know if you need more details.
  thanks
  Manek

  This is a common implementation and described in numerous articles - it is often referred to as "hairpinning" or "U-Turn" as the traffic from RA VPN comes in via outside interface and then back out same interface to the peer site.
  Three things are generally required:
  1. the appropriate access-list entries (referenced by the crypto map associated with the tunnel)
  2. NAT exemption for the RA subnet traffic headed to the peer site
  3. permitting traffic via same-security-interface.
  (You'll generally get better visibility for this sort of question on the VPN forum. You can recategorize your original post via the widget in the top right.)

• Machine authentication over Client IPSEC tunnel

  I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA.  Our security folks just made me aware that in addition to the Radius authentication against AD credentials that they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machinea account in AD.
  I have been looking for a way to do this with the IPSEC client but havent found anything as yet.  Would appreciate any links that show me how to get this done.  Moving to Anyconnect isnt an option at this point due to budgetary issues.  I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.
  What I may be looking at might be NAC (Network Admission Control ?).  Looking for all suggestions at this point.
  Thanks,
  Ron

  I've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.
  But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.
  I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference.

• Can ASA send it's syslogs over it's own IPsec tunnel?

  I'd like to send syslogs etc sourced on an ASA to a destination that is connected via an IPsec tunnel on the ASA sourcing the traffic. Is this possible?
  I'd have to have a a no-nat matching the traffic and also "same-security-traffic permit intra-interface". But which interface would I put on my "logging host" statement?
  Appreciate any pointers

  * Yes, the ASA can source traffic which can be sent over an IPSec tunnel.
  * For a syslog, you will want to create a site-to-site VPN connection (as opposed to configuring the ASA as a VPN head-end).
  * You will not need the 'same-security-traffic permit intra-interface' command -- the syslog traffic is being source from the ASA itself -- the syslog traffic is not being sourced 'from an interface'.
  * You will not need the 'no-nat' command either. Once again the syslog traffic is not traversing from one interface to another interface; therefore, an xlate will not be created.
  * When configuring your site-to-site VPN tunnel, you must specify 'interesting' traffic which is to be encrypted. Traffic from the ASA to the Syslog server should be marked as interesting (by matching the ACL which defines interesting traffic).
  * you specific the interface off which the syslog server resides in the 'logging host' command.
  In other words:
  * say your syslog server has IP address 1.1.1.1 which resides on the Internet.
  * say your outside interface on your ASA has an ip address of 200.200.200.200
  * say your syslog server is located at a remote operations center which reside on the Internet. You will create a VPN tunnel from the remote operations center to your ASA (site-to-site tunnel). Create an ACL for interesting traffic that says to 'permit ip host 200.200.200.200 host 1.1.1.1' to mark traffic as interesting from the ASA to the syslog server.
  * you will specify the outside interface in your 'logging host' command.
  THINGS YOU DON'T NEED:
  Because the syslog traffic is not transitting from one interface to another interface:
  * you do not need to configure an ACL to permit syslog traffic to leave the ASA to go to the syslog server
  * you do not need to configure NAT. An xlate is not required.
  Let me know if this gets you going. I would be happy to set this up in a lab environment to provide you a sample configuration if you need it. I don't have a syslog server but could demonstrate this by running administrative traffic to and from the ASA via the VPN tunnel.
  Regards,
  Troy

• IPSec tunnel and policy NAT question

  Hello All!
  I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
  1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
  2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
  I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
  Here is the configuration
  Remote end  crypto interesting ACL:
  ip access-list extended crypto-interesting-remote
  permit ip host 192.168.1.10 host 10.0.0.10
  My end configuration:
  interface GigabitEthernet0/0
  ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map VPN
  ip access-list extended crypto-interesting-local
  permit ip host 10.0.0.10 host 192.168.1.10
  interface GigabitEthernet0/3
  ip address 172.16.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  speed auto
  ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
  ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
  ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
  ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
  All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
  Any response highly appreciated!
  Thanks!

  Figured that out.
  The problem was in route
  ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
  should be next-hop IP address instead of interface gigabitethernet0/0
  Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside

• Static NAT with IPSec tunnel

  Hi,
  I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.  I am fairly new to networking so forgive me if I ask some really silly questions!
  I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
  There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
  From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
  So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
  The configuration can be seen below for the NAT part;
  ! Denies vpn interesting traffic but permits all other
  ip access-list extended NAT-Traffic
  deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
  deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
  deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
  deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
  deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
  deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
  deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
  deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
  permit ip any any
  ! create route map
  route-map POLICY-NAT 10
  match ip address NAT-Traffic
  ! static nat
  ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
  ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
  ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
  ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
  Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
  Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
  Many thanks in advance
  Brian

  Hi,
  Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
  Thanks
  Brian

• Ipsec tunnel possible with Checkpoint ngx 6.5 and Cisco ISR-dual ISP?

  Hi Gurus,
  I have a requirement to fulfill in that there are 2 sites that I need to create an ipsec tunnel. A remote site running a Checkpoint ngx 6.5 and a local site with 2 different ISPs and 2 x ISR 29xx routers for both ISP and hardware redundancy. I have only done the vpn setup with one ISR and ISP1 so far.
  I am planning to have just 1 ISR (ISR1) and ISP1  being active at any given time. If ISP1 or ISR 1 goes out, all traffic should fail over to ISR2 with ISP2.
  is this possible with the ISRs?
  Checkpoint does not appear to allow seeing the different ISRs with 2 possible WAN ip addresses with the same encryption domain or 'interesting traffic', so i am not sure if this work at all.
  BGP won't be used.
  I have looked at ip sla, pbr, and it appears that the best I could achieve would be vpn traffic via ISR1 and ISP1, and could failover only the non vpn traffic to ISR2 and ISP2.  Please correct me if I am wrong....many thanks.
  Any ideas will be greatly appreciated..
  Civicfan

  I found the problem but dont know how to fix it now!
  Problem is on siteB with using the same ACL name "siteA" in both sequence numbers in cryptomap "outside_map"
  crypto map outside_map 9 match address SiteA
  crypto map outside_map 9 set peer 212.89.229.xx
  crypto map outside_map 9 set transform-set ESP-AES-256-SHA
  crypto map outside_map 9 set security-association lifetime seconds 28800
  crypto map outside_map 9 set security-association lifetime kilobytes 4608000
  crypto map outside_map 10 match address SiteA
  crypto map outside_map 10 set peer 212.89.235.yy
  crypto map outside_map 10 set transform-set ESP-AES-256-SHA
  crypto map outside_map 10 set security-association lifetime seconds 28800
  crypto map outside_map 10 set security-association lifetime kilobytes 4608000
  If I remove:
  no crypto map outside_map 9 match address SiteA
  the IPSEC through 2nd ISP on siteA is working correct

• IPSEC tunnel with NAT and NetMeeting

  I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
  Thanks,

  The following doc should help...
  http://www.cisco.com/warp/public/707/ipsecnat.html

• AP registration over IPSEC Tunnel(ASA)

  Guys, 
  I have my WAP sitting behind ASA and have ipsec tunnel between ASA and router.below is the topology:-
  WAP>>ASA<<< IPSEC TUNNEL>>> Router<<<WLC
  Recently we have replaced router with ASA 5505 for security reasons and since then WAP is not able to registered to WLC. we have VPN tunnel up and working. Even WAP is able to ping to WLC ip address.
  Do we have any special configuration in my ASA considering my above topology. I can confirm that capwap and lwap ports are opened in asa.
  Please let me know if some one has faced this issue before.

  Hi,
  I hope you have already allowed the below mentioned ports as per your requirement.
  You must enable these ports:
  Enable these UDP ports for LWAPP traffic:
  Data - 12222
  Control - 12223
  Enable these UDP ports for mobility traffic:
  16666 - 16666
  16667 - 16667
  Enable UDP ports 5246 and 5247 for CAPWAP traffic.
  TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
  These ports are optional (depending on your requirements):
  UDP 69 for TFTP
  TCP 80 and/or 443 for HTTP or HTTPS for GUI access
  TCP 23 and/or 22 for Telnet or SSH for CLI access
  Also if it goes over the IPSec VPN, MTU size  for the path between AP and WLC should be of 1500, if it has the lesser MTU, then communication fails.
  Can you get me your WLC and ASA OS versions?
  Regards
  Karthik