Not Seeing NAT Translations Across GRE IPSec Tunnel

Hello,
I have a P2P GRE over IPSec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing, however, are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
Thanks for any help you guys may be able to provide!
Anthony, CCNA (Network/Voice)

Can you send over the configurations?
You seem to have a phase 1 issue, it's not negotiating correctly.
Thanks

Similar Messages

  • "Discovering Proxy" across an IPSEC Tunnel over wireless

    Bear with me here, there are lot of moving parts in this puzzle, and I'm unsure where to look.
    Users are using IE7 (some IE8s), group policy has "Automatically Detect Settings", we have published a WPAD DNS entry, and we are hosting the PAC file on the S370 box. We're very early in our deployment, so we're still functioning in "Monitor mode" until management has some information and directs us on what traffic they will allow.
    The majority of users are located at our main site, the same site our proxy is at; these users are having zero problems. For all intents and purposes, they don't even know the proxy is there.
    About 30% of our users are located at remote sites. They are connected via an IPSEC L2L VPN tunnel (ASA5505 at remote site, connecting to an ASA5550 at main site).
    The users using a wired connection work fine.
    Wireless users, connecting via LWAPP access points (Wireless LAN controller version 4.2.176.0) at the remote sites, experience a delay connecting to the proxy, usually a few minutes. I actually believe that they are bypassing the proxy, since it takes two minutes. Unfortunately, most of my users at the remote sites are wireless.
    Things I'm immediately going to try are upgrading to the latest version of WLAN controller software and then opening a TAC case on the wireless LAN controller, but before I do this, has anyone run across something similar to this before? (Proxy discovery having issues across an IPSEC tunnel)
    Mike

    Hi Javier,
    Please explain to me how I should explain this technically elaborate issue to either ISP tech support? :-P
    Well, I tried my best and ended up on the phone for 5 hours with 6 different techs between Verizon and TWC BC. I should get paid for explaining the basics of networking to them.
    Anyhow, my last desperate attempt was to ask the tech to reboot my ONT so I'd get a new IP. Maybe some traffic balancer or filter didn't like my source and destination IP combination. Maybe it was cursed.
    Ring. Ring. I finally got an awesome tech (John) from Verizon who actually knew what he was talking about. I connected my Verizon supplied router again and asked if he could log into it or run pings from it remotely (to show him that I'm not crazy). Though other techs told me that was not possible, he did in just a few seconds without much pain. He saw the pings failing as well. Then he said pings from the Verizon ONT gateway were successful, so I assumed it must have been an issue somewhere in Verizon's neck of the (network) woods where the problem persisted.
    Long story short: The new IP address worked like a charm and no more packet drops.

  • NAT traffic over a IPSec tunnel (ISR)

    Hi.
    I'm supposed to set up an IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isn't that big of a deal, but the system manager on the "CheckPoint side" wants the traffic through the tunnel to originate from a public IP address, and only one source IP address.
    So, let's say that my ISP has given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP address from the range 192.168.10.0/24, and the remote application in the "Checkpoint site" has the IP address 172.16.1.10. The result of this should be:
    IPSec tunnel is created using the 10.10.1.1 IP-address.
    The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as source address OVER the IPSec tunnel.
    Is this possible? I guess that it would mean that I have to NAT the traffic going through the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
    Anyone who could shed some light? Any insight appreciated.
    Cheers!
    /Johan Christensson

    Thanks jjohnston1127!
    Well, I guess that it would work, and I wasn't that far off, but I got stuck in the "ip nat inside" rule when I had to specify either a pool or an interface. It didn't occur to me that a pool could consist of just 1 IP address.
    However, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPSec configuration currently looks something like this:
    access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
    If I change it to something like this, the tunnel negotiation gets triggered.
    access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
    However, I assume that the negotiation fails because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.
    Is this because the NATing doesn't get processed before the IPSec configuration?
    Can this behavior be changed?
    Best regards,
    Johan Christensson
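A small model, added here and not part of the thread, of why the crypto ACL has to describe the post-NAT addresses: on IOS the inside-to-outside path applies NAT before the crypto map is consulted, and the phase 2 identities must mirror the peer's. The function names, the overload pool and the assumed CheckPoint-side policy are illustrative, not Johan's configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    """One 'permit ip <src> <src-wc> <dst> <dst-wc>' entry; 'host x' is x with wildcard 0.0.0.0."""
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return wildcard_match(src, self.src, self.src_wc) and wildcard_match(dst, self.dst, self.dst_wc)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    return any(ace.matches(src, dst) for ace in acl)


@dataclass
class NatRule:
    """Models 'ip nat inside source list <acl> pool <pool> overload' with a one-address
    pool (overload is an assumption made here so that every client can share 10.10.1.2)."""
    match_acl: List[Ace]
    inside_global: str


def nat_inside_to_outside(src: str, dst: str, rule: NatRule) -> str:
    """Rewrite the source to the inside-global address when the NAT ACL matches."""
    return rule.inside_global if acl_permits(rule.match_acl, src, dst) else src


def forward(src: str, dst: str, nat: NatRule, crypto_acl: List[Ace]) -> Tuple[str, bool]:
    """IOS inside-to-outside order of operations: NAT runs before the crypto map is
    consulted, so the crypto ACL sees the translated source. Returns (source on the
    wire, whether the crypto ACL claimed the packet for encryption)."""
    wire_src = nat_inside_to_outside(src, dst, nat)
    return wire_src, acl_permits(crypto_acl, wire_src, dst)


def mirrors(local_acl: List[Ace], peer_acl: List[Ace]) -> bool:
    """Phase 2 proxy identities must be mirror images of each other."""
    return all(any(a.src == p.dst and a.src_wc == p.dst_wc and a.dst == p.src and a.dst_wc == p.src_wc
                   for p in peer_acl) for a in local_acl)


# Johan's addressing: clients 192.168.1.0/24, remote application 172.16.1.10,
# tunnel traffic must appear to come from the single public address 10.10.1.2.
NAT = NatRule([Ace("192.168.1.0", "0.0.0.255", "172.16.1.10", "0.0.0.0")], "10.10.1.2")
# access-list 150 permit ip host 10.10.1.2 host 172.16.1.10  (his original line)
CRYPTO_POST_NAT = [Ace("10.10.1.2", "0.0.0.0", "172.16.1.10", "0.0.0.0")]
# access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10  (the line he tried next)
CRYPTO_PRE_NAT = [Ace("192.168.1.0", "0.0.0.255", "172.16.1.10", "0.0.0.0")]
# What the CheckPoint side expects (assumed from Johan's description of the remote requirement).
PEER_ACL = [Ace("172.16.1.10", "0.0.0.0", "10.10.1.2", "0.0.0.0")]

if __name__ == "__main__":
    for label, acl in (("post-NAT crypto ACL", CRYPTO_POST_NAT), ("pre-NAT crypto ACL", CRYPTO_PRE_NAT)):
        wire_src, encrypted = forward("192.168.1.20", "172.16.1.10", NAT, acl)
        print(f"{label}: source on wire {wire_src}, encrypted={encrypted}, "
              f"mirrors peer={mirrors(acl, PEER_ACL)}")
```

With the post-NAT ACL the translated packet is claimed for encryption and the identities mirror the peer; with the pre-NAT ACL the same packet leaves the NAT stage as 10.10.1.2, misses the crypto ACL, and the local identity no longer mirrors the peer's.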

  • Help getting GRE IPsec tunnel setup

    We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
    There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices. The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well. The default route is to use the ASA. We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.
    I have attached a PDF that shows a general overview.
    Right now I am not able to get the tunnel set up. It appears that the offsite datacenter is sending packets but is not receiving any when I issue the "show crypto ipsec sa" command on both firewalls. I will show the output of that command below.
    Main Office
    The external address     198.40.227.50.
    The loopback address   10.254.10.6
    The tunnel address        10.2.60.1
    Offsite Datacenter
    The external address     198.40.254.178
    The loopback address   10.254.60.6
    The tunnel address        10.2.60.2
    The main office PIX515 Config (Edited – if I am missing something that you need please let me know).
    PIX Version 7.2(2)
    interface Ethernet0
    mac-address 5475.d0ba.5012
    nameif outside
    security-level 0
    ip address 198.40.227.50 255.255.255.240
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.10.10.3 255.255.0.0
    access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6
    access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6
    global (outside) 1 interface
    nat (outside) 1 10.60.0.0 255.255.0.0
    nat (inside) 0 access-list noNat
    route outside 0.0.0.0 0.0.0.0 198.40.227.49 1
    route inside 10.60.0.0 255.255.0.0 10.10.10.1 1
    route inside 10.254.10.6 255.255.255.255 10.10.10.253 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 10 match address outside_cryptomap_60
    crypto map cr-lakeavemap 10 set peer 198.40.254.178
    crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
    crypto map cr-lakeavemap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 10 retry 2
    tunnel-group 198.40.254.178 type ipsec-l2l
    tunnel-group 198.40.254.178 ipsec-attributes
    The offsite datacenter PIX501 config (again edited)
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6
    access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6
    mtu outside 1500
    mtu inside 1500
    ip address outside 198.40.254.178 255.255.255.240
    ip address inside 10.60.10.2 255.255.0.0
    route outside 0.0.0.0 0.0.0.0 198.40.254.177 1
    route inside 10.2.60.2 255.255.255.255 10.60.10.1 1
    route inside 10.254.60.6 255.255.255.255 10.60.10.1 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN
    crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 10 ipsec-isakmp
    crypto map cr-lakeavemap 10 match address crvpn
    crypto map cr-lakeavemap 10 set peer 198.40.227.50
    crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
    crypto map cr-lakeavemap client authentication LOCAL
    crypto map cr-lakeavemap interface outside
    isakmp enable outside
    isakmp key ******** address 198.40.227.50 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    Output of the “show crypto ipsec sa” command
    From the main office
    Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
           access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6
           local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
           remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
           current_peer: 198.40.254.178
           #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
           #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
           #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
           #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
           #send errors: 0, #recv errors: 0
           local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178
           path mtu 1500, ipsec overhead 58, media mtu 1500
           current outbound spi: D78E63C9
          inbound esp sas:
          spi: 0x5D63434C (1566786380)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
             sa timing: remaining key lifetime (kB/sec): (4274801/7527)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xD78E63C9 (3616433097)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
             sa timing: remaining key lifetime (kB/sec): (4275000/7527)
             IV size: 8 bytes
             replay detection support: Y
    From the offsite datacenter
       local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
       current_peer: 198.40.227.50:500
       dynamic allocated peer ip: 0.0.0.0
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 1156, #recv errors 0
         local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 5d63434c
         inbound esp sas:
          spi: 0xd78e63c9(3616433097)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: cr-lakeavemap
            sa timing: remaining key lifetime (k/sec): (4608000/6604)
            IV size: 8 bytes
            replay detection support: Y
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x5d63434c(1566786380)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: cr-lakeavemap
            sa timing: remaining key lifetime (k/sec): (4607792/6596)
            IV size: 8 bytes
            replay detection support: Y
         outbound ah sas:
         outbound pcp sas:
    I'm not sure where the issue lies and have been beating my head on this for a while, so any help/insight is greatly appreciated. If there is anything else you'd like to see please let me know.

    Hi Joe,
    This should be moved to a VPN forum; however, something comes up really quickly from the problem. Here:
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    That's from the PIX in the main office, so I think the GRE traffic is either not getting there or not being encrypted. I am assuming 10.254.10.6 is the IP address of the router behind the main office, is that correct?
    If so, I would put a capture on the PIX to see if the GRE traffic is getting to that PIX on the inside (unencrypted but encapsulated in GRE) and make sure that it is not being dropped. To ensure that, you can check the logs on the PIX and see if the firewall is dropping the GRE before it is encrypted.
    Also, a packet tracer can be run to ensure that the Traffic has a VPN phase which would indicate that it is following the correct phases and it would be encrypted.
    Let me know.
    Mike Rojas.
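The two outputs above can be compared mechanically. The following script, added here and not part of the thread, parses the counter lines in both the PIX 6.3 and 7.x formats and reports the asymmetries Mike points to (one side decrypting but never encrypting, send errors on the other); the sample inputs are trimmed copies of the outputs posted above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: trimmed excerpts of the two "show crypto ipsec sa"
# outputs quoted in the thread above (PIX 7.2(2) main office, PIX 6.3(5) offsite).
MAIN_OFFICE_SA = """\
Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
       local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
       current_peer: 198.40.254.178
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
       #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
       #send errors: 0, #recv errors: 0
"""

OFFSITE_SA = """\
   local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
   current_peer: 198.40.227.50:500
    #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 1156, #recv errors 0
"""

# The 6.3 and 7.x formats differ in spacing and in whether a colon follows the
# counter name, so every counter pattern makes the colon optional.
_PATTERNS = {
    "local_ident": r"local\s+ident\s*\(addr/mask/prot/port\):\s*\(([\d.]+)/",
    "remote_ident": r"remote\s+ident\s*\(addr/mask/prot/port\):\s*\(([\d.]+)/",
    "peer": r"current_peer:\s*([\d.]+)",
    "encaps": r"#pkts encaps:?\s*(\d+)",
    "decaps": r"#pkts decaps:?\s*(\d+)",
    "send_errors": r"#send errors:?\s*(\d+)",
    "recv_errors": r"#recv errors:?\s*(\d+)",
}


@dataclass
class SaCounters:
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def parse_sa(text: str) -> SaCounters:
    """Extract identities, peer and packet counters from one SA block."""
    found = {}
    for name, pattern in _PATTERNS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field {name!r} not found in SA output")
        found[name] = m.group(1)
    for name in ("encaps", "decaps", "send_errors", "recv_errors"):
        found[name] = int(found[name])
    return SaCounters(**found)


def diagnose(a: SaCounters, b: SaCounters, name_a: str = "A", name_b: str = "B") -> List[str]:
    """Compare both ends of one tunnel and report what the counters show."""
    findings = []
    for me, peer, n_me, n_peer in ((a, b, name_a, name_b), (b, a, name_b, name_a)):
        if me.local_ident != peer.remote_ident:
            findings.append(f"{n_me} local ident {me.local_ident} does not mirror "
                            f"{n_peer} remote ident {peer.remote_ident}")
        if me.encaps == 0 and me.decaps > 0:
            findings.append(f"{n_me} decrypts {me.decaps} packets but encrypts none: "
                            f"its outbound traffic is not reaching the crypto map or not matching it")
        if me.encaps > 0 and peer.decaps == 0:
            findings.append(f"{n_me} encrypts {me.encaps} packets but {n_peer} decrypts none")
        if me.send_errors:
            findings.append(f"{n_me} reports {me.send_errors} send errors")
    return findings


if __name__ == "__main__":
    main = parse_sa(MAIN_OFFICE_SA)
    offsite = parse_sa(OFFSITE_SA)
    for line in diagnose(main, offsite, "main office", "offsite datacenter"):
        print(line)
```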

  • GRE IPSEC tunnel between 2 cisco routers

    Hello all,
    I have configured a GRE tunnel between 2 sites on Cisco routers, and the GRE tunnel works fine.
    Once I have configured the IPSEC tunnel, it is not stable. It goes down after some time and keeps going into MM_State.
    #sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst                             src             state                          conn-id status
    x.x.x.x.                     x.x.x.x.x    MM_NO_STATE          0 ACTIVE
    although the GRE tunnel works fine
    Regards
    Tejas

    Hi David,
    It is quite strange, but when I started this discussion my issue was that show crypto isakmp sa showed the state as "MM_NO_STATE"; now the problem is different.
    This morning I followed some steps:
    Step 1. Configured a simple GRE tunnel between my 2 locations; able to ping the other end's tunnel IP with the source tunnel IP, all works fine.
    Step 2. Started conditional debug for the peer along with crypto isakmp and crypto ipsec debug on both locations.
    Step 3. Implemented the IPSEC config on both routers; I have attached the same in a separate file.
    Now the problem is that the IPSEC negotiation has been successful (see output below) but my tunnel is down.
    SITE A
    sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    114.143.78.X   14.102.64.X    QM_IDLE           1015 ACTIVE
    SITE B
    #sh crypto isakmp sa | include 14.102.64.X
    14.102.64.X    114.143.78.X   QM_IDLE          15532 ACTIVE
    Now I am not sure why my tunnel is down?
    Please check the attached notepad.
    Regards
    Tejas

  • IPSec tunnel and policy NAT question

    Hello All!
    I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
    1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
    2. I need to translate the outgoing IP address of our end of the IPSec tunnel to a different IP address
    I have implemented the following configuration, but for some reason it is not working: I get packets decrypted on my end, but don't have packets encrypted to send to the other end.
    Here is the configuration
    Remote end  crypto interesting ACL:
    ip access-list extended crypto-interesting-remote
    permit ip host 192.168.1.10 host 10.0.0.10
    My end configuration:
    interface GigabitEthernet0/0
    ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN
    ip access-list extended crypto-interesting-local
    permit ip host 10.0.0.10 host 192.168.1.10
    interface GigabitEthernet0/3
    ip address 172.16.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    speed auto
    ip nat inside source static 172.16.0.20 10.0.0.10   (to translate the local IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
    ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
    All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
    Any response highly appreciated!
    Thanks!

    Figured that out.
    The problem was in the route
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    It should be the next-hop IP address instead of interface gigabitethernet0/0.
    Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is no one sitting with the 192.168.168.10 IP address on the outside.

  • GRE IPSec between Cisco 2811 and FortiGate 110C

    Hello,
    Does anybody know if it is possible to configure GRE IPSec tunnel between Cisco 2811 router and FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody succeeded in establishing an IPSec GRE between those routers? Could you also give a link to the appropriate documentation if it is possible?

    Hi,
    You can configure the GRE tunnel on the 2811.
    I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
    I've only seen GRE tunnels between Cisco devices (however I have not tried it to assure you that it will not work :-()
    Federico.

  • GRE traffic can not pass through LRT224 IPSec Tunnel

    Hi,
    We have trouble when using a Cisco router GRE tunnel plus an LRT224 IPSec gateway-to-gateway tunnel.
    We found that after a reboot, GRE packets cannot pass through the LRT224 IPSec tunnel. We need to restart several times, then GRE comes back to normal.
    Besides that, GRE keepalive packets cannot pass through the LRT224 IPSec tunnel.
    Please help. I have tried upgrading to the latest firmware version.
    Firmware Version : v1.0.3.09 (Dec 26 2014 14:28:46) 
    A-END:
    interface Tunnel1
    ip address 10.216.80.105 255.255.255.252
    ip mtu 1400
    ip nat outside
    ip virtual-reassembly in
    ip tcp adjust-mss 1360
    ip ospf network point-to-point
    ip ospf hello-interval 3
    ip ospf cost 10000
    tunnel source 10.216.81.2
    tunnel destination 10.216.80.90
    end
    B-END:
    interface Tunnel11
    ip address 10.216.80.110 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1360
    ip ospf network point-to-point
    ip ospf cost 10000
    ip ospf hello-interval 3
    tunnel source 10.216.80.91
    tunnel destination 10.216.81.3
    end
    CISCO2911 <> LRT224 <> INTERNET <> LRT224 <> CISCO 2621
    San

    Can you post the results from the below command for the Cisco Routers?
    IOS Command: "sh version"
    Why not static route without NAT through the LRT224 IPSec VPN?
    Just curious why did you use LRT224's for the Site to Site VPN instead of the Cisco Routers?
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Overlapping Networks with Tunnel GRE/IPsec and NAT

    Has anyone experience with NATing on a GRE tunnel interface? I need to NAT between two private networks because they are overlapping. I tried to NAT directly on the tunnel interface.
    e.g.
    Ethernet 0/0
    ip nat inside
    Tunnel0 (GRE with CryptoMap)
    ip nat outside
    However I didn't succeed this way. What's the best way to achieve my goal?

    Thanks. I already checked this paper. The problem is that it only talks about IPsec and not about GRE/IPsec and NATing on a tunnel interface.
    However, I made some tests in the lab and it worked fine. So I went back to the customer site and I had to reboot the small 836 to get it working.
    What I learned is: "ip nat outside" on a tunnel interface on a Cisco 836 is no problem. This is good news if you have to add partner companies with GRE/IPsec and they don't have IP ranges you like, so you just NAT them and give them IP addresses of your choice.

  • All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

    Hi, all,
      I have seen a good post on google.com about how to make all the clients' traffic go through the IPsec tunnel and then out to the Internet from the main site. I now attach this configuration and application for discussion. The problem is that I am still confused by the configuration on the main site. I hope anyone can tell me more detail and how to accomplish it. Any answer will be appreciated, thank you!
    Quote :
    Question ? :
    Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
    Dallas (Main) Lan Net is: 10.10.200.0/24
    Austin (Remote) LAN Net is: 10.20.2.0/24
    The Dallas (Main) site has a VPN config of:
    Local Net: 0.0.0.0/0
    Remote Net: 10.20.2.0/24
    The Austin (Remote) site has a VPN config of:
    10.20.2.0/24
    Remote Net: 0.0.0.0/0
    The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
    I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
    Answer:
    Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
    Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
    My question ?
    The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." What does this mean and
    how do I do it? Could anybody give me the specific configuration? Thanks a lot.

    Thank you for Jouni's reply. Following is the configuration on the Cisco 2800 router, no firewall enabled:
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60
    crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
    crypto dynamic-map IPsecdyn 100
    set transform-set IPsectrans
    match address 102
    crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
    interface Loopback1
    ip address 10.10.200.1 255.255.255.0
    interface FastEthernet0/0
    ip address 113.113.1.1 255.255.255.128
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map IPsecmap
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 113.113.1.2
    ip http server
    no ip http secure-server
    ip nat inside source list 100 interface FastEthernet0/0 overload
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any 10.20.2.0 0.0.0.255

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has an IPSec tunnel configured back to our main office. I am fairly new to networking so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
    There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml).
    So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel, and then configured static NAT statements for each of the four ports these boost boxes need to work. I configured ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside).
    The configuration can be seen below for the NAT part;
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
    Many thanks in advance
    Brian

    Hi,
    Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
    Thanks
    Brian
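Brian's question about UDP 500 can be answered with a configuration check. This script, added here and not from the thread, parses his static NAT lines and flags any that forward the IKE (UDP 500) or NAT-T (UDP 4500) ports on the address the crypto map uses; it assumes 85.233.188.47 is that address, which the thread does not show, and 198.51.100.7 is a placeholder for a second public address like the one Brian mentions in his follow-up.

```python
import re
from typing import Dict, List

# Constructed input: the four static NAT lines from Brian's post above.
STATIC_NAT_CONFIG = """\
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
"""

# Ports the router itself needs on its crypto endpoint address.
IKE_PORTS = {("udp", 500): "ISAKMP/IKE", ("udp", 4500): "IPsec NAT-T"}

STATIC_RE = re.compile(
    r"ip nat inside source static (?P<proto>tcp|udp) (?P<local>[\d.]+) (?P<lport>\d+) "
    r"(?P<global>[\d.]+) (?P<gport>\d+)"
)


def parse_static_nat(config: str) -> List[Dict[str, object]]:
    """Return one dict per 'ip nat inside source static tcp|udp ...' line."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["lport"] = int(e["lport"])
            e["gport"] = int(e["gport"])
            entries.append(e)
    return entries


def ike_port_conflicts(entries: List[Dict[str, object]], crypto_endpoint: str) -> List[str]:
    """Flag static forwards that claim UDP 500 or 4500 on the address the crypto map
    uses; those are the router's own IKE and NAT-T ports, so handing them to an inside
    host competes with the router's tunnel negotiation."""
    problems = []
    for e in entries:
        key = (e["proto"], e["gport"])
        if e["global"] == crypto_endpoint and key in IKE_PORTS:
            problems.append(f"{e['proto']}/{e['gport']} ({IKE_PORTS[key]}) on {e['global']} "
                            f"is forwarded to {e['local']}:{e['lport']}")
    return problems


if __name__ == "__main__":
    entries = parse_static_nat(STATIC_NAT_CONFIG)
    # Assumption: 85.233.188.47 is also the dialer's crypto endpoint (not shown in the thread).
    for p in ike_port_conflicts(entries, "85.233.188.47"):
        print("conflict:", p)
    # Placeholder for a second public address that the crypto map does not use.
    print("conflicts on a separate address:", ike_port_conflicts(entries, "198.51.100.7"))
```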

  • NAT of overlapping network through IPSEC tunnel

    I am having a NAT problem constructing a router to PIX tunnel (12.4-15T3 to 7.2). I need to both NAT overload through the outside interface for all internet traffic and NAT to a private network for traffic that will flow through an IPSEC tunnel.
    Because there is network overlap between sites I have added a NAT on the router as follows:
    1) A NAT pool of 254 172.17.20.x addresses.
    2) An access list permitting traffic to the hosts on the other side of the tunnel.
    3) A NAT source statement using the above ACL and pool.
    The IPSEC configuration then includes the 172.17.20.x addresses in the tunnel specification. The tunnel pegs up correctly under this config; traffic originating behind the router is NATed to 172.17.20.x if and only if the traffic matches the access list.
    However, once a host has created a 172.17.20.x NAT translation, the normal overload NAT out to the internet no longer works. Even if the second traffic destination does not match the access-list created for the 172.17.20.x NAT statement, the existing translation slot is used. Since 172.17.20.x is not valid on the internet, this has a negative effect on the staff in this location :-/
    Both NATing to the internet (using overload PAT on the outside IP address) and NATing for the tunnel (using the list of 172.17.20.x address) are necessary. What am I missing?

    Refer to PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

  • Remote Access VPN, no split tunneling, internet access. NAT translation problem

    Hi everyone, I'm new to the forum.  I have a Cisco ASA 5505 with a confusing (to me) NAT issue.
    Single external IP address (outside interface) with multiple static object NAT translations to allow port forwarding to various internal devices.  The configuration has been working without issues for the last couple years.
    I recently configured a remote access VPN without split tunneling and access to the internet and noticed yesterday that my port forwarding had stopped working.
    I reviewed the new NAT rules for the VPN and found the culprit. 
    I have been reviewing the rules over and over and from everything I can think of, and interpret, I'm not sure how this rule is affecting the port forwarding on the device or how to correct it.
    Here are the NAT rules I have in place: (The "inactive" rule is the culprit.  As soon as I enable this rule, the port forwarding hits a wall)
    nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    nat (outside,outside) source dynamic VPN_Subnet interface inactive
    object network obj_any
    nat (inside,outside) dynamic interface
    object network XXX_HTTP
    nat (inside,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    Any help would be appreciated.

    Try changing the nat rule to: nat (outside,outside) after-auto source dynamic VPN_Subnet interface
    With Regards,
    Safwan

  • IPSEC tunnel with NAT and NetMeeting

    I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT, but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN; however, it is not able to call anyone past the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
    Thanks,

    The following doc should help...
    http://www.cisco.com/warp/public/707/ipsecnat.html

  • Can a Cisco 881 router create an L2TP/IPsec tunnel via NAT to Windows 2008?

    Hi
    Was anyone successful in setting up an L2TP/IPsec tunnel through NAT-T to a Windows 2008/R2 RRAS server? I am using an 881 router and the layout is something like this:
    Client -> 881 -> NAT -> internet -> Windows 2008 RRAS
    The tunnel goes from the 881 to the Windows server (not from the client...).
    Thanks
    Roland

    Hi Federico
    Thanks for your help! Much appreciated.
    In my case this should be transparent to the client - I would like not to initiate the connection from the client.
    Does that make sense? I am considering L2TP because Windows 2008 R2 doesn't support IPSec tunnels through NAT (2008 R2 being the responder and the Cisco router the initiator of the IPSec connection).
    Regards
    Roland
