
NAT question IPSEC tunnel

Status
Not open for further replies.

nunzeo

Programmer
Nov 17, 2003
196
US
Look at my following router config. The router creates a tunnel back to our datacenter. All traffic goes through the tunnel, including web-based traffic. I have a question regarding the NATing. Is ACL 101 correct if I need to NAT my local network on the router to my remote site?

VPN#show run
Building configuration...

Current configuration : 3592 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
username admin privilege 15 secret 5
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key vpn address x.x.x.25
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tox.x.x.25
set peer x.x.x.25
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
ip address x.x.x.50 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.31.5.83 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local policy route-map SDM_RMAP_1
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.54
ip route 10.31.0.0 255.255.252.0 10.31.5.1
ip route 10.31.6.0 255.255.255.0 10.31.5.1
ip route 10.31.200.0 255.255.255.0 10.31.5.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.31.5.0 0.0.0.255
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 101 deny ip 10.31.0.0 0.0.255.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.31.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.31.5.0 0.0.0.255 10.0.0.0 0.255.255.255
snmp-server community RW
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
^C
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end

vpn#
 
No, ACL 101 is incorrect. There is an implicit "deny ip any any" at the end of any ACL, which in this case is denying any traffic from matching the route map, so your route policy is broken.

CCNP, CCDP
 
So what should it be set to if I am sending all traffic through the tunnel?
 
ACL 101 controls a local routing policy, which has just the one match statement but doesn't do anything to any traffic. You don't really need policy-based routing if you're just trying to set a default route through the tunnel anyway.

Just so we're clear on this, in your "ip route 0.0.0.0 0.0.0.0 x.x.x.54", is that address on the same subnet as your fa4 interface?

If that is true, then it's ACL 100 you need to modify, not 101. To encrypt *all* traffic through that tunnel, do "no access-list 100" followed by "access-list 100 permit ip any any". Make sure that you make the same change on the other side of the tunnel, and note that this should bring down the tunnel while the change is being made on both ends.

CCNP, CCDP
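As an added check, not from the thread or its poster, here is a small Python linter run over a constructed excerpt of the posted config that flags exactly the problem the two replies above describe: a NAT route-map whose ACL contains only deny entries matches nothing because of the implicit deny, so NAT never applies. The FIXED_CONFIG contrast (an assumed NAT-exemption ACL that denies tunnel-bound traffic and permits the rest) is constructed only to show what a matching ACL looks like; it is not the thread's recommendation for an everything-through-the-tunnel setup, where the NAT rule is not needed at all.

```python
import re
from collections import defaultdict

# Constructed excerpt of the posted config (addresses as sanitized in the thread).
BROKEN_CONFIG = """\
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 100 permit ip 10.31.0.0 0.0.255.255 any
access-list 101 deny ip 10.31.0.0 0.0.255.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""

# Constructed contrast (assumed, not from the thread): an ACL that can actually match.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "access-list 101 deny ip 10.31.0.0 0.0.255.255 any\n",
    "access-list 101 deny ip 10.31.5.0 0.0.0.255 10.0.0.0 0.255.255.255\n"
    "access-list 101 permit ip 10.31.5.0 0.0.0.255 any\n")

def parse_acls(config):
    """Map numbered ACL -> list of (action, rest) entries, in order."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = re.match(r"\s*access-list\s+(\d+)\s+(permit|deny)\s+(.*)", line)
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3)))
    return acls

def parse_route_maps(config):
    """Map route-map name -> ACL numbers named in its 'match ip address' clauses."""
    maps, current = defaultdict(list), None
    for line in config.splitlines():
        head = re.match(r"\s*route-map\s+(\S+)\s+(permit|deny)\s+\d+", line)
        if head:
            current = head.group(1)
            continue
        match = re.match(r"\s*match ip address\s+(.+)", line)
        if match and current:
            maps[current].extend(match.group(1).split())
    return maps

def nat_route_map_findings(config):
    """Flag NAT route-maps whose ACLs have no permit entry: with the implicit
    deny at the end of every ACL, such a route-map matches nothing, so NAT never applies."""
    acls, maps = parse_acls(config), parse_route_maps(config)
    findings = []
    for m in re.finditer(r"ip nat inside source route-map\s+(\S+)", config):
        for acl in maps.get(m.group(1), []):
            if not any(action == "permit" for action, _ in acls.get(acl, [])):
                findings.append(f"route-map {m.group(1)}: ACL {acl} has no permit entry")
    return findings
```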
 
Oh, and there are other static routes pointing to 10.31.5.1 as the next hop. If you truly want *all* traffic to go through the tunnel, you can remove those, but I wouldn't do so unless you know what purpose they serve.

CCNP, CCDP
 