No-Nat Site-To-Site VPN CISCO

Soldato | Joined 14 Oct 2003 | Posts 7,831
All,

I'm trying to set up a site-to-site vpn on a cisco 877 and have defined the phase 2 statements and on the end I have "match address 104" to point to an access-list to allow traffic over the local and remote subnets - does anyone know how I tell the access-list not to NAT?

Thanks.
 
Associate | Joined 30 Dec 2003 | Posts 284
I've got a site-to-site VPN between an 857 and 877. The configs are as follows; they should be self-explanatory, but let me know if you have any questions. I followed some guides on the Cisco site but I don't have the URLs to hand anymore. If you want I can try and find them again.

cisco857, site A (10.0.0.0/24):
Code:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address <public IP address of site B> no-xauth
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto map siteA-siteB 1 ipsec-isakmp
 set peer <public IP address of site B>
 set transform-set ESP-3DES-SHA
 match address 103
interface Dialer0
 crypto map siteA-siteB
access-list 103 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 106 deny   ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 106 permit ip 10.0.0.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 122

cisco877, siteB (10.1.0.0/24):
Code:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address <public IP address of site A> no-xauth
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!

crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer <public IP address of site A>
 set transform-set ESP-3DES-SHA
 match address 103

interface Dialer0
 crypto map SDM_CMAP_1

ip nat inside source list 106 interface Dialer0 overload

access-list 103 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 106 deny   ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 106 permit ip 10.1.0.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 106
 
Soldato (OP) | Joined 14 Oct 2003 | Posts 7,831
Cool, thanks.

On Site B, you have the statement "ip nat inside source list 106 interface Dialer0 overload" and:

route-map nonat permit 10
match ip address 106

I think I am confused about how the route-map relates to the ip nat statement?

I tried doing it this way:

ip nat inside source route-map nonat interface Dialer0 overload

access-list 106 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 106 permit ip 10.1.0.0 0.0.0.255 any

route-map nonat permit 10
match ip address 106

However when doing "debug crypto ipsec" and looking at the log, for the proxy addresses the source is the local private LAN, but the destination is the public address of the destination and not the private LAN of the destination.
 
Associate | Joined 21 Jun 2004 | Posts 295 | Location Doncaster
You should just be able to add a deny statement to the beginning of the list that specifies which traffic you wish to translate.

ip nat inside source list 101 interface atm0 overload

access-list 101 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 (Don't nat the Interesting VPN Traffic)
access-list 101 permit ip 192.168.0.0 0.0.0.255 any (NAT anything else)

Site A - 192.168.0.0/24 ----------VPN------------- 10.0.0.0/24 - Site B

Cheers
 
Soldato (OP) | Joined 14 Oct 2003 | Posts 7,831
So now I get this:

000320: *Apr 21 12:11:07.028 PCTime: IPSEC(validate_proposal_request): proposal
part #1,
(key eng. msg.) INBOUND local= 83.x.x.x, remote= 87.x.x.x,
local_proxy= 172.16.25.0/255.255.255.0/0/0 (type=4),
remote_proxy= 87.x.x.x/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
00323: *Apr 21 12:11:07.028 PCTime: map_db_find_best did not find matching map
00324: *Apr 21 12:11:07.028 PCTime: IPSEC(ipsec_process_proposal): proxy identities not supported

Why for remote_proxy is it seeing the public IP of the peer and not the internal lan. In my config I have:

access-list 104 permit ip 172.16.25.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 104 deny ip 172.16.25.0 0.0.0.255 any

with "match address 104" on the crypto map statements.

Any ideas?
 
Associate | Joined 21 Jun 2004 | Posts 295 | Location Doncaster
Quote:
So now I get this:

000320: *Apr 21 12:11:07.028 PCTime: IPSEC(validate_proposal_request): proposal
part #1,
(key eng. msg.) INBOUND local= 83.x.x.x, remote= 87.x.x.x,
local_proxy= 172.16.25.0/255.255.255.0/0/0 (type=4),
remote_proxy= 87.x.x.x/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
00323: *Apr 21 12:11:07.028 PCTime: map_db_find_best did not find matching map
00324: *Apr 21 12:11:07.028 PCTime: IPSEC(ipsec_process_proposal): proxy identities not supported

Why for remote_proxy is it seeing the public IP of the peer and not the internal lan. In my config I have:

access-list 104 permit ip 172.16.25.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 104 deny ip 172.16.25.0 0.0.0.255 any

with "match address 104" on the crypto map statements.

Any ideas?

Are you able to post the configs? It looks like there is still a NAT issue there. Have you got a deny statement to specify that traffic crossing the VPN should not be translated? I may be mistaken, but it also looks like you're missing a transform set and optional security-association for the phase 2 proposal (highlighted in bold).

Also, I don't believe the access-list used in the crypto map needs the deny statement at the end... it should be covered by the implicit deny. It's my understanding that the access-list is used to specify the traffic you want to be encrypted. So yours kind of says: encrypt traffic from here to here, but don't bother with anything from 172.16.25.0/24 and don't bother with anything else either (implicit deny).
 
Soldato (OP) | Joined 14 Oct 2003 | Posts 7,831
Here you go, this may help?

This is what I have:

Code:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <key> address 87.X.X.X no-xauth

crypto ipsec transform-set BR-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SITE1 1 ipsec-isakmp
 set peer 87.X.X.X
 set security-association lifetime kilobytes 100000
 set transform-set BR-3DES-SHA1
 set pfs group2
 match address 104
!
ip nat pool INTERNET <public ip of cisco> <public ip of cisco> netmask 255.255.255.252
ip nat inside source route-map nonat pool INTERNET overload

access-list 104 permit ip 172.16.25.0 0.0.0.255 10.0.0.0 0.0.31.255
access-list 104 deny ip 172.16.25.0 0.0.0.255 any
access-list 105 remark No NAT Rules
access-list 105 deny ip 172.16.25.0 0.0.0.255 10.0.0.0 0.0.31.255
access-list 105 permit ip 172.16.25.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 105
 
Associate | Joined 21 Jun 2004 | Posts 295 | Location Doncaster
There doesn't look a great deal wrong with that tbh. You don't need the deny statement in the 104 access list though.

Are you able to post the config from the remote device... or even better, both configs with the private stuff removed?

$8ct@
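Two points from this thread can be checked offline: the earlier reply's rule that the NAT access-list must deny the VPN's interesting traffic before it permits anything else, and the "proxy identities not supported" debug output, which means the proposed local/remote proxies matched no permit in the crypto ACL. The script below is an added example, not something posted in the thread and not Cisco tooling. It parses the standard IOS access-list syntax from a constructed config modelled on the one posted above (the real public addresses are replaced by the TEST-NET placeholders 203.0.113.7 and 198.51.100.1, and list 107 is an added deliberately wrong NAT list), checks that every permit in the crypto ACL is exempted by the NAT ACL, and then checks a proposal's proxy identities against the crypto ACL. The file name nat_exempt_check.py is assumed.

```python
"""Added example (not from the thread): checks a Cisco IOS config for the NAT-exemption
rule discussed above and explains an IPsec proposal rejection from 'debug crypto ipsec'.
The config and debug text below are constructed; 203.0.113.7 / 198.51.100.1 are
TEST-NET placeholders for the two public addresses."""
import ipaddress
import re
from collections import namedtuple

ACE = namedtuple("ACE", "acl action src dst")

# Constructed config modelled on the one posted above; list 107 is a deliberately
# wrong NAT list (no deny for the VPN traffic) to show what the check catches.
CONFIG = """
crypto map SITE1 1 ipsec-isakmp
 set peer 198.51.100.1
 match address 104
ip nat inside source route-map nonat pool INTERNET overload
access-list 104 permit ip 172.16.25.0 0.0.0.255 10.0.0.0 0.0.31.255
access-list 104 deny ip 172.16.25.0 0.0.0.255 any
access-list 105 remark No NAT Rules
access-list 105 deny ip 172.16.25.0 0.0.0.255 10.0.0.0 0.0.31.255
access-list 105 permit ip 172.16.25.0 0.0.0.255 any
access-list 107 permit ip 172.16.25.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 105
"""

# Constructed debug lines in the same shape as the output posted above.
DEBUG = """
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 203.0.113.7, remote= 198.51.100.1,
local_proxy= 172.16.25.0/255.255.255.0/0/0 (type=4),
remote_proxy= 198.51.100.1/255.255.255.255/0/0 (type=1),
"""

def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard mask -> IPv4Network (wildcard 1-bits are don't-care)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_acls(config_text):
    """Collect 'access-list N permit|deny ip SRC DST' entries, keyed by list number."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # remarks, other commands and non-ip entries are ignored
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(t[1], []).append(ACE(t[1], t[2], src, dst))
    return acls

def covers(ace, src, dst):
    return src.subnet_of(ace.src) and dst.subnet_of(ace.dst)

def overlaps(ace, src, dst):
    return src.overlaps(ace.src) and dst.overlaps(ace.dst)

def nat_exemption_gaps(crypto_acl, nat_acl):
    """Each crypto-ACL permit must hit a NAT-ACL deny that fully covers it before any
    NAT permit that overlaps it; otherwise interesting traffic is translated before the
    crypto map sees it.  Returns a list of problem strings (empty = consistent)."""
    problems = []
    for ace in crypto_acl:
        if ace.action != "permit":
            continue
        for nat_ace in nat_acl:
            if nat_ace.action == "deny" and covers(nat_ace, ace.src, ace.dst):
                break  # exempted from NAT, as required
            if nat_ace.action == "permit" and overlaps(nat_ace, ace.src, ace.dst):
                problems.append(f"{ace.src} -> {ace.dst} is NATed by "
                                f"'permit {nat_ace.src} {nat_ace.dst}' in list {nat_ace.acl}")
                break
        # falling off the end is the implicit deny: not translated, which is fine
    return problems

PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/\d+/\d+")

def parse_proposal(debug_text):
    """Pull the local_proxy / remote_proxy networks out of 'debug crypto ipsec' lines."""
    return {side: ipaddress.IPv4Network((addr, mask), strict=False)
            for side, addr, mask in PROXY_RE.findall(debug_text)}

def check_proposal(crypto_acl, proxies, peer):
    """Explain an INBOUND proposal: local_proxy must sit inside a crypto permit's source
    and remote_proxy inside its destination, or IOS logs 'proxy identities not supported'."""
    local, remote = proxies["local"], proxies["remote"]
    if any(a.action == "permit" and covers(a, local, remote) for a in crypto_acl):
        return "ok"
    if remote.prefixlen == 32 and remote.network_address == ipaddress.IPv4Address(peer):
        return ("remote proxy is the peer's own public address: the far side translated "
                "its LAN traffic before encrypting it (check its NAT exemption)")
    return "proxies not covered by the crypto ACL"

if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    print("104 vs 105:", nat_exemption_gaps(acls["104"], acls["105"]) or "consistent")
    print("104 vs 107:", nat_exemption_gaps(acls["104"], acls["107"]))
    print("proposal:", check_proposal(acls["104"], parse_proposal(DEBUG), "198.51.100.1"))
```

Run it with `python3 nat_exempt_check.py`. List 105 passes because its deny fully covers the crypto permit before the catch-all permit; list 107 is flagged because its only entry would translate 172.16.25.0/24 to anything, VPN traffic included. The constructed proposal reproduces the symptom in the thread: the remote proxy is a /32 equal to the peer address, so no crypto ACL entry can match it, which points at the far side's NAT rather than this router's crypto map. The parser only handles `ip` entries with contiguous wildcard masks and does not follow the route-map binding; extend it if your config uses named or extended ACL forms.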
 