
No-Nat Site-To-Site VPN CISCO

Discussion in 'Networks & Internet Connectivity' started by oldbag, 20 Apr 2010.

  1. oldbag

    Sgarrista

    Joined: 14 Oct 2003

    Posts: 7,844

    All,

    I'm trying to set up a site-to-site VPN on a Cisco 877. I have defined the phase 2 statements, and at the end I have "match address 104" to point to an access-list to allow traffic over the local and remote subnets - does anyone know how I tell the access-list not to NAT?

    Thanks.
     
  2. nrh1703

    Gangster

    Joined: 30 Dec 2003

    Posts: 263

    I've got a site-to-site VPN between an 857 and an 877. The configs are as follows; they should be self-explanatory, but let me know if you have any questions. I followed some guides on the Cisco site but I don't have the URLs to hand anymore. If you want I can try and find them again.

    Cisco 857, site A (10.0.0.0/24):
    Code:
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key ******** address <public IP address of site B> no-xauth
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode transport
    !
    crypto map siteA-siteB 1 ipsec-isakmp
     set peer <public IP address of site B>
     set transform-set ESP-3DES-SHA
     match address 103
    interface Dialer0
     crypto map siteA-siteB
    access-list 103 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
    access-list 106 deny   ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
    access-list 106 permit ip 10.0.0.0 0.0.0.255 any
    
    route-map nonat permit 10
     match ip address 122
    
    Cisco 877, site B (10.1.0.0/24):
    Code:
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key ******** address <public IP address of site A> no-xauth
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode transport
    !
    
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     set peer <public IP address of site A>
     set transform-set ESP-3DES-SHA
     match address 103
    
    interface Dialer0
     crypto map SDM_CMAP_1
    
    ip nat inside source list 106 interface Dialer0 overload
    
    access-list 103 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 106 deny   ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 106 permit ip 10.1.0.0 0.0.0.255 any
    
    route-map nonat permit 10
     match ip address 106
     
    Last edited: 21 Apr 2010
  3. oldbag

    Sgarrista

    Joined: 14 Oct 2003

    Posts: 7,844

    Cool, thanks.

    On Site B, you have the statement "ip nat inside source list 106 interface Dialer0 overload" and:

    route-map nonat permit 10
    match ip address 106

    I think I am confused about how the route-map relates to the ip nat statement?

    I tried doing it this way:

    ip nat inside source route-map nonat interface Dialer0 overload

    access-list 106 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 106 permit ip 10.1.0.0 0.0.0.255 any

    route-map nonat permit 10
    match ip address 106

    However, when doing "debug crypto ipsec" and looking at the log, for the proxy addresses the source is the local private LAN, but the destination is the public address of the destination and not the private LAN of the destination.
     
    Last edited: 20 Apr 2010
  4. [email protected]

    Gangster

    Joined: 21 Jun 2004

    Posts: 295

    Location: Doncaster

    You should just be able to add a deny statement to the beginning of the list that specifies which traffic you wish to translate.

    ip nat inside source list 101 interface atm0 overload

    ! Don't NAT the interesting VPN traffic
    access-list 101 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    ! NAT anything else
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any

    Site A - 192.168.0.0/24 ----------VPN------------- 10.0.0.0/24 - Site B

    Cheers
     
  5. oldbag

    Sgarrista

    Joined: 14 Oct 2003

    Posts: 7,844

    So now I get this:

    000320: *Apr 21 12:11:07.028 PCTime: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND local= 83.x.x.x, remote= 87.x.x.x,
    local_proxy= 172.16.25.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 87.x.x.x/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    00323: *Apr 21 12:11:07.028 PCTime: map_db_find_best did not find matching map
    00324: *Apr 21 12:11:07.028 PCTime: IPSEC(ipsec_process_proposal): proxy identities not supported

    Why, for remote_proxy, is it seeing the public IP of the peer and not the internal LAN? In my config I have:

    access-list 104 permit ip 172.16.25.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 104 deny ip 172.16.25.0 0.0.0.255 any

    with "match address 104" on the crypto map statements.

    Any ideas?
     
  6. nrh1703

    Gangster

    Joined: 30 Dec 2003

    Posts: 263

    There was a missing line break; I've corrected it now.
     
  7. [email protected]

    Gangster

    Joined: 21 Jun 2004

    Posts: 295

    Location: Doncaster

    Are you able to post the configs? It looks like there is still a NAT issue there. Have you got a deny statement to specify that traffic crossing the VPN should not be translated? I may be mistaken, but it also looks like you're missing a transform set and optional security-association for the phase 2 proposal (highlighted in bold).

    Also, I don't believe the access-list used in the crypto map needs the deny statement at the end... it should be covered by the implicit deny. It's my understanding that the access-list is used to specify the traffic you want to be encrypted. So yours kind of says: encrypt traffic from here to here, but don't bother with anything from 172.16.25.0/24, and don't bother with anything else either (implicit deny).
     
    Last edited: 21 Apr 2010
  8. oldbag

    Sgarrista

    Joined: 14 Oct 2003

    Posts: 7,844

    Here you go, this may help?

    This is what I have:

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key <key> address 87.X.X.X no-xauth

    crypto ipsec transform-set BR-3DES-SHA1 esp-3des esp-sha-hmac
    !
    crypto map SITE1 1 ipsec-isakmp
     set peer 87.X.X.X
     set security-association lifetime kilobytes 100000
     set transform-set BR-3DES-SHA1
     set pfs group2
     match address 104
    !
    ip nat pool INTERNET <public ip of cisco> <public ip of cisco> netmask 255.255.255.252
    ip nat inside source route-map nonat pool INTERNET overload

    access-list 104 permit ip 172.16.25.0 0.0.0.255 10.0.0.0 0.0.31.255
    access-list 104 deny ip 172.16.25.0 0.0.0.255 any
    access-list 105 remark No NAT Rules
    access-list 105 deny ip 172.16.25.0 0.0.0.255 10.0.0.0 0.0.31.255
    access-list 105 permit ip 172.16.25.0 0.0.0.255 any

    route-map nonat permit 10
     match ip address 105
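    An added sanity check for the two points raised in the replies above, written in Python rather than IOS and not taken from the thread: whether the NAT list denies the crypto-interesting traffic before its permit (first match wins), and whether the two crypto ACLs are exact mirror images, which is the first thing to verify when the debug shows proxy identities the peer's crypto map does not match. The sample ACLs are constructed and modelled on the thread's addressing; the remote-side ACLs are assumed.

```python
# Added example, not from the thread: checks the two NAT/crypto-ACL points discussed above.
import ipaddress
import re

ACL_RE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
                    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)$")

def _net(spec):
    """'any' or 'ADDR WILDCARD' -> ip_network (contiguous wildcard masks only)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, wild = spec.split()
    prefix = 32 - bin(int(ipaddress.IPv4Address(wild))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_acls(config):
    """{acl_number: [(action, src_net, dst_net), ...]} in configuration order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            num, action, src, dst = m.groups()
            acls.setdefault(int(num), []).append((action, _net(src), _net(dst)))
    return acls

def crypto_acls_mirror(local, remote):
    """Crypto ACLs must be exact mirror images (same prefixes, src/dst swapped);
    otherwise the responder finds no map entry for the proposed proxy identities."""
    return ({(s, d) for a, s, d in local if a == "permit"}
            == {(d, s) for a, s, d in remote if a == "permit"})

def nat_exempts_vpn_traffic(crypto, nat):
    """Each flow the crypto ACL encrypts must hit a deny in the NAT ACL (first
    match wins) before any permit, or it is translated before encryption."""
    for action, src, dst in crypto:
        hit = next((a for a, s, d in nat if src.subnet_of(s) and dst.subnet_of(d)), None)
        if action == "permit" and hit != "deny":
            return False
    return True

# Constructed sample ACLs modelled on the thread's addressing (local LAN 172.16.25.0/24).
LOCAL = parse_acls("""
access-list 104 permit ip 172.16.25.0 0.0.0.255 10.0.0.0 0.0.31.255
access-list 105 deny ip 172.16.25.0 0.0.0.255 10.0.0.0 0.0.31.255
access-list 105 permit ip 172.16.25.0 0.0.0.255 any
""")
# Assumed remote crypto ACLs: one covering only 10.0.0.0/24 (not a mirror of the local /19), one correct.
REMOTE_BAD = parse_acls("access-list 103 permit ip 10.0.0.0 0.0.0.255 172.16.25.0 0.0.0.255")
REMOTE_GOOD = parse_acls("access-list 103 permit ip 10.0.0.0 0.0.31.255 172.16.25.0 0.0.0.255")
# NAT list without the deny: VPN traffic would be translated before encryption.
NAT_NO_EXEMPT = parse_acls("access-list 105 permit ip 172.16.25.0 0.0.0.255 any")
```

    Putting the permit before the deny in the NAT list fails the same check, since IOS evaluates access-list entries in order and stops at the first match.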
     
  9. [email protected]

    Gangster

    Joined: 21 Jun 2004

    Posts: 295

    Location: Doncaster

    There doesn't look to be a great deal wrong with that, tbh. You don't need the deny statement in the 104 access list, though.

    Are you able to post the config from the remote device... or even better, both configs with the private stuff removed?

    [email protected]