Cisco1800 is a NAT router with one public IP, say W.X.Y.Z. VPN box 1 has a private IP, and VPN box 2 has a public IP. There is a tunnel established between the vpn gateways. This is working fine, and I have a connection between LAN1 and LAN2.
But I don't understand one thing: every connection that I make from the Internet to the router's public IP is forwarded to VPN box 1. For example:
I telnet to the W.X.Y.Z, and I get the VPN box 1 management console. I open a web browser and go to https://W.X.Y.Z and I get the VPN box 1 WWW interface. Why is this happening?
I'd like to forward only VPN traffic, that is the IKE and ESP protocols, to VPN box 1. How can I do that?
interface FastEthernet0/0
 ip address W.X.Y.Z 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.44.44.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 W.X.Y.G
no ip http server
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static esp 10.44.44.254 interface FastEthernet0/0
!
!
access-list 10 permit any
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password 7 08274217114B0A0402
 logging synchronous
 login
 transport input telnet
Don't know offhand, but this is bad ju-ju in a NAT config:
!
access-list 10 permit any
!
NAT ACLs should only match the traffic you want to be natted. If you tell NAT to modify any old traffic, it will, and the result may not be what you want or expect. Not saying it's causing the problem but it ought to be fixed.
Looking at Cisco IOS NAT Application Layer Gateways,
Single IPsec ESP Mode tunnels in a Port Address Translation (PAT) configuration
# Release 12.2(1.4) Mainline
# DDTS CSCdu28439
# Single IPsec ESP mode tunnel at a time, first step prior to adding support for multiple concurrent IPsec tunnels in a PAT configuration in Release 12.2(13)T
# A new extended entry derived from this translation
# Traffic must be generated from the "inside"
# New CLI: [no] ip nat inside source static esp interface
Multiple IPsec ESP Mode tunnels in a (PAT) configuration
# Release 12.2(13)T
# Ability to support multiple IPsec ESP mode tunnels in a PAT/Overload configuration
# For IPsec peers that do not support NAT-T (UDP wrapping)
The static esp command "might" also be natting more traffic than you want, so if your IOS doesn't need it you might get rid of it.
Sometimes you get what you ask for. All traffic includes local router traffic, and a side effect of natting local router traffic is that you can't telnet, ssh etc. to the router's public IP address. Only traffic with 10.44.44.0/24 source addresses needs to be natted, so you should change your NAT ACL to match those addresses:
!
access-list 10 permit 10.44.44.0 0.0.0.255
!
Perhaps you should look at using NAT Traversal on your VPN concentrators. Search for "vpn concentrator nat traversal" on cisco.com. That should allow you to get rid of the static esp command in your router.
This assumes that the static esp command is somehow involved in your original problem, which we don't really know.
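The point Martin makes about "permit any" can be checked mechanically. The script below is an added example, not something from the thread or from Cisco: it pulls the ACL number out of the "ip nat inside source list ..." statement, evaluates a standard ACL with Cisco wildcard-mask semantics (first match wins, implicit deny at the end), and reports whether the router's own public address would match the NAT ACL. The two configs and the address 203.0.113.10 (standing in for W.X.Y.Z) are constructed for the demonstration.

```python
"""Audit the NAT ACL of a Cisco IOS configuration.

Added example: checks which source addresses the ACL referenced by
'ip nat inside source list ...' would hand to NAT, and flags the case
where the router's own public address matches (locally generated
traffic gets translated, which is the symptom described in the thread).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed snippets modelled on the poster's config; only the lines that
# matter for the check are included. 203.0.113.10 stands in for W.X.Y.Z.
BEFORE = """\
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit any
"""

AFTER = """\
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 10.44.44.0 0.0.0.255
"""

ROUTER_PUBLIC_IP = "203.0.113.10"  # placeholder for the router's outside address


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    network: int   # IPv4 address as an integer
    wildcard: int  # Cisco wildcard mask: 1 bits are "don't care"

    def matches(self, addr: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(addr)) & care) == (self.network & care)


def nat_acl_number(config: str) -> Optional[int]:
    """ACL number named by the dynamic NAT rule, or None if there is no such rule."""
    m = re.search(r"^ip nat inside source list (\d+)\s", config, re.M)
    return int(m.group(1)) if m else None


def parse_standard_acl(config: str, number: int) -> List[AclEntry]:
    """Parse 'access-list N permit|deny {any|host A|A WILDCARD|A}' lines."""
    entries: List[AclEntry] = []
    for line in config.splitlines():
        p = line.split()
        if len(p) < 4 or p[0] != "access-list" or p[1] != str(number):
            continue
        action, target = p[2], p[3]
        if target == "any":
            entries.append(AclEntry(action, 0, 0xFFFFFFFF))
        elif target == "host":
            entries.append(AclEntry(action, int(ipaddress.IPv4Address(p[4])), 0))
        else:
            # A bare address without a wildcard means a single host in IOS.
            wc = int(ipaddress.IPv4Address(p[4])) if len(p) > 4 else 0
            entries.append(AclEntry(action, int(ipaddress.IPv4Address(target)), wc))
    return entries


def is_natted(config: str, src: str) -> bool:
    """Would a packet with source address src be selected for translation?"""
    number = nat_acl_number(config)
    if number is None:
        return False
    for e in parse_standard_acl(config, number):
        if e.matches(src):
            return e.action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def audit(config: str, router_ip: str) -> List[str]:
    """Findings a reviewer would raise about the NAT ACL; empty list means clean."""
    findings: List[str] = []
    number = nat_acl_number(config)
    if number is None:
        return ["no 'ip nat inside source list' rule found"]
    entries = parse_standard_acl(config, number)
    if any(e.action == "permit" and e.wildcard == 0xFFFFFFFF for e in entries):
        findings.append(f"access-list {number} has 'permit any': NAT will touch every source")
    if is_natted(config, router_ip):
        findings.append(f"router address {router_ip} matches access-list {number}: "
                        "locally generated traffic will be translated")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg, ROUTER_PUBLIC_IP) or ["ok"])
```

With the "permit any" ACL the router's own address matches, so replies to the router's management sessions are subject to the same translation machinery as LAN traffic; with the 10.44.44.0/24 ACL only LAN1 sources are selected and the router's public address is left alone.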
I changed 'permit any' to the above. But that was only the first step: in the second I had to remove 'ip nat inside source static esp...'. After that I can telnet to the router from the Internet.
But now I cannot reach LAN1 from LAN2 sometimes. There is no problem reaching LAN2 from LAN1. I suppose that the router establishes a temporary esp NAT entry when connecting to LAN2 from LAN1. After that I can connect to LAN1 from LAN2. But if there is no traffic for a longer time, I cannot connect from LAN2 to LAN1. These are only my suppositions; I have to investigate them more deeply.
I tried to avoid NAT-T to check whether the 'normal' vpn tunnel would establish. But because of the problems I will probably have to consider implementing NAT-T.
It looks like it is involved.
If you have any ideas how to solve the problem without NAT-T, let me know please. Thank you for your help.
OK, so the static entry was interfering as well. Did you get a "show ip nat translations" before and after to see what was in there? Have you tried putting the static back to see if it was a temporary condition or if it's always there when the static is there?
Your suppositions are correct. LAN2 -> LAN1 traffic will only get through the router if there is a matching translation in the NAT translation table, and when you are using dynamic NAT, i.e. no static NAT, entries in the table are only created by traffic that crosses the router from the nat inside interface to the nat outside interface.
Dynamic NAT translations do have an inactivity timeout. You can use "show ip nat translations verbose" to (maybe) see what the timeout is, and you might be able to use "ip nat timeout" to change it. Otherwise you might need to provide some sort of keepalive traffic to ensure the translations don't time out.
After some connections from LAN1 to LAN2 have been established, I can connect in the opposite way. Look at A) (below) to see the 'sh ip nat translations [verbose]' output.
After a timeout has expired, I can't connect; look at B) for the NAT info.
But when I put the static esp nat entry back, I can connect from LAN2 to LAN1 immediately. But I also lose the connection from the Internet to the router. I can't telnet to it any more. I have to go to LAN1 and telnet to the router's inside address.
Is it an IOS bug or normal behaviour with that static esp entry? Maybe upgrading IOS is the solution?
You mean some device in the LAN1 periodically pinging an IP address from LAN2... That could be a solution.
Anyway, I would like to have the possibility to get from LAN2 to LAN1 at any time, and also to the router from the Internet. If I get a newer IOS, I'll try that first. If not, I will have to put some 'pinger' in LAN1.
B)
Router>sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp W.X.Y.Z:22         10.44.44.254:22    ---                ---
tcp W.X.Y.Z:443        10.44.44.254:443   ---                ---
udp W.X.Y.Z:500        10.44.44.254:500   ---                ---
udp W.X.Y.Z:4500       10.44.44.254:4500  ---                ---

Router>sh ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
tcp W.X.Y.Z:22         10.44.44.254:22    ---                ---
    create 1d03h, use 12:39:15 timeout:0, timing-out,
    flags: extended, extendable, static, use_count: 0, entry-id: 28, lc_entries: 0
tcp W.X.Y.Z:443        10.44.44.254:443   ---                ---
    create 1d04h, use 1d04h timeout:0, timing-out,
    flags: extended, extendable, static, use_count: 0, entry-id: 10, lc_entries: 0
udp W.X.Y.Z:500        10.44.44.254:500   ---                ---
    create 1d04h, use 00:06:50 timeout:0, timing-out,
    flags: extended, extendable, static, use_count: 1, entry-id: 2, lc_entries: 0
udp W.X.Y.Z:4500       10.44.44.254:4500  ---                ---
    create 1d04h, use 1d04h timeout:0, timing-out,
    flags: extended, extendable, static, use_count: 0, entry-id: 1, lc_entries: 0
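The B) output above is worth reading programmatically, because it answers both of the poster's questions at once: static entries whose "Inside global" is the router's own address permanently hand those ports to 10.44.44.254 (so inbound sessions to the public IP never reach the router), while entries without the static flag exist only because inside-to-outside traffic created them and age out on the inactivity timer. The parser below is an added example, not from the thread or from Cisco. Its sample is modelled on the B) output with 203.0.113.10 standing in for W.X.Y.Z, plus one constructed dynamic entry for contrast; the field layout assumed for the verbose lines is the one shown in the post.

```python
"""Parse 'show ip nat translations verbose' and classify the entries.

Added example. Reports (a) which ports on the router's public address are
redirected to an inside host by static translations and (b) which entries
are dynamic and therefore subject to the NAT inactivity timeout.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the poster's B) output; 203.0.113.10 stands in
# for W.X.Y.Z. The final tcp entry is invented to show a dynamic translation.
SAMPLE = """\
Router>sh ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:22    10.44.44.254:22    ---                ---
    create 1d03h, use 12:39:15 timeout:0, timing-out,
    flags: extended, extendable, static, use_count: 0, entry-id: 28, lc_entries: 0
tcp 203.0.113.10:443   10.44.44.254:443   ---                ---
    create 1d04h, use 1d04h timeout:0, timing-out,
    flags: extended, extendable, static, use_count: 0, entry-id: 10, lc_entries: 0
udp 203.0.113.10:500   10.44.44.254:500   ---                ---
    create 1d04h, use 00:06:50 timeout:0, timing-out,
    flags: extended, extendable, static, use_count: 1, entry-id: 2, lc_entries: 0
udp 203.0.113.10:4500  10.44.44.254:4500  ---                ---
    create 1d04h, use 1d04h timeout:0, timing-out,
    flags: extended, extendable, static, use_count: 0, entry-id: 1, lc_entries: 0
tcp 203.0.113.10:1025  10.44.44.10:1025   198.51.100.7:80    198.51.100.7:80
    create 00:00:09, use 00:00:09 timeout:86400000, flags: extended,
    use_count: 0, entry-id: 31, lc_entries: 0
"""

PROTOCOLS = {"tcp", "udp", "icmp", "esp", "---"}


@dataclass
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    detail: List[str] = field(default_factory=list)  # the verbose lines that follow
    flags: List[str] = field(default_factory=list)
    timeout_ms: Optional[int] = None
    entry_id: Optional[int] = None

    @property
    def static(self) -> bool:
        return "static" in self.flags


def _apply_detail(t: Translation) -> None:
    """Fill flags/timeout/entry-id from the indented verbose lines."""
    blob = " ".join(t.detail)
    m = re.search(r"flags:(.*?)use_count", blob)
    if m:
        t.flags = [f.strip() for f in m.group(1).split(",") if f.strip()]
    m = re.search(r"timeout:(\d+)", blob)
    if m:
        t.timeout_ms = int(m.group(1))
    m = re.search(r"entry-id:\s*(\d+)", blob)
    if m:
        t.entry_id = int(m.group(1))


def parse_nat_translations(text: str) -> List[Translation]:
    entries: List[Translation] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 5 and parts[0] in PROTOCOLS:
            entries.append(Translation(*parts))      # a new translation row
        elif entries and parts and parts[0] != "Pro":
            entries[-1].detail.append(raw.strip())   # continuation of the last row
    for t in entries:
        _apply_detail(t)
    return entries


def split_host_port(s: str) -> Tuple[str, Optional[int]]:
    host, _, port = s.rpartition(":")
    return (host, int(port)) if port.isdigit() else (s, None)


def static_port_redirects(entries: List[Translation], public_ip: str) -> Dict[Tuple[str, int], str]:
    """(proto, port) on public_ip that a static entry forwards to an inside host.
    Inbound connections to these ports never terminate on the router itself."""
    redirects: Dict[Tuple[str, int], str] = {}
    for t in entries:
        host, port = split_host_port(t.inside_global)
        if t.static and host == public_ip and port is not None:
            redirects[(t.proto, port)] = t.inside_local
    return redirects


def dynamic_entries(entries: List[Translation]) -> List[Translation]:
    """Entries created by inside->outside traffic; they disappear on inactivity,
    after which outside->inside traffic has nothing to match."""
    return [t for t in entries if not t.static]


if __name__ == "__main__":
    parsed = parse_nat_translations(SAMPLE)
    for key, target in sorted(static_port_redirects(parsed, "203.0.113.10").items()):
        print(f"static: {key[0]}/{key[1]} on public address -> {target}")
    for t in dynamic_entries(parsed):
        print(f"dynamic: entry {t.entry_id} timeout {t.timeout_ms} ms")
```

Run against a real capture, the static list is the set of management ports that are unreachable on the public address, and the dynamic list is what will vanish when the LAN1 side goes quiet; comparing the two captures the poster calls A) and B) makes the timeout effect visible directly.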
My situation looks almost the same as in the article, except that the VPN gateways are not Cisco routers. I suppose it could be a bug in the IOS, and I'll try to upgrade it. If I can't get one, I'll implement the other solution suggested by Martin Gallagher. Or I'll try NAT-T. I don't know yet.