Simplified Networking

Site to Site VPN - IOS Routers with Crypto Map and NAT Exemption

In this lab NAT and a crypto map VPN are enabled on the same outside interface, and both must remain usable at the same time.

ip access-list extended NAT
 permit ip 10.1.0.0 0.0.255.255 any

interface g0/1
 ip nat inside
!
interface g0/0
 ip nat outside
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload

IOSv14#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/26 ms


IOSv14#ping 10.18.21.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.18.21.21, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)


IOSv14#ping 10.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)



R3#sh ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 103.0.0.3:628     10.1.14.14:628     10.3.11.3:628      10.3.11.3:628
icmp 103.0.0.3:629     10.1.14.14:629     1.1.1.1:629        1.1.1.1:629
icmp 103.0.0.3:630     10.1.14.14:630     10.1.4.4:630       10.1.4.4:630
icmp 103.0.0.3:631     10.1.14.14:631     10.18.21.21:631    10.18.21.21:631



The pings that worked before now fail because of the order of operations a router applies to outbound traffic: routing first, then NAT, then encryption. The NAT ACL permits all traffic from 10.1.0.0/16, so the router translates the VPN-bound packets before the crypto map sees them, and the translated source no longer matches the interesting traffic. The fix is to add deny statements for the VPN destinations to the NAT ACL so that this traffic is exempted from translation.

ip access-list extended NAT
 1 deny ip 10.1.0.0 0.0.255.255 10.1.4.0 0.0.0.255
 2 deny ip 10.1.0.0 0.0.255.255 10.18.21.0 0.0.0.255
 3 deny ip 10.1.0.0 0.0.255.255 10.8.18.0 0.0.0.255 
 4 deny ip 10.1.0.0 0.0.255.255 10.10.20.0 0.0.0.255
 5 deny ip 10.1.0.0 0.0.255.255 10.20.23.0 0.0.0.255
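The following Python model of the route, NAT, then crypto order of operations is an added example, not code from this page or from Cisco. It parses the NAT ACL exactly as shown above (before and after the deny lines), evaluates IOS wildcard masks, and shows why the VPN-bound packet from 10.1.14.14 is translated to 103.0.0.3 and misses the crypto ACL until the exemption is in place. The crypto ACL and the inside global address 103.0.0.3 are assumptions taken from the ping and NAT output on this page; the real crypto ACL is not shown here.

```python
"""Model of the IOS outbound order of operations for the lab above: route, NAT, then crypto.
Added example; the crypto ACL and inside global address are assumptions based on the page output."""
from dataclasses import dataclass
import ipaddress


@dataclass
class AclEntry:
    seq: int
    action: str  # "permit" or "deny"
    src: str     # "network wildcard" or "any"
    dst: str


def _take_spec(tokens, i):
    """Consume one address spec starting at tokens[i]: 'any' or 'network wildcard'."""
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text):
    """Parse extended ACL lines as shown in an IOS running-config (sequence number optional)."""
    entries, seq = [], 0
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0].isdigit():
            seq = int(tok.pop(0))
        else:
            seq += 10  # IOS numbers unsequenced lines in steps of 10
        action = tok[0]  # tok[1] is the protocol ("ip"); only "ip" entries are modelled here
        src, i = _take_spec(tok, 2)
        dst, _ = _take_spec(tok, i)
        entries.append(AclEntry(seq, action, src, dst))
    return entries


def wildcard_match(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)


def acl_lookup(acl, src, dst):
    """First matching entry in sequence order wins; implicit deny at the end."""
    for e in sorted(acl, key=lambda e: e.seq):
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action
    return "deny"


def forward(nat_acl, crypto_acl, src, dst, inside_global="103.0.0.3"):
    """Inside-to-outside packet on R3: returns (source address on the wire, encrypted?).
    1. Route: the outside interface is assumed to be the egress for every destination here.
    2. NAT: a permit in the NAT ACL rewrites the source to the inside global (interface) address.
    3. Crypto map: the crypto ACL is evaluated against the packet *after* NAT."""
    wire_src = inside_global if acl_lookup(nat_acl, src, dst) == "permit" else src
    encrypted = acl_lookup(crypto_acl, wire_src, dst) == "permit"
    return wire_src, encrypted


# NAT ACL as on the page, before and after adding the exemption lines.
NAT_ACL_BEFORE = parse_acl("""
10 permit ip 10.1.0.0 0.0.255.255 any
""")
NAT_ACL_AFTER = parse_acl("""
1 deny ip 10.1.0.0 0.0.255.255 10.1.4.0 0.0.0.255
2 deny ip 10.1.0.0 0.0.255.255 10.18.21.0 0.0.0.255
3 deny ip 10.1.0.0 0.0.255.255 10.8.18.0 0.0.0.255
4 deny ip 10.1.0.0 0.0.255.255 10.10.20.0 0.0.0.255
5 deny ip 10.1.0.0 0.0.255.255 10.20.23.0 0.0.0.255
10 permit ip 10.1.0.0 0.0.255.255 any
""")
# Assumed crypto ACL (not shown on the page): the same remote subnets as interesting traffic.
CRYPTO_ACL = parse_acl("""
10 permit ip 10.1.0.0 0.0.255.255 10.1.4.0 0.0.0.255
20 permit ip 10.1.0.0 0.0.255.255 10.18.21.0 0.0.0.255
30 permit ip 10.1.0.0 0.0.255.255 10.8.18.0 0.0.0.255
40 permit ip 10.1.0.0 0.0.255.255 10.10.20.0 0.0.0.255
50 permit ip 10.1.0.0 0.0.255.255 10.20.23.0 0.0.0.255
""")

if __name__ == "__main__":
    for acl, label in ((NAT_ACL_BEFORE, "before"), (NAT_ACL_AFTER, "after")):
        for dst in ("1.1.1.1", "10.1.4.4", "10.18.21.21"):
            print(label, dst, forward(acl, CRYPTO_ACL, "10.1.14.14", dst))
```

Running the script prints the before and after cases side by side: with the original NAT ACL the packet to 10.1.4.4 leaves as 103.0.0.3 and unencrypted, which is the translation entry and failed ping seen above, while internet traffic to 1.1.1.1 is translated as intended. With the deny lines in place the VPN destinations keep their inside source and match the crypto ACL, and 1.1.1.1 is still translated.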



IOSv14#ping 1.1.1.1    
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/36/54 ms
IOSv14#ping 10.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 45/68/108 ms
IOSv14#ping 10.18.21.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.18.21.21, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 63/65/68 ms
IOSv14#ping 10.8.18.18 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.18.18, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 31/42/69 ms
IOSv14#ping 10.10.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 37/45/59 ms
IOSv14#ping 10.20.23.23                 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.23.23, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 38/47/66 ms



R3#show ip access-lists NAT
Extended IP access list NAT
    1 deny ip 10.1.0.0 0.0.255.255 10.1.4.0 0.0.0.255 (18 matches)
    2 deny ip 10.1.0.0 0.0.255.255 10.18.21.0 0.0.0.255 (5 matches)
    3 deny ip 10.1.0.0 0.0.255.255 10.8.18.0 0.0.0.255 (5 matches)
    4 deny ip 10.1.0.0 0.0.255.255 10.10.20.0 0.0.0.255 (5 matches)
    5 deny ip 10.1.0.0 0.0.255.255 10.20.23.0 0.0.0.255 (5 matches)
    10 permit ip 10.1.0.0 0.0.255.255 any (44 matches)