Manta
Premium
join:2003-11-04
UK

ISAKMP profile with NAT-T terminates before firewall

I've been scratching my head on this for a while and I'm getting nowhere. I have a Cisco 1801 running 12.4-24T4 with a single fixed external IP. Two external sites (amongst others) connect from dynamic IP using an ISAKMP profile. Everything is identical except one is behind NAT (site1) and the other is not (site2). The one not behind NAT connects fine and works as it always did - GRE tunnel anchored to loopback with IPSEC for encryption.
Site1 I had trouble with - and I think this may be down to differences in various versions of IOS - as I've been playing around with different boxes here. I've managed to get it to connect by either adding the internal IP to the ISAKMP profile or switching to hostname as the ISAKMP identity as suggested here: supportforums.cisco.com/docs/DOC-14308
That works nicely but now the GRE traffic is bouncing off my external ACL. I can add an exception but I'm confused as to why one tunnel needs this and the other doesn't when the only difference I can see is the NAT traversal. Something with CBAC not checking NAT-T connections perhaps? Doesn't seem to be any rogue translations appearing in NAT.

Thanks in advance for any fruitful head-scratching and apologies if it ends up tipping anyone over the edge!

Many thanks,
Gareth

version 12.4
no service pad
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
!
hostname home
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 10240 notifications
enable secret 5 <cut>
!
aaa new-model
!
!
aaa authentication login local-auth local-case
aaa authorization network local-authorize local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name <cut>
ip inspect tcp reassembly queue length 100
ip inspect name cbac-internet ftp
ip inspect name cbac-internet h323
ip inspect name cbac-internet https
ip inspect name cbac-internet icmp
ip inspect name cbac-internet imap
ip inspect name cbac-internet pop3
ip inspect name cbac-internet rtsp
ip inspect name cbac-internet tftp
ip inspect name cbac-internet tcp router-traffic
ip inspect name cbac-internet udp router-traffic
ip inspect name cbac-internet http alert on
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username <cut> secret 5 <cut>
!
crypto keyring talktalk
  description TalkTalk dynamic IP ranges
  pre-shared-key address 0.0.0.0 0.0.0.0 key <cut>
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key <cut> address <cut> no-xauth
crypto isakmp key <cut> address <cut> no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp profile ios-talktalk
   description Cisco router on TalkTalk connection
   keyring talktalk
   match identity address 62.24.128.0 255.255.128.0
   match identity address 84.13.0.0 255.255.0.0
   match identity address 89.242.0.0 255.254.0.0
   match identity address 89.240.0.0 255.254.0.0
   match identity address 92.28.0.0 255.254.0.0
   match identity address 92.26.0.0 255.254.0.0
   match identity address 92.24.0.0 255.254.0.0
   match identity address 78.144.0.0 255.252.0.0
   match identity address 78.148.0.0 255.252.0.0
   match identity address 2.96.0.0 255.248.0.0
   match identity address 92.0.0.0 255.224.0.0
   match identity address 92.16.0.0 255.128.0.0
   match identity host <site1 router FQDN>
!
!
crypto ipsec transform-set ipsec-tunnel esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 description Site1 to Me IPSec tunnel to carry GRE
 set transform-set ipsec-tunnel
 set pfs group5
 set isakmp-profile ios-talktalk
 match address vpnacl-site1
!
crypto dynamic-map dynmap 20
 description site2 to me IPSec tunnel to carry GRE
 set transform-set ipsec-tunnel
 set pfs group5
 set isakmp-profile ios-talktalk
 match address vpnacl-site2
!
!
crypto map vpn-tunnel 50 ipsec-isakmp
 description another site IPSec tunnel to carry GRE
 set peer <cut>
 set transform-set ipsec-tunnel
 set pfs group5
 match address vpnacl-other
!
crypto map vpn-tunnel 999 ipsec-isakmp dynamic dynmap
!
!
interface Loopback0
 description Always-up interface to anchor tunnels to
 ip address 192.168.1.1 255.255.255.255
!
interface Tunnel1
 description Tunnel to other site
 bandwidth 1024
 ip unnumbered Loopback0
 ip multicast boundary multicast-boundary
 ip tcp adjust-mss 1200
 qos pre-classify
 keepalive 3 3
 tunnel source Loopback0
 tunnel destination 192.168.1.5
!
interface Tunnel3
 description Tunnel to Site2
 bandwidth 512
 ip unnumbered Loopback0
 ip multicast boundary multicast-boundary
 ip tcp adjust-mss 1200
 qos pre-classify
 keepalive 3 3
 tunnel source Loopback0
 tunnel destination 192.168.1.4
!
interface Tunnel4
 description Tunnel to Site1
 bandwidth 512
 ip unnumbered Loopback0
 ip multicast boundary multicast-boundary
 ip tcp adjust-mss 1200
 qos pre-classify
 keepalive 3 3
 tunnel source Loopback0
 tunnel destination 192.168.1.7
 
!
interface FastEthernet0
 description Outside
 mac-address <cut>
 bandwidth 10000
 bandwidth receive 100000
 ip address dhcp client-id FastEthernet0
 ip access-group internet-ingress in
 ip access-group internet-egress out
 ip flow ingress
 ip nat outside
 ip inspect cbac-internet out
 ip virtual-reassembly
 duplex auto
 speed auto
 snmp ifindex persist
 crypto map vpn-tunnel
!
 
ip nat inside source list nat-list interface FastEthernet0 overload
ip access-list extended internet-egress
 remark Invalid internet addresses
 deny   ip any 0.0.0.0 0.255.255.255 log
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 127.0.0.0 0.255.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
 deny   ip any 192.0.2.0 0.0.0.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark Other
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any
 permit udp any any
 permit esp any any
 permit 41 host 86.24.95.251 host 212.113.147.150
 deny   ip any any log
ip access-list extended internet-ingress
 <cut>
 remark VPN enable
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit gre host 192.168.1.7 host 192.168.1.1
 remark non-routable IPs
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip host 255.255.255.255 any
 <cut>
 remark icmp restrictions
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
!
ip access-list extended nat-list
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
ip access-list extended vpnacl-site1
 permit ip host 192.168.1.1 host 192.168.1.7
!
ip access-list extended vpnacl-site2
 permit ip host 192.168.1.1 host 192.168.1.4
!
ip access-list extended vpnacl-other
 permit ip host 192.168.1.1 host 192.168.1.5
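An added example, not from the post above and not Cisco code: a small Python first-match evaluator for the subset of IOS extended-ACL syntax the posted config uses, run over the `internet-ingress` ACL as posted (the `<cut>` lines are omitted, which is an assumption about what they do not contain). It makes the asymmetry in the question visible from the ACL alone: GRE from site1's tunnel endpoint (192.168.1.7) is permitted only by the explicit exception, while GRE from site2's endpoint (192.168.1.4) has no exception and falls through to `deny ip 192.168.0.0 0.0.255.255 any log`, so any path that does evaluate decrypted GRE against this ACL will log and drop it until an exception is added. The public peer and router addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""First-match evaluator for a subset of Cisco IOS extended ACL syntax.

Added example, not part of the original post or of IOS. Supported keywords
are only those the post's ACL uses: any / host / address+wildcard, 'eq' with
a numeric or named port, ICMP type names, and a trailing 'log'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
# ICMP type names used in the post's ACLs mapped to ICMP type numbers.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3,
              "time-exceeded": 11, "traceroute": 30}

# The post's internet-ingress ACL with the '<cut>' lines left out (assumption).
INTERNET_INGRESS = """
 remark VPN enable
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit gre host 192.168.1.7 host 192.168.1.1
 remark non-routable IPs
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip host 255.255.255.255 any
 remark icmp restrictions
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
"""


@dataclass
class Packet:
    proto: int                      # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None


@dataclass
class Ace:
    text: str
    action: str
    proto: Optional[int]            # None means 'ip' (any protocol)
    src: Callable[[ipaddress.IPv4Address], bool]
    dst: Callable[[ipaddress.IPv4Address], bool]
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _addr_matcher(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        host = ipaddress.IPv4Address(tokens[i + 1])
        return (lambda ip: ip == host), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    # A wildcard bit of 1 is "don't care"; the remaining bits must be equal.
    return (lambda ip: (int(ip) | wild) == (net | wild)), i + 2


def parse_acl(text: str) -> list:
    """Turn ACL lines into Ace objects; remarks and blank lines are skipped."""
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        proto_tok = tokens[1]
        proto = PROTOCOLS[proto_tok] if proto_tok in PROTOCOLS else int(proto_tok)
        src, i = _addr_matcher(tokens, 2)
        dst, i = _addr_matcher(tokens, i)
        ace = Ace(" ".join(tokens), tokens[0], proto, src, dst)
        while i < len(tokens):
            if tokens[i] == "eq":
                name = tokens[i + 1]
                ace.dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
                i += 2
            elif tokens[i] in ICMP_TYPES:
                ace.icmp_type = ICMP_TYPES[tokens[i]]
                i += 1
            else:
                i += 1      # 'log' and other qualifiers that do not affect matching
        aces.append(ace)
    return aces


def evaluate(aces, pkt: Packet):
    """First-match evaluation; returns (action, matching ACE text).
    The ACL's implicit trailing deny is modelled explicitly."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in aces:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if not (ace.src(src) and ace.dst(dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


def check_tunnel_traffic():
    """Evaluate the traffic types discussed in the post against the ingress ACL.
    Public addresses are constructed placeholders (RFC 5737 ranges)."""
    acl = parse_acl(INTERNET_INGRESS)
    peer, me = "203.0.113.10", "198.51.100.1"
    cases = {
        "esp":       Packet(50, peer, me),                  # plain IPsec ESP
        "nat-t":     Packet(17, peer, me, dport=4500),      # ESP in UDP 4500
        "gre-site1": Packet(47, "192.168.1.7", "192.168.1.1"),
        "gre-site2": Packet(47, "192.168.1.4", "192.168.1.1"),
        "icmp-echo": Packet(1, peer, me, icmp_type=8),      # inbound ping
    }
    return {name: evaluate(acl, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (action, text) in check_tunnel_traffic().items():
        print(f"{name:10s} {action:6s} <- {text}")
```

Running the script shows `gre-site1` permitted by the explicit GRE entry and `gre-site2` denied (and logged) by the 192.168.0.0/16 entry, which is the same picture the poster sees: the tunnel whose decrypted GRE is evaluated against this ACL needs the exception, the other does not. The same evaluator can be pointed at a candidate `internet-egress` ACL to confirm a change before it is applied to the interface.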