[c-nsp] Cisco 877w - Unable to NAT traffic for remote IPSec Sites

Christopher Varley christopher.varley at zen.co.uk
Wed Sep 2 06:55:44 EDT 2009


Hello All,

I am trying to configure a Cisco 877w to act as an IPSec tunnel
concentrator and provide Internet breakout for the remote sites. The
router is running c870-advsecurityk9-mz.124-15.T5.bin.

The solution currently comprises seven Speedtouch 608WL routers
with the default route set to go over the IPSec tunnel.


ST 608wl  -----IPSec---|            |
                       | Cisco 877  | --------Internet
ST 608wl  -----IPSec---|            |


I have configured the IPSec tunnel and I am able to get traffic
between the sites however the Cisco router is not performing NAT for
the remote sites.

The relevant sections of the configuration are:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key test123 address 1.1.1.1
crypto isakmp key test123 address 2.2.2.2
crypto isakmp key test123 address 3.3.3.3
crypto isakmp key test123 address 4.4.4.4
crypto isakmp key test123 address 5.5.5.5
crypto isakmp key test123 address 6.6.6.6
crypto isakmp key test123 address 7.7.7.7
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TRANSFORM
 set pfs group2
 match address 115
crypto map VPN 20 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TRANSFORM
 set pfs group2
 match address 125
crypto map VPN 30 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set TRANSFORM
 set pfs group2
 match address 135
crypto map VPN 40 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set TRANSFORM
 set pfs group2
 match address 145
crypto map VPN 50 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set TRANSFORM
 set pfs group2
 match address 155
crypto map VPN 60 ipsec-isakmp
 set peer 6.6.6.6
 set transform-set TRANSFORM
 set pfs group2
 match address 165
crypto map VPN 70 ipsec-isakmp
 set peer 7.7.7.7
 set transform-set TRANSFORM
 set pfs group2
 match address 175
!
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xyz123@abc
 ppp chap password 0 xxxxxxx
 crypto map VPN
!
!
interface BVI1
 description Customer Network
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip nat pool CUST-NATPOOL 82.70.186.30 82.70.186.30 netmask 255.255.255.248
ip nat inside source route-map NONAT pool CUST-NATPOOL overload
!
!
route-map NONAT permit 10
 match ip address 110
!
!
access-list 110 deny   ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny   ip 192.168.20.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 deny   ip 192.168.20.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 deny   ip 192.168.20.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny   ip 192.168.20.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 deny   ip 192.168.20.0 0.0.0.255 10.10.0.0 0.0.1.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 115 permit ip any 192.168.1.0 0.0.0.255
access-list 125 permit ip any 192.168.2.0 0.0.0.255
access-list 135 permit ip any 192.168.3.0 0.0.0.255
access-list 145 permit ip any 192.168.4.0 0.0.0.255
access-list 155 permit ip any 192.168.5.0 0.0.0.255
access-list 165 permit ip any 192.168.6.0 0.0.0.255
access-list 175 permit ip any 192.168.7.0 0.0.0.255


I am able to see traffic from the spoke sites match the ACL 110 permit
statement and also 115, but no entries are created in the NAT table.

Do you have any ideas on where I might be going wrong?

Regards

Christopher Varley

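The behaviour described above is what you get when decrypted crypto-map traffic enters and leaves the same interface: a spoke packet (192.168.1.x to the Internet) is decrypted on Dialer0 and routed straight back out Dialer0, and since Dialer0 is "ip nat outside" on both legs an inside-source translation never fires, so nothing appears in "show ip nat translations". The usual IOS workaround for crypto-map hairpinning is to policy-route the decrypted spoke traffic into a loopback marked "ip nat inside", so that its second pass through the router is inside-to-outside. The hub-side delta below is an added example (editor's illustration, not the poster's configuration). Assumptions, chosen to avoid every prefix in the post: Loopback0 uses 10.255.255.0/30, the policy-route next hop 10.255.255.2 is the unused address in that /30, and ACL 150 and route-map HAIRPIN are new names.

```cisco
! Added example, not from the original post.  Assumed: Loopback0 on
! 10.255.255.0/30, next-hop 10.255.255.2 (the other address in that /30),
! access-list 150 and route-map HAIRPIN are free for use.
!
! Step 1: a NAT-inside loopback that the decrypted spoke packets are bounced
! through.  Looping the packet back through this interface makes the
! router see it as "inside -> outside" on the way out to Dialer0.
interface Loopback0
 description NAT hairpin for decrypted spoke traffic
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
! Step 2: select only the traffic that must be hairpinned: spoke LANs
! (192.168.1.0/24 .. 192.168.7.0/24) going to the Internet.  Spoke-to-hub,
! spoke-to-spoke and spoke-to-10.10.0.0/23 traffic must keep normal routing
! (BVI1, or straight back into crypto map VPN) and must not be translated.
access-list 150 deny   ip 192.168.0.0 0.0.7.255 192.168.0.0 0.0.255.255
access-list 150 deny   ip 192.168.0.0 0.0.7.255 10.10.0.0 0.0.1.255
access-list 150 permit ip 192.168.0.0 0.0.7.255 any
!
route-map HAIRPIN permit 10
 match ip address 150
 set ip next-hop 10.255.255.2
!
! Step 3: apply the policy on the interface where the decrypted packets
! arrive.  Decryption happens before PBR on input, so the policy sees the
! clear-text spoke source addresses.
interface Dialer0
 ip policy route-map HAIRPIN
!
! No NAT change is needed: access-list 110 already permits 192.168.0.0/16
! sources, so the existing
!   ip nat inside source route-map NONAT pool CUST-NATPOOL overload
! translates the hairpinned packets on their Loopback0 -> Dialer0 pass.
! Return traffic to 82.70.186.30 is un-translated on Dialer0, routed back
! out Dialer0 by the default route, and matches crypto ACL 115-175 there.
```

To confirm it is working, generate traffic from a spoke and check "show route-map HAIRPIN" (the policy-routing match counter should increase), "show ip nat translations" (entries for the spoke sources should now appear), and "show crypto ipsec sa" (the decaps counter on the spoke's SA increases while encaps stays flat for Internet-bound traffic, since the translated packet no longer matches any crypto ACL). Two points unrelated to the NAT problem but worth fixing while in this config: a single pre-shared key shared across all seven peers means one compromised spoke can impersonate any other, so give each peer its own key, and 3DES/MD5 with DH group 2 is weak by current standards; this IOS release already supports esp-aes with esp-sha-hmac and a higher DH group, if the Speedtouch end can negotiate them.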