Sunday, December 29, 2013

Cisco 1841 HWIC-4ESW Inter VLAN NAT

We have a Cisco 1841 with an EHWIC-4ESG with a simple config and need to do NAT between 2 VLANs.

We need all traffic from 192.168.16.0/24 destined for 10.1.0.0/16 and for 10.120.0.0/16 to be source-NATed to the range 10.2.166.x. This is because we have a partner that delegated this sub-range to us to connect to his company network.

FastEthernet 0/0/3 is connected to the router of this partner with address 10.2.166.1.

When traffic goes out from the router using a simple telnet, or comes from our VPDN or from the router itself (telnet with source interface vlan1), NAT works fine and is logged in the ACLs. But when traffic comes from the LAN, the NAT does not work and is not logged in the ACLs.

Here are the relevant parts of the config. The router is running IOS 12.4.8 Advanced Security.

If somebody has questions please feel free to ask, and sorry for my poor English.

Current configuration : 6527 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default line
aaa authentication ppp default local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.16.1 192.168.16.10
!
ip dhcp pool 1
   network 192.168.16.0 255.255.255.0
   domain-name xxxxx
   default-router 192.168.16.1
   dns-server 208.67.222.222
!
!
ip name-server 208.67.222.222
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name VPDN01
!
!
!
!
username cnteste privilege 7 password 7 HSDFQW37REWHIUFGSFGDSAJGF8EW7RTW87
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key jojojojo address 148.177.xxx.xxx
crypto isakmp key kekekeke address 200.255.xxx.xxx
!
!
crypto ipsec transform-set VPN_001 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set VPN_002 esp-3des esp-md5-hmac
!
crypto map VPNs 1 ipsec-isakmp
 description VPNs Remota 002
 set peer 200.255.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set VPN_002
 set pfs group5
 match address 160
crypto map VPNs 2 ipsec-isakmp
 description VPNs Remota 001
 set peer 148.177.xxx.xxx
 set transform-set VPN_001
 match address 150
!
!
!
interface Loopback998
 ip address 200.170.xxx.xxx 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback999
 ip address 200.170.xxx.xxx 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description ISP01
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 fair-queue
 crypto map VPNs
!
interface FastEthernet0/1
 description RESERVED FOR ISP02
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 shutdown
 speed auto
 full-duplex
 fair-queue
!
interface FastEthernet0/0/0
 description Interface LAN
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 description PARTNER CONNECTION
 switchport access vlan 10
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 ip mroute-cache
 peer default ip address dhcp-pool 1
 ppp encrypt mppe auto passive
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 description description VLAN 1 Interface F0/0/0
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map FROM-LAN
!
interface Vlan10
 description VLAN 10 Interface F0/0/3 PARTNER CONNECTION
 ip address 10.2.166.100 255.255.254.0
 ip nat outside
 ip virtual-reassembly
!
ip local pool VPDN01 192.168.254.51 192.168.254.199
ip route 0.0.0.0 0.0.0.0 189.38.252.1
ip route 10.1.0.0 255.255.0.0 10.2.166.1
ip route 10.120.0.0 255.255.0.0 10.2.166.1
!
ip http server
ip http port 2280
ip http authentication local
no ip http secure-server
ip nat pool NAT-PARTNER 10.2.166.128 10.2.166.160 prefix-length 26
ip nat inside source list 140 interface FastEthernet0/0 overload
ip nat inside source list NAT-PARTNER pool NAT-PARTNER overload
!
ip access-list extended NAT-PARTNER
 permit ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255 log-input
 permit ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255 log-input
 deny   ip any any
!
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 1 permit 192.168.254.0 0.0.0.255
access-list 71 permit 192.168.16.1
access-list 99 permit 192.168.16.3
access-list 100 permit ip any any
access-list 101 deny   ip any any
access-list 130 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255
access-list 140 deny   ip 192.168.16.0 0.0.0.255 10.120.0.0 0.0.255.255
access-list 140 permit ip 192.168.16.0 0.0.0.255 any
access-list 140 permit ip 192.168.254.0 0.0.0.255 any
access-list 150 permit ip 192.168.16.0 0.0.0.255 10.97.0.0 0.0.255.255 log
access-list 160 permit ip 192.168.16.0 0.0.0.255 10.90.0.0 0.0.255.255 log
!
route-map FROM-LAN permit 10
 match ip address NAT-PARTNER
 set ip next-hop 10.2.166.1
!


Just to thank you. In the end we did an IOS upgrade to 12.4.25 and EHWIC-1GE-SFP-CU; NAT is now OK with the same config.
