RE: VPN + NAT + ISDN = Stumped (cisco-nsp mailing list archive, msg #00148)
Hi Steve. Aren't VPNs fun? Here is what I see. It looks like your VPN Server's current config won't work because you are running NAT for the VPN-able address range. Because of this, your Crypto Transform never matches its access-list. (The source address is going to be whatever IP the Dialer takes)... So, here is what I think is the simplest way to fix it. You need to exclude traffic destined for the VPN from NAT.

---
no access-list 103
access-list 103 deny ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255
access-list 103 permit ip any any
---

Alternately, here is how I like to do it if you are going to be adding multiple VPNs. This allows you to only update a single ACL, and you don't have to tamper with your NAT ACL.

---
no access-list 103
access-list 103 permit ip any any
!
route-map NatPolicy deny 10
 match ip address 132
! (this is the ACL you use for your Crypto Map)
route-map NatPolicy permit 20
 match ip address 103
! (This is Permit Any)
!
no ip nat inside source list 103 interface serial0 overload
ip nat inside source route-map NatPolicy interface serial0 overload
---

Let me know if this doesn't work and I'll look again.

Good Luck,
Ejay Hire
Network Engineer (looking for work on the side)
ejayhire@xxxxxxxxxxx

-----Original Message-----
From: Steve Lim [mailto:limmer@xxxxxxxxxx]
Sent: Friday, August 08, 2003 11:39 AM
To: cisco-nsp@xxxxxxxxxxxxxxx
Subject: [nsp] VPN + NAT + ISDN = Stumped

Hello,

I checked the archives; unless I missed something, the list discussion of a similar question by Ray Davis at Carpnet fizzled. The SA session establishes, and that's about it. Private hosts on either end are unable to see each other. I must be missing something? The config that I used on the ISDN side works on a router that uses a DSL circuit. The only difference I can see is Dialer 0 on the ISDN router vs. fa0 on the DSL router.
Remote side:
  Private Network: 10.100.200.0/24
  Router WAN IP:   111.111.111.51/32
HQ side (VPN-Gateway):
  Router WAN IP:   222.222.222.100
  Private Network: 10.10.0.0/16

Layout:

Local LAN    Host1          | Host2          | Host 3
             10.100.200.1   | 10.100.200.2   | 10.100.200.3
                  ||
                  || (Fastether)
                  ||
      -------------------------
      |10.100.200.254/24 fa0  |
      |                       |
      |Router 1751            |
      |                       |
      |111.111.111.51 dialer0 |
      -------------------------
                  ||
                  || (ISDN)
                  ||
      -------------------------
      |                       |
      |ISP/Internet Cloud     |
      |                       |
      -------------------------
                  ||
                  || (T1)
                  ||
      -------------------------
      |222.222.222.100 se0    |
      |                       |
      |VPN Gateway            |
      |                       |
      |10.10.0.254/16 fa0     |
      -------------------------
                  ||
                  || (Fastether)
                  ||
             Host1 10.10.0.82/16

-----------------------------
Remote Router Config (1721):
Note: It's a nasty config :(

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key bla1 address 222.222.222.100
!
crypto ipsec transform-set bla2 esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 222.222.222.100
 set transform-set bla2
 match address 101
!
interface BRI0
 no ip address
 ip nat outside
 encapsulation ppp
 dialer rotary-group 0
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 41412345670101 1234567
 isdn spid2 41412345680101 1234568
 crypto map Test
!
interface FastEthernet0
 ip address 10.100.200.254 255.255.255.0
 ip nat inside
 speed auto
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 2000000
 dialer string 2336981
 dialer load-threshold 1 outbound
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username blablaa@xxxxxxx password bla
 ppp multilink
 crypto map Test
!
ip nat inside source list 103 interface dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 permit ip 10.100.200.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 103 deny ip 10.100.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip host 10.100.200.1 any
access-list 103 permit ip host 10.100.200.2 any
access-list 103 permit ip host 10.100.200.3 any
dialer-list 1 protocol ip permit

---------------------
VPN Gateway Config:

crypto isakmp policy 2
 hash md5
 authentication pre-share
!
crypto isakmp key bla1 address 111.111.111.51
!
crypto ipsec transform-set bla2 esp-3des esp-sha-hmac
!
crypto map Test 32 ipsec-isakmp
 set peer 111.111.111.51
 set transform-set bla2
 match address 132
!
interface se0
 ip address 222.222.222.100 255.255.255.252
 ip nat outside
 crypto map Test
!
interface fa0
 ip address 10.10.0.254 255.255.0.0
 ip nat inside
!
ip nat inside source list 103 interface serial0 overload
ip route 0.0.0.0 0.0.0.0 serial 0
!
access-list 132 permit ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255
access-list 103 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255

SL
--
<><><><><><><><><><><><><><><><><><><><>
Steve Lim - Network Engineer (Michigan)
Corecomm - An ATX Communications Company
Life is a feast, enjoy it while you wait for dessert -limmer

_______________________________________________
cisco-nsp mailing list
cisco-nsp@xxxxxxxxxxxxxxx
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
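To make the NAT-versus-crypto-map interaction in the thread concrete, here is an added example that is not part of the list post: a small Python model of IOS wildcard-mask ACL matching and the inside-to-outside order of operations (NAT is applied before the crypto map is consulted on the outside interface), run against the HQ gateway's ACL 132 and ACL 103 as posted and against both of Ejay's fixes. The function names are mine, and the model assumes the overload address is serial0's 222.222.222.100; the ACL lines themselves are copied from the thread.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WC DST WC' ('any' and 'host' forms included)."""
    tok = line.lower().split()
    action, rest = tok[2], tok[4:]
    def grab():
        if rest[0] == "any":
            del rest[0]; return ("0.0.0.0", "255.255.255.255")
        if rest[0] == "host":
            net = rest[1]; del rest[:2]; return (net, "0.0.0.0")
        net, wc = rest[0], rest[1]; del rest[:2]; return (net, wc)
    return action, grab(), grab()

def acl_permits(acl, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, (sn, sw), (dn, dw) in map(parse_ace, acl):
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

def route_map_permits(clauses, src, dst):
    """Route-map semantics: the first clause whose match ACL permits decides; no match = deny."""
    for action, acl in clauses:
        if acl_permits(acl, src, dst):
            return action == "permit"
    return False

# ACLs copied from the thread (HQ VPN gateway), plus Ejay's two fixes.
CRYPTO_132 = ["access-list 132 permit ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255"]
ORIGINAL_103 = ["access-list 103 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255"]
FIXED_103 = ["access-list 103 deny ip 10.10.0.0 0.0.255.255 10.100.200.0 0.0.0.255",
             "access-list 103 permit ip any any"]
NAT_POLICY = [("deny", CRYPTO_132), ("permit", ["access-list 103 permit ip any any"])]

def outbound(src, dst, nat_policy):
    """IOS inside->outside order: NAT runs first, then the crypto map on the outside interface.
    Returns (source address as seen by the crypto map, whether ACL 132 matched)."""
    post_nat_src = "222.222.222.100" if nat_policy(src, dst) else src  # assumed overload on serial0
    return post_nat_src, acl_permits(CRYPTO_132, post_nat_src, dst)

def original(src, dst): return acl_permits(ORIGINAL_103, src, dst)
def fixed(src, dst): return acl_permits(FIXED_103, src, dst)
def route_mapped(src, dst): return route_map_permits(NAT_POLICY, src, dst)
```

For Host1 at 10.10.0.82 sending to 10.100.200.1, the posted ACL 103 rewrites the source to 222.222.222.100 so ACL 132 never matches, while either fix leaves the source untranslated and the packet is selected for encryption; Internet-bound traffic is still translated under both fixes.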