Why is traffic from clients connected via VPDN to a Cisco 1921 not translated by NAT?
There is a Cisco 1921/K9 router with the securityk9 and datak9 technology packages. The router is connected to two ISPs, each of which has allocated one external IP address. Behind the router is a local network that reaches the Internet through NAT, by default via the first provider and, if that one is unreachable, via the second. The reachability check is implemented with ip sla and a default route that depends on it. PBR is also configured on the router so that responses to requests from outside are sent through the same interface the request arrived on; a reflexive access-list is used for this.
Everything works great.
Now there is a need to accept dial-in users from outside via IPsec/L2TP. That also works, and the internal network is reachable for VPN users. But there is a problem with letting dial-in users out to the Internet as if they were local users: for some reason no translation entries are created for them. So the question is: why does this happen, and where is the error in the config?
!
version 15.4
!
aaa new-model
!
aaa group server radius VPN-RADIUS
 server-private %radius-ip% auth-port 1812 acct-port 1813 test username radiustest idle-time 15 key 7 0000000000
ip radius source-interface Vlan12
!
aaa authentication ppp VPN-CLIENTS group VPN-RADIUS local
!
aaa authorization network VPN-CLIENTS group VPN-RADIUS local
aaa accounting network VPN-CLIENTS
 action-type start-stop
 group VPN-RADIUS
!
ip dhcp pool Office
 network 10.10.2.0 255.255.255.0
 update dns
 default-router 10.10.2.1
 dns-server 10.10.2.2
 lease 0 12
 update arp
!
vpdn enable
!
vpdn-group VPN-clients
 ! Default L2TP VPDN group
 ! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 lcp renegotiation always
 no l2tp tunnel authentication
 l2tp tunnel timeout no-session 15
 ip mtu adjust
!
redundancy
!
track 10 ip sla 10 reachability
!
track 11 ip sla 11 reachability
!
track 20 ip sla 20 reachability
!
track 21 ip sla 21 reachability
!
track 100 list boolean or
 object 10
 object 11
 delay down 20 up 10
!
track 200 list boolean or
 object 20
 object 21
 delay down 20 up 10
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
!
crypto isakmp key SharedSecret address 0.0.0.0 no-xauth
!
crypto ipsec transform-set ESP-AES256-SHA2 esp-aes esp-sha256-hmac
 mode transport
!
crypto dynamic-map L2TP-clients 10
 set nat demux
 set transform-set ESP-AES256-SHA2
!
crypto map L2TP-clients 10 ipsec-isakmp dynamic L2TP-clients
!
bridge irb
!
interface GigabitEthernet0/0
 description Uplink to ISP1
 no ip address
 no ip split-horizon
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
!
interface GigabitEthernet0/1
 description Uplink to ISP2
 no ip address
 no ip split-horizon
 duplex auto
 speed auto
 no cdp enable
 bridge-group 2
!
interface GigabitEthernet0/0/0
 description LAN
 switchport access vlan 12
 switchport mode access
 no ip address
!
interface Virtual-Template1
 ip address 10.10.31.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly in
 ip tcp header-compression
 peer default ip address pool VPN-clients
 keepalive 300
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2 VPN-CLIENTS
 ppp accounting VPN-CLIENTS
 ppp ipcp dns 10.10.2.2
!
interface Vlan12
 description Office
 ip address 10.10.2.254 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 standby version 2
 standby 0 ip 10.10.2.1
 standby 0 timers 1 3
 standby 0 preempt
 standby 0 authentication md5 key-chain HSRP-internal
 ip tcp adjust-mss 1412
 no autostate
!
interface BVI1
 description ISP1 uplink bridge
 ip address %ISP1-ADDR% 255.255.255.240
 ip access-group WAN-IN_1 in
 ip access-group WAN-OUT_1 out
 ip nat outside
 ip virtual-reassembly in
 no ip split-horizon
 crypto map L2TP-clients
!
interface BVI2
 description ISP2 uplink bridge
 ip address %ISP2-ADDR% 255.255.255.252
 ip access-group WAN-IN_2 in
 ip access-group WAN-OUT_2 out
 ip nat outside
 ip virtual-reassembly in
 no ip split-horizon
 crypto map L2TP-clients
!
ip local policy route-map Route-Revert
ip local pool VPN-clients 10.10.31.5 10.10.31.126
!
ip nat pool ISP_1 %ISP1-ADDR% %ISP1-ADDR% netmask 255.255.255.240
ip nat pool ISP_2 %ISP2-ADDR% %ISP2-ADDR% netmask 255.255.255.252
ip nat inside source route-map ISP_1 pool ISP_1 overload
ip nat inside source route-map ISP_2 pool ISP_2 overload
ip route 0.0.0.0 0.0.0.0 %ISP1-GW% 10 track 100
ip route 0.0.0.0 0.0.0.0 %ISP1-GW% 20 track 200
!
ip access-list extended NAT-networks
 permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended Route-Revert_1
 evaluate WAN-IN_1-reflect
ip access-list extended Route-Revert_2
 evaluate WAN-IN_2-reflect
ip access-list extended WAN-IN_1
 permit tcp any any established
 evaluate WAN-OUT_1-reflect
 permit ip any any reflect WAN-IN_1-reflect timeout 300
ip access-list extended WAN-IN_2
 permit tcp any any established
 evaluate WAN-OUT_2-reflect
 permit ip any any reflect WAN-IN_2-reflect timeout 300
ip access-list extended WAN-OUT_1
 permit tcp any any established
 evaluate WAN-IN_1-reflect
 permit ip any any reflect WAN-OUT_1-reflect timeout 300
 permit ip any any
ip access-list extended WAN-OUT_2
 permit tcp any any established
 evaluate WAN-IN_2-reflect
 permit ip any any reflect WAN-OUT_2-reflect timeout 300
!
route-map ISP_1 permit 10
 match interface BVI1
!
route-map ISP_2 permit 10
 match interface BVI2
!
route-map Route-Revert permit 10
 match ip address Route-Revert_2
 set ip next-hop %ISP2-GW%
!
route-map Route-Revert permit 20
 match ip address Route-Revert_1
 set ip next-hop %ISP1-GW%
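A check worth running on this router before changing the configuration, added here as an illustration and not part of the original post. IOS creates an inside-to-outside translation only for a packet that enters on an interface carrying `ip nat inside` and leaves on one carrying `ip nat outside`, and the `ip nat inside` in the posted Virtual-Template1 reaches a dial-in session only through the Virtual-Access interface cloned from the template when that session comes up; sessions cloned before the template was edited keep their older settings until they reconnect. The interface number Virtual-Access2 and the client address 10.10.31.5 below are assumptions; substitute what `show vpdn session` reports.

```cisco
! 1. Confirm the L2TP session is up and note which Virtual-Access
!    interface it was cloned onto (Virtual-Access2 is assumed here)
show vpdn session

! 2. NAT's own view of the interfaces: the session's Virtual-Access
!    interface must be listed under "Inside interfaces", next to Vlan12,
!    and BVI1/BVI2 under "Outside interfaces"
show ip nat statistics

! 3. Configuration that was actually cloned onto the session interface;
!    "ip nat inside" has to be present here, not only on the template
show interfaces Virtual-Access2 configuration

! 4. Have the VPN client (assumed address 10.10.31.5) open a connection
!    to the Internet and watch whether a translation appears
show ip nat translations | include 10.10.31.5
debug ip nat detailed
undebug all

! 5. If the cloned interface lacks the flag, drop the sessions so they
!    are re-cloned from the current Virtual-Template1
clear vpdn tunnel l2tp all
```

If step 2 and step 3 already show the Virtual-Access interface as a NAT inside interface and step 4 still shows no translation, the inside side is not the problem and the NAT route-maps, which match on the output interface (`match interface BVI1` / `BVI2`), are the next thing to look at with the debug output from step 4.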
!