NAT issue on VPN on a Cisco ISR 4321

Hello Forum
I have one issue here. I have configured IPsec with a partner, but the tunnel does not come up. I have to NAT the inside private IP to the public IP, and on the access list I have to list the inside host (NATed public IP) and the external host's public IP with ports under the TCP service, but the tunnel does not come up.
Also, on the same IP, once I NAT the private IP to the public IP, some of the services for which the access lists have been created using that private IP go down.

ip nat inside source static 10.0.0.93 197.256.40.136

ip access-list extended 128
 remark IPSec SERVICE
 permit tcp host 6.X.Y.230 host 197.Z.A.136 eq 80

Hello Elias

There could be a few reasons why your IPSec tunnel isn’t coming up. Here are a few things you can check:

  • Phase 1 and Phase 2 settings: Ensure that the settings for both Phase 1 and Phase 2 match on both ends of the tunnel. This includes encryption, hash, authentication method, Diffie-Hellman group, and lifetime.
  • NAT-T: If one end of your tunnel is behind NAT, you’ll need to enable NAT-Traversal (NAT-T) on both ends of the tunnel.
  • Access Lists: The access lists on both ends of the tunnel need to mirror each other. This means that if you have an access list on one end that permits traffic from A to B, the other end needs an access list that permits traffic from B to A.
  • Routing: Ensure that your routing is set up correctly so that traffic destined for the remote network is being sent to the correct next hop.

As for your NAT issue, it sounds like your NAT rule might be conflicting with an existing service. When you create a static NAT rule, it will take precedence over any dynamic NAT rules. If you have a service that’s using the private IP you’re trying to NAT, it will be affected by the static NAT rule. You might need to reconfigure your NAT rules or the service that’s being affected. It’s hard to say without more information about your network setup.

Some notes that may help you to deal with NAT and IPSec:

I hope this has been helpful!

Laz

PS: I “sanitized” the configuration you shared just so that the public IP addresses are not made known to others, for security purposes… 🙂

Thank you very much for your input.

The problem is that I have other tunnels which use the private IP for encryption, and a new request requires me to use the public IP for IPsec. But my servers are running with private IPs, so the same server IP will need to be on various VPN tunnels, one of which needs the public IP. So once I configure static NAT, the other services go down.
I think now I need to configure NAT from the private IP to the public IP in a way that does not affect the other services using the same private IP.

Hello Elias

The topology you’re describing is not completely clear to me, but it sounds like you’re on the right track. In order to resolve the issue, you may want to take a look at policy NAT using route maps as a solution. I can’t help you specifically without knowing more details of your topology and addressing scheme, but I suggest that you take a look at this lesson for more information:

With policy NAT you can allow the specific traffic defined in your access list to be NAT’d, while not affecting the other services using the same Private IP.

Let us know how you get along, and if we can be of further help.

I hope this has been helpful!

Laz

Thanks Laz

However, to be clear, I have this problem of failing to implement a site-to-site VPN tunnel due to a NAT issue from the private to the public IP address.
I need to establish a secure VPN tunnel with the traffic from inside to outside encrypted, but the problem is that once I put in the NAT statement, the other services using that private IP go down.
So I need to establish the VPN tunnel without affecting the other services.
I tried policy-based NAT but it seems not to be working.

Hello Elias

I’m sorry that we couldn’t provide a successful solution for your requirements. Using NAT with VPNs can often be troublesome and sometimes requires extensive troubleshooting. In any case, let us know how you get along and how you have come to a solution for your particular setup.

Laz

Thanks Laz
The issue is that I need to establish the VPN tunnels with the IP which I have NATed. Also, on the ACL I need to explicitly define the intended traffic with specific ports, but the issue is that the tunnel is not coming up in phase 2; only phase 1 comes up.
I will use fake IPs just to explain my concern below.

============================================================

crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map SDM_CMAP_1 5 ipsec-isakmp
 description tunnel TEST
 set peer 10.2.65.13
 set transform-set ESP-AES-SHA
 match address 12


ip nat inside source static 20.1.1.10 192.168.1.13

ip access-list extended 12
 remark IPSec TEST
 permit tcp host 192.168.10.14 host 192.168.1.13 eq 9003
 permit tcp host 192.168.10.15 host 192.168.1.13 eq 19003

===========================================================

Hello Elias

Unfortunately I don’t have an immediate solution for you, but I can give you some guidelines to proceed with some troubleshooting. Based on the configuration you provided:

  • Verify that your transform-set name matches in your crypto map and transform-set configuration. In your example, you’ve defined the transform-set as “TEST”, but in the crypto map, you’ve set it as “ESP-AES-SHA”. These should match.

  • Ensure that your ACL is correctly defining the traffic you want to encrypt. In your example, you’re permitting traffic from hosts 192.168.10.14 and 192.168.10.15 to host 192.168.1.13 on specific ports. If this is the traffic you want to encrypt, then it’s correct. However, if you’re trying to encrypt traffic from 20.1.1.10 (the NATed IP), you’ll need to adjust your ACL accordingly.

  • Verify that your phase 2 parameters match on both ends of the tunnel. This includes the transform-set and the ACL. Mismatches here could prevent the tunnel from coming up in phase 2.

  • Check your NAT configuration. In your example, you’re NATing 20.1.1.10 to 192.168.1.13. If 192.168.1.13 is the IP you’re using in your crypto map and ACL, the NAT could be causing issues. Generally, you’ll want to exclude your VPN traffic from being NATed.

  • Lastly, check the logs on both ends of the tunnel for any error messages that could provide more insight into why phase 2 isn’t coming up. This can often provide useful information for troubleshooting.

Now if you’re still having problems, then it may be worth examining a different approach that eliminates NAT completely from the equation. In any case, keep us updated on your progress…

I hope this has been helpful!

Laz
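Putting Laz's policy-NAT suggestion (static NAT conditioned on a route map) together with the troubleshooting points in his last post, here is an added configuration example that is not part of Elias's or Laz's posts and is not a lesson snippet. It reuses the fake addressing from Elias's second snippet (server 20.1.1.10 inside, presented to the partner as 192.168.1.13; IPsec peer 10.2.65.13; partner hosts 192.168.10.14 and 192.168.10.15; ports 9003 and 19003). It assumes the partner hosts initiate the connections to the server on those ports; the names VPN-PARTNER-NAT, VPN-PARTNER, CRYPTO-TEST and the interface names are assumptions.

```cisco
! Added example, not from the thread. Interface, ACL, route-map and
! transform-set names are assumptions; addresses are Elias's fake ones.

! 1. Conditional (policy) static NAT: translate 20.1.1.10 -> 192.168.1.13
!    ONLY when the traffic is headed for the partner hosts. Any other
!    flow from the server keeps 20.1.1.10, so the existing tunnels and
!    services that match on the private address are left untouched.
ip access-list extended VPN-PARTNER-NAT
 permit ip host 20.1.1.10 host 192.168.10.14
 permit ip host 20.1.1.10 host 192.168.10.15
!
route-map VPN-PARTNER permit 10
 match ip address VPN-PARTNER-NAT
!
ip nat inside source static 20.1.1.10 192.168.1.13 route-map VPN-PARTNER
!
interface GigabitEthernet0/0/0
 description inside LAN (assumed interface name)
 ip nat inside
!
interface GigabitEthernet0/0/1
 description WAN toward peer 10.2.65.13 (assumed interface name)
 ip nat outside
 crypto map SDM_CMAP_1
!
! 2. Crypto ACL. For inside->outside packets IOS applies NAT BEFORE the
!    crypto map check, so the ACL has to match the POST-NAT address
!    192.168.1.13, written from this router's point of view (local
!    source, remote destination). Because the partner hosts connect TO
!    the server port (assumption), the port operator sits on the source.
!    The partner side must configure the exact mirror image:
!      permit tcp host 192.168.10.14 host 192.168.1.13 eq 9003
!      permit tcp host 192.168.10.15 host 192.168.1.13 eq 19003
ip access-list extended CRYPTO-TEST
 remark IPsec TEST - translated local host to partner hosts
 permit tcp host 192.168.1.13 eq 9003 host 192.168.10.14
 permit tcp host 192.168.1.13 eq 19003 host 192.168.10.15
!
! 3. Transform set referenced under the SAME name it was defined with.
!    The posted config defined TEST but referenced ESP-AES-SHA, which
!    leaves phase 2 with no usable proposal even though phase 1 is up.
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map SDM_CMAP_1 5 ipsec-isakmp
 description tunnel TEST
 set peer 10.2.65.13
 set transform-set TEST
 match address CRYPTO-TEST
```

To confirm the two pieces interlock, send traffic from the server toward one partner host and check `show ip nat translations` (a 20.1.1.10 -> 192.168.1.13 entry should appear only for the partner destinations), then `show crypto ipsec sa` for the 192.168.1.13 <-> 192.168.10.x proxy identities with non-zero encaps/decaps counters; `show crypto isakmp sa` and `debug crypto ipsec` show any remaining proxy-ID or proposal mismatch. One caveat to verify on your IOS release: if the partner hosts must be able to open connections before the server has sent anything, check that the route-map-conditioned static entry also translates outside-to-inside packets; if it does not, an unconditional static NAT plus a matching refinement of the other tunnels' crypto ACLs (or Laz's NAT-free approach) is the fallback.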