Common Problems and Resolutions

Most of the issues discussed in this section cause problems during or after tunnel buildup. For instance, the tunnel might have been built up properly, but users might be unable to send data for one of the following reasons:

NAT With IPsec Issues

NAT can interact or interfere with IPsec in the following ways:

NAT in the Tunnel End Points

There can be either a dynamic or static NAT entry configured on tunnel end points (routers). For IPsec to function correctly, be sure to configure NAT on the router to bypass the IPsec packets. Example 6-36 shows a sample output of bypassing dynamic NAT entries on the Dhaka router shown in Figure 6-6.

Example 6-36. Sample Output of Bypassing Dynamic NAT Entries on Dhaka Router as Shown in Figure 6-6

! The following line performs PAT for the Internet-bound traffic from the inside network
! 10.1.1.0/24
Dhaka(config)# ip nat inside source route-map nonat interface Ethernet1/0 overload
! The deny statement on the ACL excludes the traffic from NAT/PAT. This is the
! traffic that will go through the IPsec tunnel.
Dhaka(config)# access-list 150 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
! The rest of the traffic will be translated
Dhaka(config)# access-list 150 permit ip 10.1.1.0 0.0.0.255 any
! The ACL must be referenced under the route map
Dhaka(config)# route-map nonat permit 10
Dhaka(config-route-map)# match ip address 150
Dhaka(config-route-map)#

Bypassing static NAT entries is a bit tricky. Static NAT entries can be bypassed using a loopback interface and policy routing for Cisco IOS images in versions earlier than 12.2.4T; starting from 12.2.4T, a route-map can be used with static NAT to bypass NAT.

Example 6-37 shows the configuration required to bypass static NAT on the Dhaka router.

Example 6-37. Configuration Steps Required for Bypassing Static NAT Entries for Dhaka Router Shown in Figure 6-5

Dhaka# show running-config
crypto map to_Doha 10 IPsec-isakmp
set peer 30.1.1.1
set transform-set myset
! This is the ACL that defines the traffic that needs to go through the IPsec tunnel.
! When configuring NAT, you need to bypass this traffic
match address 101
! Create a loopback interface so that the policy route can point the static NAT traffic here
interface Loopback0
ip address 1.1.1.1 255.255.255.252
interface Ethernet1/0
ip address 20.1.1.1 255.255.255.0
! This is the outgoing interface (facing towards the internet)
ip nat outside
! Crypto map is applied here
crypto map to_Doha
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
! This is the inside interface for the NAT
ip nat inside
ip route-cache policy
! This policy route is triggered before NAT and crypto, which takes care of
! bypassing NAT for the IPsec traffic.
ip policy route-map nonat
! ACL 1 defines what traffic needs to be NATed.
ip nat inside source list 1 interface Ethernet0/3 overload
! This is the static NAT
ip nat inside source static 10.1.1.12 20.1.1.20
! Access-list 1 is used in the NAT statement to define the traffic that needs to
! be translated
access-list 1 permit 10.0.0.0 0.255.255.255
! This ACL defines the IPsec interesting traffic
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
! This ACL is used in the route map to define the traffic that needs to bypass NAT
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
! This route map is applied on the Ethernet 0/0 interface
route-map nonat permit 10
match ip address 120
set ip next-hop 1.1.1.2
Dhaka#

Example 6-38 shows how to bypass static NAT using a route map on the Dhaka router shown in Figure 6-6.

Example 6-38. Bypassing Static NAT Using a Route Map on Dhaka Router Shown in Figure 6-6

Dhaka# show running-config
crypto map to_Doha 10 IPsec-isakmp
set peer 30.1.1.1
set transform-set myset
match address 101
interface Ethernet1/0
ip address 20.1.1.1 255.255.255.0
ip nat outside
crypto map to_Doha
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside

ip nat inside source list 1 interface Ethernet0/3 overload
ip nat inside source static 10.1.1.1 20.1.1.20 route-map nonat
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any

route-map nonat permit 10
match ip address 120
Dhaka#
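Examples 6-36 and 6-38 both depend on a deny entry that keeps the tunnel traffic out of the NAT ACL. The added model below (not from the book) reproduces the IOS inside-to-outside order of operations, in which NAT/PAT rewrites the source address before the crypto map is checked, so a forgotten deny entry leaves the packet no longer matching crypto ACL 101. Wildcard-mask ACL matching and the single-entry route map are implemented here; the addresses are those of the Dhaka examples, and the Internet destination is a constructed sample.

```python
# Added example: models why IPsec interesting traffic must be excluded from NAT on Dhaka.
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """Evaluate an ordered list of (action, src, src_wc, dst, dst_wc); implicit deny at end."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
# Crypto ACL 101 from the examples: 10.1.1.0/24 -> 10.1.2.0/24 is tunnel traffic.
CRYPTO_ACL_101 = [("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]
# ACL 150 as configured in Example 6-36: deny the tunnel traffic first, then PAT the rest.
NAT_ACL_GOOD = [("deny", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),
                ("permit", "10.1.1.0", "0.0.0.255", *ANY)]
# Misconfiguration under test: the deny entry was omitted.
NAT_ACL_BAD = NAT_ACL_GOOD[1:]
PAT_ADDRESS = "20.1.1.1"  # Ethernet1/0, the "ip nat outside" interface

def forward_inside_to_outside(src, dst, nat_acl):
    """IOS inside->outside order: NAT/PAT is applied before the crypto map match.
    Returns the source address the crypto map sees and 'encrypted' or 'clear'."""
    if acl_permits(nat_acl, src, dst):
        src = PAT_ADDRESS  # PAT rewrites the source before crypto sees the packet
    disposition = "encrypted" if acl_permits(CRYPTO_ACL_101, src, dst) else "clear"
    return src, disposition

if __name__ == "__main__":
    for label, acl in (("with deny", NAT_ACL_GOOD), ("deny missing", NAT_ACL_BAD)):
        print(label, forward_inside_to_outside("10.1.1.5", "10.1.2.7", acl))
```

With the deny entry present the packet reaches the crypto map with its original source and is encrypted; without it the source is rewritten to 20.1.1.1, the crypto match fails and the packet leaves in the clear, which is the symptom the section describes.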

Note

The route-map method of bypassing static NAT shown in Example 6-38 is a better method than the loopback and policy-routing method shown in Example 6-37.

If NAT is suspected of breaking the tunnel traffic, use the following show and debug commands to troubleshoot NAT on the router:

show ip nat translation
debug ip nat
debug ip policy