Hey guys, another issue I'm having and couldn't get much help on from the cisco community forum:
I'm having a weird issue with the below topology. I have a Nexus 9k with an additional (besides the default) vrf created to isolate some LANs (represented by loopbacks for my testing). I'm not trying to route directly from one vrf to the other, but rather through another device and a firewall. The issue I'm running into is that traffic seems to die when it tries to go from one Loopback to the other.
Picture of topology: https://imgur.com/a/Ur9UU3B
As configured in the topology Lo72 can ping both interfaces on the router and the outside firewall interface, but not the loopback201 in vrf RED or the physical interface in vrf RED. However, if I shut down lo72 on the nexus and move it down to the router, everything works just fine. Which leads me to believe that the firewall is not the issue.
N9K vrf default
***************
ip route 10.0.10.0/24 10.1.1.1
ip route 10.0.20.0/24 10.1.1.1
!
interface Ethernet1/9
description Connection to BORDER
ip address 10.1.1.2/30
no shut
!
interface loopback72
ip address 192.168.21.1/24
***************************************************************************
ROUTER
************
hostname BORDER
!
boot-start-marker
boot-end-marker
!
crypto ikev2 proposal PROP
encryption aes-gcm-128
prf sha256
group 5
!
crypto ikev2 policy IKEV2_POLICY
proposal PROP
!
crypto ikev2 keyring KEYRING
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local TEST
pre-shared-key remote TEST
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote address 10.0.0.2 255.255.255.255
identity local address 10.0.0.1
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
!
crypto ipsec transform-set TSET esp-aes 192 esp-sha256-hmac
mode tunnel
!
crypto map CM 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set TSET
set ikev2-profile IKEV2_PROFILE
match address AC_GRAY
!
interface GigabitEthernet0/1
no switchport
ip address 10.1.1.1 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/8
no switchport
ip address 10.0.0.1 255.255.255.252
duplex auto
speed auto
crypto map CM
!
ip forward-protocol nd
!
ip route 192.168.20.0 255.255.255.0 10.1.1.2
ip route 192.168.21.0 255.255.255.0 10.1.1.2
ip route 10.0.10.0 255.255.255.0 10.0.0.2
ip route 10.0.20.0 255.255.255.0 10.0.0.2
!
ip access-list extended AC_GRAY
permit ip 192.168.20.0 0.0.0.255 10.0.10.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 10.0.10.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 10.0.20.0 0.0.0.255
!
*******************************************************************************
FIREWALL
***********
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 10.2.2.1 255.255.255.0
!
interface GigabitEthernet1/8
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.252
!
interface Management1/1
management-only
nameif MGT
security-level 0
ip address 1.0.0.1 255.255.255.252
!
access-list RED extended permit ip 10.0.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list RED extended permit ip 10.0.20.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list RED extended permit ip 10.0.10.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list RED extended permit ip 10.0.20.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list TESTICMPIN extended permit icmp host 10.0.10.1 host 192.168.21.1
access-list TESTICMPOUT extended permit icmp host 192.168.21.1 host 10.0.10.1
access-group TESTICMPIN in interface inside
access-group TESTICMPOUT in interface outside
mtu inside 1500
mtu outside 1500
mtu MGT 1500
icmp unreachable rate-limit 1 burst-size 1
route outside 192.168.20.0 255.255.255.0 10.0.0.1 1
route outside 192.168.21.0 255.255.255.0 10.0.0.1 1
route inside 10.0.10.0 255.255.255.0 10.2.2.2 1
route inside 10.0.20.0 255.255.255.0 10.2.2.2 1
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication login-history
http server enable
http 10.100.26.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal TSET
protocol esp encryption aes-192
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map CM 10 match address RED
crypto map CM 10 set peer 10.0.0.1
crypto map CM 10 set ikev2 ipsec-proposal TSET
crypto map CM interface outside
crypto ca trustpool policy
crypto ikev2 policy 10
encryption aes-gcm
integrity null
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
*****************************************************************************
N9K vrf RED
*************
interface Ethernet1/11
description Connection to FW Inside
vrf member RED
ip address 10.2.2.2/30
no shutdown
interface loopback201
vrf member RED
ip address 10.0.10.1/24
vrf context RED
ip route 192.168.20.0/24 10.2.2.1
ip route 192.168.21.0/24 10.2.2.1
address-family ipv4 unicast
No comments:
Post a Comment