
VPN and static NAT problem


Symptoms

The need was to reach a host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921).

The LAN gateway performs NAT, and there was a dedicated NAT rule for the host I wanted to reach through the VPN.

I couldn't connect to the host.

Same result trying to connect to ports involved in port forwarding.

Everything not covered by static NAT or port forwarding was reachable instead.

Diagnosis

I noticed that the router performed NAT on the return traffic when I tried to reach hosts involved in static NAT through the VPN.

This was because I had specified a no-NAT rule, but it applied only to the global NAT rule, while static NAT and port forwarding had their own entries fixed in the NAT table.


Solution

This is the configuration I used to fix this situation:


STATIC NAT IP <-> IP
!
ip access-list extended NAT
 deny   ip [local-network] [local-wildcard] [vpn-network] [vpn-wildcard]
 permit ip [local-network] [local-wildcard] any
!
route-map NAT permit 10
 match ip address NAT
!
ip nat inside source static [local-ip] [global-ip] route-map NAT


PORT-FORWARDING IP:PORT <-> IP:PORT
!
ip access-list extended nonat-vpn
 deny tcp host [host-ip] eq [port] [vpn-network] [vpn-wildcard]
 permit tcp host [host-ip] eq [port] any
!
route-map nonat-vpn permit 10
 match ip address nonat-vpn
!
ip nat inside source static tcp [local-ip] [local-port] [global-ip] [global-port] route-map nonat-vpn extendable
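Why the route-map matters, modelled as an added Python example that is not from the original post: it evaluates the two ACLs above with IOS wildcard-mask semantics and shows that a static entry with no route-map translates VPN-bound traffic too (the symptom), while the same entry with the route-map leaves it untranslated. All addresses and the port are constructed lab values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed lab values, not from any real network: LAN 192.168.1.0/24,
# VPN remote 10.0.0.0/8, host 192.168.1.10 statically NATed to 203.0.113.10:443
LOCAL = ("192.168.1.0", "0.0.0.255")
VPN = ("10.0.0.0", "0.255.255.255")
ANY = ("0.0.0.0", "255.255.255.255")
HOST_IP, GLOBAL_IP, HOST_PORT = "192.168.1.10", "203.0.113.10", 443

def wildcard_match(addr, net, wildcard):
    """IOS wildcard-mask compare: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: tuple                   # (network, wildcard)
    dst: tuple
    proto: str = "ip"            # "ip" matches any protocol
    sport: Optional[int] = None  # source port for "eq <port>" entries

def acl_permits(acl, pkt):
    """First matching entry wins; the list ends with an implicit deny, as on IOS."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if ace.sport is not None and ace.sport != pkt.get("sport"):
            continue
        if wildcard_match(pkt["src"], *ace.src) and wildcard_match(pkt["dst"], *ace.dst):
            return ace.action == "permit"
    return False

def static_nat_source(pkt, route_map_acl=None):
    """Source address after inside->outside static NAT of HOST_IP: with no route-map the
    entry always translates (the symptom); with one, only when its ACL permits the packet."""
    if pkt["src"] != HOST_IP:
        return pkt["src"]
    if route_map_acl is not None and not acl_permits(route_map_acl, pkt):
        return pkt["src"]        # no-nat: VPN-bound traffic keeps its LAN address
    return GLOBAL_IP

# The post's "ip access-list extended NAT" (IP <-> IP static entry)
NAT_ACL = [Ace("deny", LOCAL, VPN), Ace("permit", LOCAL, ANY)]
# The post's "ip access-list extended nonat-vpn" (port-forwarding entry)
NONAT_VPN_ACL = [Ace("deny", (HOST_IP, "0.0.0.0"), VPN, "tcp", HOST_PORT),
                 Ace("permit", (HOST_IP, "0.0.0.0"), ANY, "tcp", HOST_PORT)]
TO_VPN = {"src": HOST_IP, "dst": "10.20.30.40", "proto": "tcp", "sport": HOST_PORT}
TO_INTERNET = {"src": HOST_IP, "dst": "198.51.100.7", "proto": "tcp", "sport": HOST_PORT}
```

`static_nat_source(TO_VPN)` returns the global address (the broken case), while `static_nat_source(TO_VPN, NAT_ACL)` and `static_nat_source(TO_VPN, NONAT_VPN_ACL)` return the LAN address; Internet-bound traffic is translated in every case.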

Comments
Beginner

Excellent explanation of the problem with a solution that works. What if the "Port-forwarding" NAT statement is done with the interface name instead of a static global IP (Internet access is DHCP)? In that case we cannot add a route-map at the end of the NAT statement. Any ideas how to solve this?


Thanks,

SimonT

Hi Simon,

IOS doesn't allow you to configure a route-map if you don't specify an IP address in a NAT rule...

I tried this configuration in a lab environment; maybe it can help you:


### INSIDE INTERFACE ###
interface FastEthernet0/0
 ! the secondary IP emulates the static NAT host
 ip address 10.1.1.1 255.255.255.0 secondary
 ip address 10.1.1.254 255.255.255.0
 ip nat inside

### OUTSIDE INTERFACE - static host nat performed on this interface ###
interface FastEthernet0/1
 ip address 20.1.1.1 255.255.255.252
 ip nat outside


### Loopback0 interface - global NAT performed on this interface ###

interface Loopback0
 ip address 30.3.3.3 255.255.255.255


### GLOBAL NAT ACL ###
ip access-list extended nat
 deny   ip host 10.1.1.1 any
 permit ip 10.1.1.0 0.0.0.255 any


### Global NAT ###
ip nat inside source list nat interface Loopback0 overload

R1#ping 10.0.0.1 source 10.1.1.254
[...]
R1#sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
icmp 30.3.3.3:15       10.1.1.254:15      10.0.0.1:15        10.0.0.1:15

### ACL to NAT SINGLE HOST ###
ip access-list extended NAT-HOST
 ! 10.0.0.0/8 -> VPN remote net
 deny   ip host 10.1.1.1 10.0.0.0 0.255.255.255
 permit ip host 10.1.1.1 any

### Single host NAT ###
ip nat inside source list NAT-HOST interface FastEthernet0/1 overload


R1#ping 10.0.0.1 source 10.1.1.1
[...]
R1#sh ip nat tr
R1#
R1#ping 200.0.0.1 source 10.1.1.1
[...]
R1#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
icmp 20.1.1.1:17       10.1.1.1:17        200.0.0.1:17       200.0.0.1:17

I hope this configuration can be helpful.


Jacopo
