Help NATing LAN host to Loopback interface.

Lewis Goulden (Level 1)

For security reasons the VPN only allows the source IP of a loopback with a public IP.

In order to use this address from the LAN I'm assuming the best approach is to NAT the LAN host to the loopback IP.

I need help doing this.

Host IP: 192.168.1.10 (in vlan1)

loopback0: 1.1.1.1 (all traffic needs to be NATed to this from the host to transit the VPN)

Any help would be greatly appreciated.

8 Replies

Hello.

What kind of VPN do you want?

Do you use the loopback to originate/receive any other traffic?

----

PS:

The easiest could be like:

int LAN_internal_interface
 ip nat inside
int WAN_external_interface
 ip nat outside
ip access-l sta LAN_NAT
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN_NAT int lo0 overload

or

ip nat pool LO0 1.1.1.1 1.1.1.1 prefix-length 30
ip nat inside source list LAN_NAT pool LO0 overload

To do a simple test I connected two routers via GNS3:

R2 fa0/0 ------ fa0/0 R3

R2 has loopback0 1.1.1.1
R2 has LAN (fa0/0) 192.168.1.1/24
R2 has loopback1 192.168.2.1
R3 is acting as a LAN host 192.168.1.10

When I telnet from R3 to the loopback1 address 192.168.2.1 I should be NATed to 1.1.1.1, and if I do a show users I should see the 1.1.1.1 IP, but I do not.

Example:

R2#telnet 192.168.2.1
Trying 192.168.2.1 ... Open

User Access Verification

Password:
R2>en
Password:
R2#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:03:14
  66 vty 0                192.168.2.1          00:00:00 192.168.1.10
* 67 vty 1                idle                 00:00:00 192.168.2.1

  Interface    User               Mode         Idle     Peer Address

R2#

Here are the configurations.

R2:

Current configuration : 1569 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$mxfk$S00eOFiT06vvqUnP/8NKo0
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 2000000
!
interface Serial0/0.100 point-to-point
 ip address 23.23.23.1 255.255.255.252
 frame-relay interface-dlci 100
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat pool Lo0 1.1.1.1 1.1.1.1 prefix-length 30
ip nat inside source list LAN-NAT pool Lo0 overload
!
ip access-list standard LAN-NAT
 permit 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password nortel
 login
!
end

R3:

Current configuration : 1181 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
 ip address 192.168.1.10 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 clock rate 72000
!
interface Serial0/0.200 point-to-point
 ip address 23.23.23.2 255.255.255.252
 frame-relay interface-dlci 200
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

Please use 3 routers in GNS: R1-R2-R3. Don't use ip unnumbered.

R2 is doing NAT.

Telnet from R1 to R3.

Provide your config from R2.

PS: "ip nat outside" is needed under the WAN interface, not the loopback!

Lewis,

I don't believe you're going to need "ip nat outside" on your loopback interface in order to get this to work the way that you want. You will, however, need "ip nat outside" on the serial side interface since your traffic is really going out of that interface. Also, when you telnet, source the interface that you're using for nat inside like:

telnet 192.168.2.1 /source-interface f0/0

If you don't source it, it's going to use the wan interface in your situation.

HTH,
John

*** Please rate all useful posts ***


Sorry, just to explain my problem better.

The IP of the loopback has to be the source IP of the traffic when transiting this VPN.

The GNS lab config is purely to try to NAT LAN traffic to the IP of a loopback.

Sorry, Lewis, but the word VPN is a little confusing.

Could you please explain what you want to achieve?

What traffic will the host be sending: will it be common TCP sessions, or some sort of VPN (SSL VPN, IPsec or any other encapsulation)?

IPSec VPN

Diagram attached

Hello, Lewis.

Now it's much clearer.

I guess you need a single command on your router:

ip nat inside source static udp 192.168.1.10 3305 1.1.1.1 3305

(or replace it with tcp if needed)

It won't help if the client originates the session from any other port (than 3305).
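The two points the replies make, that `ip nat outside` belongs on the egress interface rather than the loopback and that a static `udp ... 3305` entry only translates that one source port, as an added example that is not part of the original thread and was not run by any of the posters. It is a small Python checker that parses a constructed IOS NAT fragment (only the handful of lines used in this thread: interface blocks, a standard access-list, `ip nat pool`, and dynamic/static `ip nat inside source`) and then asks which inside address and port a rule set would translate. It assumes Serial0/0.100 is the interface the IPsec traffic leaves through, assumes contiguous ACL wildcards, and keeps the inside source port unchanged, which is a simplification of IOS port allocation under overload.

```python
"""Added example, not code from the thread: a checker for the IOS NAT
configuration discussed above. Parses only the IOS lines used in the thread
and answers two questions: is `ip nat outside` on the real egress interface
rather than on a loopback, and which inside addresses/ports would a rule set
translate? All configs are constructed; Serial0/0.100 is assumed to be the
IPsec egress interface."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class NatConfig:
    inside: list = field(default_factory=list)   # interfaces with `ip nat inside`
    outside: list = field(default_factory=list)  # interfaces with `ip nat outside`
    addrs: dict = field(default_factory=dict)    # interface -> primary IPv4 address
    pools: dict = field(default_factory=dict)    # pool name -> global addresses
    acls: dict = field(default_factory=dict)     # standard ACL name -> networks
    dynamic: list = field(default_factory=list)  # (acl, pool or interface, overload)
    static: list = field(default_factory=list)   # (proto, local ip, local port, global ip, global port)


def parse_ios_nat(text):
    """Parse the subset of IOS syntax used in the thread (nothing more)."""
    cfg, iface, acl = NatConfig(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":               # `!` ends a config section
            iface = acl = None
            continue
        if line.startswith("interface "):
            iface, acl = line.split()[1], None
        elif line.startswith("ip access-list standard "):
            acl, iface = line.split()[3], None
            cfg.acls.setdefault(acl, [])
        elif iface and line.startswith("ip address "):
            cfg.addrs[iface] = line.split()[2]
        elif iface and line == "ip nat inside":
            cfg.inside.append(iface)
        elif iface and line == "ip nat outside":
            cfg.outside.append(iface)
        elif acl and line.startswith("permit "):
            _, addr, *rest = line.split()          # permit A.B.C.D [wildcard]
            wild = int(ipaddress.IPv4Address(rest[0] if rest else "0.0.0.0"))
            prefix = 32 - bin(wild).count("1")     # assumes a contiguous wildcard
            cfg.acls[acl].append(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
        elif line.startswith("ip nat pool "):      # ip nat pool NAME START END ...
            _, _, _, name, start, end, *_ = line.split()
            lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
            cfg.pools[name] = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        elif m := re.match(r"ip nat inside source list (\S+) (?:pool|int\S*) (\S+)( overload)?$", line):
            cfg.dynamic.append((m.group(1), m.group(2), bool(m.group(3))))
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$", line):
            proto, lip, lport, gip, gport = m.groups()
            cfg.static.append((proto, lip, int(lport), gip, int(gport)))
    return cfg


def check_placement(cfg):
    """Findings about where `ip nat inside`/`ip nat outside` sit; empty list = OK."""
    findings = []
    for name in cfg.outside:
        if name.lower().startswith("lo"):
            findings.append(f"`ip nat outside` is on {name}: a loopback is never the egress "
                            "interface, so LAN traffic never crosses an inside->outside boundary")
    if not any(not n.lower().startswith("lo") for n in cfg.outside):
        findings.append("no WAN interface carries `ip nat outside`; put it on the VPN egress interface")
    if not cfg.inside:
        findings.append("no interface carries `ip nat inside`")
    return findings


def translate(cfg, proto, src_ip, src_port):
    """(global ip, global port) for a new flow, or None if no rule matches.
    Static entries are checked before dynamic ones; the inside port is kept
    as-is, a simplification of IOS port allocation under overload."""
    for p, lip, lport, gip, gport in cfg.static:
        if (p, lip, lport) == (proto, src_ip, src_port):
            return gip, gport
    ip = ipaddress.IPv4Address(src_ip)
    for acl, target, _overload in cfg.dynamic:
        if any(ip in net for net in cfg.acls.get(acl, [])):
            gip = (cfg.pools.get(target) or [cfg.addrs.get(target)])[0]
            return gip, src_port
    return None


# Constructed config fragments; addresses follow the thread's lab.
LAN = "interface FastEthernet0/0\n ip address 192.168.1.1 255.255.255.0\n ip nat inside\n!\n"
WAN = "interface Serial0/0.100 point-to-point\n ip address 23.23.23.1 255.255.255.252\n{}!\n"
LO0 = "interface Loopback0\n ip address 1.1.1.1 255.255.255.255\n{}!\n"
DYN = ("ip nat pool Lo0 1.1.1.1 1.1.1.1 prefix-length 30\n"
       "ip nat inside source list LAN-NAT pool Lo0 overload\n!\n"
       "ip access-list standard LAN-NAT\n permit 192.168.1.0 0.0.0.255\n")
STATIC = "ip nat inside source static udp 192.168.1.10 3305 1.1.1.1 3305\n"

R2_AS_POSTED = LO0.format(" ip nat outside\n") + LAN + WAN.format("") + DYN   # loopback marked outside
R2_FIXED = LO0.format("") + LAN + WAN.format(" ip nat outside\n") + DYN       # outside on the egress link
STATIC_ONLY = LAN + WAN.format(" ip nat outside\n") + STATIC                   # the last reply's one-liner
```

Running `check_placement(parse_ios_nat(R2_AS_POSTED))` reports the loopback problem and the missing WAN-side `ip nat outside`; the same call on `R2_FIXED` returns no findings. `translate(parse_ios_nat(R2_FIXED), "tcp", "192.168.1.10", 40000)` yields `("1.1.1.1", 40000)` because the overload rule covers the whole /24, whereas with `STATIC_ONLY` port 3305 is translated and port 40000 is not, which is exactly the caveat in the reply above.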
