Solved: How to tell ipsec lan-to-lan tunnel to be "ip nat inside"

d.lachapelle · ‎02-10-2015

I'm wondering if there are any ipsec tunnel experts who might be able to help me on a quirky setup.

I have a site which surfs through another site. So Site A traffic comes to Site B through a private connection and then goes out from there (internet and other services). There is a new service that I need to hit in Site B through a private cloud that I need to nat to get to. I have to nat traffic from Site A & Site B to a specific Site B IP address to hit this service.

There is no issue getting the Site B traffic natted and go out as I can put the “ip nat inside” on the router's vlan interface and it gets natted properly. The issue I’m having is that the Site A traffic doesn’t seem to be getting natted after it comes across the ipsec tunnel.

Here is my nat ACL, the first line is showing hits for Site B traffic but nothing for Site A

Extended IP access list NAT

10 permit ip 10.3.0.0 0.0.3.255 host x.46.226.1 (117 matches)

30 permit ip 10.200.124.0 0.0.0.255 host x.46.226.1

ip nat pool NAT-INSIDE 10.31.48.4 10.31.48.4 netmask 255.255.255.248
ip nat inside source list NAT pool NAT-INSIDE vrf XXXXXX overload

Here is the successful nat from the Site B subnet getting natted to the proper IP:

SiteBrouter#show ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 10.31.48.4:36354 10.3.1.3:36354 x.46.226.1:80 x.46.226.1:80

I have never had to do this type of setup before other than with GRE tunnels. With GRE tunnels I simply add the “ip nat inside” command to the tunnel, like this:

interface Tunnel1

ip unnumbered GigabitEthernet0/0/1

ip mtu 1400

ip nat inside

tunnel source Loopback2

tunnel destination xxxxxxxx

ip virtual-reassembly

I have been looking online for some sort of solution but I’m not finding it. I don’t think NAT-T is the answer as I’m trying to nat AFTER the traffic comes out of the tunnel. Basically I need to tell the ipsec tunnel to be the “ip nat inside”. I did find one command “set nat demux” that can be applied in the crypto map but it seems to have to do with L2TP.

If it matters, side A is an ASA and side B is can’t do GRE as the ASA doesn’t support it or I could fix this. Here is the diagram.

AllertGen · ‎02-11-2015

Hello, d.lachapelle.

About ACL hits at side B. Do you have a command "ip nat inside" at the site B at the interface for ASA? If you do and this is not helps you, you can try using loopback intaface as nat inside and route all traffic from ipsec tunnel to loopback by policy map.

Best Regards.

View solution in original post

AllertGen · ‎02-11-2015

Hello, d.lachapelle.

About ACL hits at side B. Do you have a command "ip nat inside" at the site B at the interface for ASA? If you do and this is not helps you, you can try using loopback intaface as nat inside and route all traffic from ipsec tunnel to loopback by policy map.

Best Regards.

d.lachapelle · ‎02-11-2015

You ended up being correct on your second suggestion of the lookback interface. It's referred to as Nat on a stick according to Cisco. TAC suggested this to me as well as the best method and I have since implemented it successfully. Here's the snippet of config if anyone is interested. Thanks for the help AllertGen.

interface loopback 10
ip address 172.16.254.1 255.255.255.252
ip nat inside

ip access-list ext 150
permit ip 10.200.124.0 0.0.0.255 host x.46.226.1

route-map service-NAT 10
match ip address 150
set ip next-hop 172.16.254.2

interface gig0/0
ip policy route-map service-NAT

d.lachapelle · ‎02-11-2015

.