
IPSEC traffic bypassing NAT

wgebers (Level 1)

Hi All, 

 

First time posting here, so my apologies if I miss any relevant information. 

 

I have a requirement to access a legacy device on a remote network over our IPSEC tunnel. 

The remote network has an IR829 on site and an IKEv2 tunnel between the remote site and our main location. 

The legacy device does not have the IR829 set as its primary gateway, so in order to access it, I need the traffic to be NAT'd behind the GE4 interface. 

 

To achieve this, I have the following configuration: 

 

interface GigabitEthernet4
 switchport access vlan 10
 switchport mode access
 no ip address

interface Vlan10
 ip address XXX.XXX.XXX.A 
 ip nat outside
 ip virtual-reassembly in
 ip virtual-reassembly out

ip nat inside source route-map MAINT interface Vlan10 overload

ip access-list extended MAINT
 permit ip any XXX.XXX.XXX.0 0.0.0.255

route-map MAINT permit 10
 match ip address MAINT
 match interface Vlan10

interface Loopback0
 ip address YYY.YYY.YYY.YYY 255.255.255.255
 ip nat inside
 ip virtual-reassembly in

 

When I ping from the loopback address to the device and inspect the packets, I can see that the NAT is being applied and the traffic appears to originate from XXX.XXX.XXX.A 

 

When I ping from the remote network to the device and inspect the packets, the NAT is not being applied, the traffic appears to originate from the remote network, and the ping response fails. 

 

Is there an additional piece of configuration required to include the IPSEC inbound traffic in the NAT rule for this interface? 

 

Many thanks, 

10 Replies

Hello,

 

Where is the IPsec tunnel terminated? Can you post the configuration of that device as well, or, better yet, a schematic diagram of your topology?

Of course this will happen: dynamic NAT is not bidirectional.
If you ping from INSIDE to OUTSIDE, the ping will succeed and there is an entry in the NAT translation table.
This dynamic entry will stay in the table for the default timeout.
If you ping from OUTSIDE to INSIDE while the entry is present, the ping succeeds; if not, the ping fails.

So what is the solution?
Configure static NAT from Inside to the VLAN; this gives you bidirectional traffic.

Thanks. 
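As an added illustration of the point made in this reply (constructed for this page, not the poster's or Cisco's code): a small Python model of a NAT translation table. The dynamic (overload) entry is created only by inside-to-outside traffic and ages out after a timeout, so an outside-initiated packet is translated only while a matching entry still exists; a static entry is installed up front and matches in both directions. All addresses and the timeout are hypothetical placeholders, not values from the thread.

```python
"""Toy model of dynamic (overload) NAT versus static NAT.

Constructed example: it mirrors the behaviour described in the reply
above (dynamic entries are created by inside-to-outside traffic and
expire; static entries are bidirectional). It is not IOS code.
"""
from dataclasses import dataclass, field

# Hypothetical placeholder addresses, not the thread's real ones.
INSIDE_HOST = "10.0.0.5"      # host behind the "ip nat inside" interface
OUTSIDE_IFACE = "192.0.2.1"   # address of the "ip nat outside" interface
STATIC_OUTSIDE = "192.0.2.2"  # spare address used for the static mapping


@dataclass
class NatTable:
    timeout: int = 60  # seconds a dynamic entry lives without refresh
    # dynamic: (inside_ip, inside_port) -> (outside_ip, outside_port, expires_at)
    dynamic: dict = field(default_factory=dict)
    # static: inside_ip -> outside_ip (no ports, works in both directions)
    static: dict = field(default_factory=dict)
    next_port: int = 1024

    def add_static(self, inside_ip, outside_ip):
        """Install a one-to-one translation that does not depend on traffic."""
        self.static[inside_ip] = outside_ip

    def inside_to_outside(self, src_ip, src_port, now):
        """Translate a packet leaving via the outside interface.

        A static mapping is used if one exists; otherwise a dynamic
        entry is created (or refreshed) with a fresh expiry time.
        """
        if src_ip in self.static:
            return self.static[src_ip], src_port
        key = (src_ip, src_port)
        entry = self.dynamic.get(key)
        if entry is None or entry[2] <= now:
            # No usable entry: allocate a new port on the outside address.
            entry = (OUTSIDE_IFACE, self.next_port, now + self.timeout)
            self.next_port += 1
        else:
            # Existing entry: refresh its timeout.
            entry = (entry[0], entry[1], now + self.timeout)
        self.dynamic[key] = entry
        return entry[0], entry[1]

    def outside_to_inside(self, dst_ip, dst_port, now):
        """Translate a packet arriving on the outside interface.

        Returns (inside_ip, inside_port), or None when nothing matches,
        which is the case where the router has no translation to apply.
        """
        for inside_ip, outside_ip in self.static.items():
            if outside_ip == dst_ip:
                return inside_ip, dst_port
        for (in_ip, in_port), (out_ip, out_port, expires) in self.dynamic.items():
            if (out_ip, out_port) == (dst_ip, dst_port) and expires > now:
                return in_ip, in_port
        return None


def dynamic_only_scenario():
    """Returns (reply_within_timeout, reply_after_timeout, unsolicited_from_outside)."""
    nat = NatTable(timeout=60)
    out_ip, out_port = nat.inside_to_outside(INSIDE_HOST, 40000, now=0)
    within = nat.outside_to_inside(out_ip, out_port, now=30) is not None
    after = nat.outside_to_inside(out_ip, out_port, now=61) is not None
    unsolicited = nat.outside_to_inside(OUTSIDE_IFACE, 5555, now=0) is not None
    return within, after, unsolicited


def static_scenario():
    """With a static entry, an outside-initiated packet is translated at once."""
    nat = NatTable()
    nat.add_static(INSIDE_HOST, STATIC_OUTSIDE)
    return nat.outside_to_inside(STATIC_OUTSIDE, 7, now=0) == (INSIDE_HOST, 7)


if __name__ == "__main__":
    print("dynamic:", dynamic_only_scenario())  # (True, False, False)
    print("static: ", static_scenario())        # True
```

The dynamic scenario returns (True, False, False): the outside-to-inside ping works only while the inside-initiated entry is still in the table, and an outside-initiated packet that matches no entry is dropped, which is the behaviour the reply describes; the static scenario returns True regardless of which side sends first.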

 

I will set up the static NAT and try. 

Hello
In short, IPsec and NAT are incompatible, as NAT will translate the source host IP, so this NATted address won't match the IPsec source. Making them work together depends on where you are performing NAT.


Is it on the same device as the IPsec hosts, or is it in path between the two IPsec hosts?

With the first scenario, both your routers will need to be able to support NAT-T (Network Translation Traversal); otherwise you will incur failures when you are running NAT/IPsec between IPsec hosts.

Alternatively, if you have NAT in path between the two IPsec hosts, then you may be able to create a GRE tunnel with IPsec to run over the NAT device.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

wgebers (Level 1)

Thanks Paul, 

I am starting to understand the problem. 

 

The traffic I am trying to NAT originates from a WAN interface that is outside NAT'd. 

I am then asking the router to NAT the same traffic behind another outside interface which is why it is not detected. 

 

So either I need to find a way to NAT outside to outside traffic (maybe via a loopback address in the middle), which would then cause the traffic to originate inside for the sake of the secondary interface. 

 

Or as you suggested, I need to have a GRE tunnel running over the IPSEC IKEv2 tunnel that then gives me an inside interface within the Cisco router. 

Can you draw the topology here?

emurray (Level 1)

Have you thought of configuring destination NAT on the IR829?

 

EDIT: My original post had source NAT by mistake.

wgebers (Level 1)

[Attachment: VPN NAT.png]

Try configuring NVI on the loopback. 

wgebers (Level 1)

Thank you for your replies. 

 

Topology attached. 

 

WAN interface is OUTSIDE NAT'd with exclusions for the Site-Site VPN traffic.
