IPSec VPN allow traffic to second outside interface at main office?

Eric Fuller
Level 1

First off hello and howdy.  First time posting but I have an issue that was lightly discussed with a Cisco engineer about 7 months ago and after the customer finally decided to implement the recommendations, I can't get traffic to route properly and NOW another engineer tells me it isn't possible.

2 sites - HQ and REMOTE.

HQ has 2 "outside" interfaces.  1 is internet, one is a private T1 to a hosted medical software.  Traffic on both of these interfaces has to be NATed from their respective IP addresses (I know, "duh" on the internet interface but the medical one is the same way - all traffic going out it must be NATed from the interface IP as well).

So... (outside IP addresses changed for obvious reasons)

HQ Office - 891F Cisco (base K9) router

OUTSIDE Int GIG8 - internet 25.25.25.25/255.255.255.252

Gateway 25.25.25.24

OUTSIDE FE0 - private 172.16.201.6/255.255.255.252

gateway 172.16.201.5

LAN - 192.168.50.0 / 255.255.255.0

default route 0.0.0.0 25.25.25.24

static route 172.16.0.0 172.16.201.5

Everything works like a charm at HQ side.  Very basic in general.  Internet traffic goes out internet, any traffic destined to 172.16.2.0 gets routed to the private outside interface.  All works.

REMOTE Office - C881-K9  881 router

OUTSIDE INT FE4 - 33.33.33.33 / 255.255.255.252

Gateway 33.33.33.32

LAN - 192.168.51.0 /255.255.255.0

ALL WORKS FINE

Here is where the issues start.

Standard IPsec tunnel from site to site.  192.168.50.0 <--> 192.168.51.0

ALL WORKS FINE - both offices talk to each other fine.

Traffic at REMOTE office needs to be routed over the VPN tunnel destined for 172.16.2.0 as well.   So the tunnel at remote also has the LAN traffic from 192.168.51.0 destined to 172.16.0.0 routed through the tunnel.  The tunnel appears to be running fine and I can PING the HQ private interface 172.16.201.6.  I cannot however ping anything after that.  Can't ping 172.16.201.5 or the specific IP addresses on the other end (172.16.2.15 for example).  Of course all pings work fine at the HQ site.

Seems to be a simple NAT issue somewhere.  Called Cisco - after two days the engineer came back and said sorry you can't do this.  The VPN tunnel is coming in the internet outside interface and trying to pass traffic from the tunnel (remote LAN IP traffic) to another outside interface (private connection) and that NAT isn't allowed to occur.  Can't NAT traffic originating from an outside interface to another outside interface.  The NAT traffic has to flow from outside to inside and vice versa.  I have now been asking for 3 days for a recommendation on how to do it and have had no response.

I don't see why it's an issue... I fully admit my Cisco awareness is limited (I work with it a lot but I am not well versed in IOS language).

I'm attaching sample config from both locations with outside IP addresses changed and just the perceived "important parts".

Basically in words this is what I need.  Ipsec tunnel between HQ and REMOTE.  Both sites need to talk.  They do now.  Traffic destined for private network at HQ needs to be reachable (and NATed with the private interface IP) from both networks as well over VPN.  Private interface needs to accept traffic from 192.168.50.0 and 192.168.51.0 networks and NAT traffic out.

According to Cisco - NAT isn't kicking in - the IOS router isn't NATing traffic from the VPN tunnel to the private interface - which is why the traffic gets lost.  Basically it's sending packets from (example) 192.168.51.45 out the private interface but isn't NATing them, so the other end is basically dropping the packets (because they won't route anything that originates from anything other than the "172.16.201.6" address).

show ip nat trans appears to support that theory because when we ping from the remote office, there are no IP NAT translations occurring for the source addresses of the remote office.  The traffic is coming over the tunnel (not NATed) as it should but it never gets NATed on the private interface either - therefore dropped.

I hope all that made sense.  This appears to be an easy layout - I mean I'm sure we are not the only ones that ever needed to route traffic from a tunnel at a remote site to another private "vendor" connection.  I could add another router in the mix of course - give it a 192.168.50.7 address and just add a static route that says "send destination traffic to this gateway" but I can't see why I need a 3rd router for this - if I need it I will but to me this should be "doable" with one.

1 Reply

Philip D'Ath
VIP Alumni

The first engineer is completely correct - this is possible.  TAC is also correct, you can not NAT from an "outside" to an "outside" interface.

What I will describe is the simple solution.

Change the VPN between the two sites to being GRE over IPSEC.  You can just use a tunnel with an ipsec profile attached.  Actually, just get it going with the GRE tunnels first with the crypto turned off, and then add in the crypto once you get the core concept working.

Your configs are missing too much detail for me to give you specific examples.

At the head end, use "ip nat inside" on the Tunnel interface, then just NAT it to the medical interface like your other "ip nat inside" interface.
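A sketch of the GRE-over-IPsec layout described in the reply, using the addresses and interface names from the post. This is an added example, not the poster's or the replier's configuration; the tunnel /30 (10.255.0.0/30), the pre-shared key and the ACL/profile names are assumed placeholders.

```text
! ===== HQ 891F (added example) =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 33.33.33.33
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS
!
! The tunnel is an "inside" interface for NAT, so traffic arriving
! from REMOTE can be translated on its way out FastEthernet0
interface Tunnel0
 description GRE over IPsec to REMOTE
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nat inside
 tunnel source GigabitEthernet8
 tunnel destination 33.33.33.33
 tunnel protection ipsec profile GRE-PROT
!
interface FastEthernet0
 description private T1 to medical vendor
 ip nat outside
!
! Translate both LANs to the T1 interface address when bound for 172.16.0.0/16;
! the existing Internet NAT rule must not also match this traffic
ip access-list extended VENDOR-NAT
 permit ip 192.168.50.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 192.168.51.0 0.0.0.255 172.16.0.0 0.0.255.255
ip nat inside source list VENDOR-NAT interface FastEthernet0 overload
ip route 192.168.51.0 255.255.255.0 Tunnel0
!
! ===== REMOTE 881 (crypto stanzas mirror HQ, key address 25.25.25.25) =====
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel destination 25.25.25.25
 tunnel protection ipsec profile GRE-PROT
!
! Send the HQ LAN and the vendor network into the tunnel;
! translation for 172.16.x now happens at HQ, not here
ip route 192.168.50.0 255.255.255.0 Tunnel0
ip route 172.16.0.0 255.255.0.0 Tunnel0
```

Because the remote LAN enters HQ through Tunnel0 rather than through GigabitEthernet8, NAT sees it as inside-to-outside and `show ip nat translations` should then show 192.168.51.x entries mapped to 172.16.201.6.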
