12-07-2009 07:17 PM - edited 03-04-2019 06:54 AM
Hi,
I am at my Central office and we have two branch offices. We have site-to-site VPN from the two branch offices to the Central office. We have some servers in the Central office LAN for outside access to our clients and also for access from our branch offices. Our clients access these servers using a public IP which is NATed to this server. Ideally, our branch office people should be able to access this server using the private IP.
For example, we have an application server with IP 192.168.50.50 whose 443 port is NATed. This server is being accessed by our clients through WAN and meanwhile, we are not able to pull out the application from our branch offices via VPN. From the branch office LAN I am able to ping this server 192.168.50.50, but the issue is while accessing the 443 port which is NATed. I can access other ports which are not NATed of the same server from my branch office. Any idea where I am wrong?
Thanks for any help
- Ribin
12-08-2009 07:48 AM
Hi Ribin,
Is the VPN server an IOS router? Based on your description this is most likely the case. The problem here is that based on the NAT order of operation the static port translation is taking place before the traffic can be encrypted. What needs to be done here is either configure the static NAT rule to be conditional (with a route-map), or add a PBR policy to avoid NAT translation when the traffic is meant for the remote network:
* Conditional NAT
Let's say that the remote network is 10.10.10.0/24; you set up a route-map in the following way:
access-list 199 permit tcp host 192.168.50.50 eq 443 10.10.10.0 0.0.0.255
route-map NONAT permit 10
match ip address 199
ip nat inside source static tcp 192.168.50.50 443 X.X.X.X 443 route-map NONAT
This change will prevent NAT from happening when the destination of the traffic is through a VPN tunnel (remote network 10.10.10.0/24). I don't recommend this option a lot, since I have seen several problems when adding a route-map to a static port translation rule; however, it is the easiest setup.
* NONAT PBR
Assuming that the remote network is 10.10.10.0/24
interface loopback0
 ip address 10.255.255.1 255.255.255.252   <<<<<< ANY ADDRESS NOT WITHIN YOUR NETWORK
!
! Select only the server's 443 replies that are headed for the remote VPN network
access-list 199 permit tcp host 192.168.50.50 eq 443 10.10.10.0 0.0.0.255
!
! One route-map: match the ACL above and send the traffic to the loopback subnet
route-map NONAT permit 10
 match ip address 199
 set ip next-hop 10.255.255.2
!
! Apply the policy on the inside (server-facing) interface
interface
 ip policy route-map NONAT
This change will send all traffic from the server meant to the remote VPN network to the loopback interface. The loopback interface is not tagged as NAT INSIDE or OUTSIDE, therefore the static NAT translation rule is ignored (only for the traffic selected by access-list 199) and the traffic gets successfully encrypted.
Regards,
Rick.
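An added model of the NAT-before-crypto ordering Rick describes (my own Python, not from the thread or from Cisco): the server's reply packet is run through the same access-list 199 with and without the NONAT PBR branch. The crypto ACL (192.168.50.0/24 to 10.10.10.0/24) and the public address 198.51.100.10 standing in for the post's X.X.X.X are assumptions.

```python
import ipaddress

# Values from the thread; 198.51.100.10 (RFC 5737 documentation range) is an
# assumed stand-in for the post's X.X.X.X public address
SERVER = "192.168.50.50"
SERVER_PORT = 443
PUBLIC_IP = "198.51.100.10"
REMOTE_VPN_NET = ("10.10.10.0", "0.0.0.255")   # access-list 199 destination + wildcard
CENTRAL_LAN = ("192.168.50.0", "0.0.0.255")    # assumed crypto ACL source network

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care'; only the 0 bits are compared."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_199_permits(src, sport, dst):
    """access-list 199 permit tcp host 192.168.50.50 eq 443 10.10.10.0 0.0.0.255"""
    return src == SERVER and sport == SERVER_PORT and wildcard_match(dst, *REMOTE_VPN_NET)

def crypto_acl_matches(src, dst):
    """Assumed site-to-site crypto ACL: central LAN <-> remote branch LAN."""
    return wildcard_match(src, *CENTRAL_LAN) and wildcard_match(dst, *REMOTE_VPN_NET)

def forward_reply(src, sport, dst, nonat_pbr):
    """Model the router handling the server's reply (inside -> outside).
    Returns (source address on the wire, source port, encrypted?)."""
    if nonat_pbr and acl_199_permits(src, sport, dst):
        # route-map NONAT matched: PBR hands the packet to the loopback0 subnet.
        # loopback0 is neither 'ip nat inside' nor 'ip nat outside', so the
        # static translation is skipped and the packet re-enters forwarding as-is.
        out_src, out_sport = src, sport
    elif src == SERVER and sport == SERVER_PORT:
        # Normal path: NAT runs before crypto for inside->outside traffic, so the
        # static port translation fires no matter where the packet is going.
        out_src, out_sport = PUBLIC_IP, 443
    else:
        out_src, out_sport = src, sport
    # The crypto map is consulted after NAT and sees the (possibly translated) source.
    return out_src, out_sport, crypto_acl_matches(out_src, dst)
```

Without the PBR branch the 443 reply to a branch host leaves as 198.51.100.10 and never matches the crypto ACL, which is exactly why the un-NATed ports worked over the tunnel while 443 did not.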
12-09-2009 03:50 AM
Thanks Rick... I used the first method and it worked absolutely fine.
- Ribin