05-02-2020 10:10 AM
Hi!
I have been labbing today about a case I saw at work the other day. The challenge was that one router (Site A) needs to have two IPsec tunnels to different sites, one of them with an overlapping subnet. I was able to get this working in my lab by doing static NAT with a route map, NATting the traffic at both ends of the tunnel to another subnet only when it matched the interesting traffic for the tunnel. So when you just want to reach a server on the web, you'll get out with PAT as usual with your public address.
The thing is, what if I want to NAT the whole subnet when going to the tunnel, instead of just static 1:1 NAT? I can't find any other way of adding the route-map I wrote, other than applying it to the end of an "ip nat inside source static" command.
Here is the LAB Topology and the configs for SiteA, B and C.
Thanks in advance.
Site A

```
Current configuration : 4430 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key CCNP address 120.0.0.1
crypto isakmp key CCNP address 130.0.0.1
!
crypto isakmp peer address 120.0.0.1
!
crypto isakmp peer address 130.0.0.1
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set SETC esp-3des esp-sha-hmac
 mode tunnel
!
crypto map MAP 1 ipsec-isakmp
 set peer 120.0.0.1
 set transform-set SET
 match address 150
crypto map MAP 2 ipsec-isakmp
 set peer 130.0.0.1
 set transform-set SETC
 match address 151
!
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 110.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 crypto map MAP
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.1.1 172.16.0.1 route-map NATTUNEL
ip route 0.0.0.0 0.0.0.0 110.0.0.254
!
route-map NATTUNEL permit 1
 match ip address 130
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 151 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
! banner incoming and banner login repeat the same IOSv evaluation text (omitted here)
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end
```
Site C

```
Current configuration : 4010 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key CCNP address 110.0.0.1
!
crypto isakmp peer address 110.0.0.1
!
crypto ipsec transform-set SETC esp-3des esp-sha-hmac
 mode tunnel
!
crypto map MAPC 1 ipsec-isakmp
 set peer 110.0.0.1
 set transform-set SETC
 match address 150
!
interface GigabitEthernet0/0
 ip address 130.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 crypto map MAPC
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.100 10.0.0.1 route-map NATTUNEL
ip route 0.0.0.0 0.0.0.0 130.0.0.254
!
route-map NATTUNEL permit 1
 match ip address 111 150
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 150 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
control-plane
!
! banner exec, banner incoming and banner login carry the same IOSv evaluation text as the Site A config (omitted here)
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end
```
Site B

```
Building configuration...

Current configuration : 3820 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key CCNP address 110.0.0.1
!
crypto isakmp peer address 110.0.0.1
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
!
crypto map MAP 1 ipsec-isakmp
 set peer 110.0.0.1
 set transform-set SET
 match address 150
!
interface GigabitEthernet0/0
 ip address 120.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 crypto map MAP
!
interface GigabitEthernet0/1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 120.0.0.254
!
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any log
access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
! banner exec, banner incoming and banner login carry the same IOSv evaluation text as the Site A config (omitted here)
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end
```
05-25-2020 10:54 AM
I found out how to NAT the whole subnet only when going to the tunnel to Site C. On the Site A router I removed this line:

```
ip nat inside source static 192.168.1.1 172.16.0.1 route-map NATTUNEL
```
And made the following config:
```
ip nat pool POOL 172.16.0.1 172.16.0.254 netmask 255.255.255.0
ip nat inside source route-map NATTUNEL pool POOL
```

I also added a switch to Site A's LAN and another Ubuntu Docker guest. Now when I ping 10.0.0.1 on Site C I can see both translations happening like I wanted:

```
icmp 172.16.0.1:74    192.168.1.1:74     10.0.0.1:74    10.0.0.1:74
icmp 172.16.0.2:52    192.168.1.100:52   10.0.0.1:52    10.0.0.1:52
```
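The reason this works, and the reason ACL 151 on Site A matches the translated 172.16.0.0/24 source rather than 192.168.1.0/24, is that on a Cisco router inside-to-outside traffic is translated before the crypto map is consulted. The following Python model of Site A's NAT and crypto-map decisions is an added example, not code from the thread; it uses the ACLs and addresses from the posted configs, and the in-order pool allocation and the `static_only` switch (which mimics the original single 1:1 entry) are simplifications I introduced.

```python
from ipaddress import ip_address, ip_network

# Site A's ACLs from the posted config: number -> (action, source, destination).
ACLS = {
    100: [("deny", "192.168.1.0/24", "10.0.0.0/24"),       # PAT list: skip tunnel traffic
          ("deny", "192.168.1.0/24", "192.168.2.0/24"),
          ("permit", "192.168.1.0/24", "0.0.0.0/0")],
    130: [("permit", "192.168.1.0/24", "10.0.0.0/24")],     # matched by route-map NATTUNEL
    150: [("permit", "192.168.1.0/24", "192.168.2.0/24")],  # crypto map MAP 1 (Site B)
    151: [("permit", "172.16.0.0/24", "10.0.0.0/24")],      # crypto map MAP 2 (Site C)
}

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of the list."""
    for action, s, d in ACLS[acl]:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return action == "permit"
    return False

def translate(src, dst, pool_used, static_only):
    """Pick the inside-global address the way Site A's NAT statements would."""
    if acl_permits(130, src, dst):                       # route-map NATTUNEL matches
        if not static_only:
            # Dynamic pool POOL: one address per inside host, handed out in order
            # of first use (assumption that simplifies IOS pool allocation).
            pool_used.setdefault(src, f"172.16.0.{len(pool_used) + 1}")
            return pool_used[src]
        if src == "192.168.1.1":                         # the original 1:1 entry
            return "172.16.0.1"
    if acl_permits(100, src, dst):                       # overload on Gi0/1
        return "110.0.0.1"
    return src                                           # untranslated (Site B tunnel)

def forward(src, dst, pool_used=None, static_only=False):
    """Return (source seen on the wire, IPsec peer or None) for one packet.

    NAT runs before the crypto map on inside-to-outside traffic, so the crypto
    ACLs are evaluated against the translated source address.
    """
    pool_used = {} if pool_used is None else pool_used
    new_src = translate(src, dst, pool_used, static_only)
    for acl, peer in ((150, "120.0.0.1"), (151, "130.0.0.1")):  # lowest seq first
        if acl_permits(acl, new_src, dst):
            return new_src, peer
    return new_src, None                                 # leaves Gi0/1 unencrypted

if __name__ == "__main__":
    pool = {}
    for host in ("192.168.1.1", "192.168.1.100"):        # the two Site A guests
        print(host, "-> 10.0.0.1:", forward(host, "10.0.0.1", pool))
    print("with the old static entry:", forward("192.168.1.100", "10.0.0.1", static_only=True))
```

With the old static entry the second guest is neither translated nor matched by ACL 151, so its traffic to 10.0.0.1 never enters the tunnel; with the pool it gets 172.16.0.2, matching the second translation in the output above.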
05-02-2020 10:28 AM
Hi
The ip nat source static command does accept a network:

```
ip nat inside source static network local-network global-network
```
05-02-2020 11:08 AM
Indeed it does; however, I can't insert the route-map at the end of that command to give it a conditional match, which means it will always be translated. The tunnel to Site C will work, but it will fail to Site B.