LAB Study Case: 2 IPSEC tunnels, with overlapping subnet to one of the sites.

nelsonpaiva
Level 1

Hi!

I have been labbing today about a case I saw at work the other day. The challenge was that one router (Site A) needs to have 2 IPSEC tunnels to different sites, one of them with an overlapping subnet. I was able to get this working on my lab by doing static NAT with a route map, natting the traffic at both ends of the tunnel to another subnet, only when it was matching the interesting traffic for the tunnel. So when you just want to reach a server on the Web, you'll get out with PAT as usual with your public address.

The thing is, what if I want to NAT the whole subnet when going to the tunnel, instead of just static 1:1 NAT? I can't find any other way of adding the route-map I wrote, other than applying it to the end of an "ip nat inside source static" command.

Here is the LAB topology and the configs for Site A, B and C.

Thanks in advance.

(attached image: labipsec.PNG)

SiteA

Current configuration : 4430 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key CCNP address 120.0.0.1
crypto isakmp key CCNP address 130.0.0.1
!
crypto isakmp peer address 120.0.0.1
!
crypto isakmp peer address 130.0.0.1
!
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set SETC esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map MAP 1 ipsec-isakmp
 set peer 120.0.0.1
 set transform-set SET
 match address 150
crypto map MAP 2 ipsec-isakmp
 set peer 130.0.0.1
 set transform-set SETC
 match address 151
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 110.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 crypto map MAP
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.1.1 172.16.0.1 route-map NATTUNEL
ip route 0.0.0.0 0.0.0.0 110.0.0.254
!
!
route-map NATTUNEL permit 1
 match ip address 130
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 151 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

Router#
Site C

Current configuration : 4010 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key CCNP address 110.0.0.1
!
crypto isakmp peer address 110.0.0.1
!
!
crypto ipsec transform-set SETC esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map MAPC 1 ipsec-isakmp
 set peer 110.0.0.1
 set transform-set SETC
 match address 150
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 130.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 crypto map MAPC
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.100 10.0.0.1 route-map NATTUNEL
ip route 0.0.0.0 0.0.0.0 130.0.0.254
!
!
route-map NATTUNEL permit 1
 match ip address 111 150
!
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 150 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

Router#
Site B
Building configuration...

Current configuration : 3820 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
no cdp log mismatch duplex
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key CCNP address 110.0.0.1
!
crypto isakmp peer address 110.0.0.1
!
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map MAP 1 ipsec-isakmp
 set peer 110.0.0.1
 set transform-set SET
 match address 150
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 120.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 crypto map MAP
!
interface GigabitEthernet0/1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 120.0.0.254
!
!
!
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any log
access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

Router#

3 Replies

omz
VIP Alumni

Hi

The ip nat source static command does accept a network...

ip nat inside source static network local-network global-network

 

 

Indeed it does; however, I can't insert the route-map at the end of that command to give it a conditional match:

(attached image: lab.PNG)

Which means it will always be translated. The tunnel to Site C will work, but it will fail to Site B.

Accepted Solution

I found out how to successfully NAT the whole subnet only when going to the tunnel to Site C. On the Site A router I removed this line:

ip nat inside source static 192.168.1.1 172.16.0.1 route-map NATTUNEL

And made the following config:

ip nat pool POOL 172.16.0.1 172.16.0.254 netmask 255.255.255.0
ip nat inside source route-map NATTUNEL pool POOL

I also added a switch to Site A's LAN and another UbuntudockerGuest; now when I ping 10.0.0.1 on Site C I can see both translations happening like I wanted:

icmp 172.16.0.1:74 192.168.1.1:74 10.0.0.1:74 10.0.0.1:74
icmp 172.16.0.2:52 192.168.1.100:52 10.0.0.1:52 10.0.0.1:52
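To make the NAT decision on Site A easy to reason about, here is an added Python model of the router's outbound (inside-to-outside) path. It is constructed for this page, not a Cisco tool and not code from the thread: the ACLs, pool range and crypto map peers are copied from the Site A config above, while the class name `SiteA`, the method names, and the pool allocation order (lowest free address first) are assumptions of the model. It relies on the IOS order of operations in which inside-to-outside NAT runs before the crypto map is evaluated, which is why access-list 151 matches 172.16.0.0/24 rather than 192.168.1.0/24. `conditional=True` models the accepted solution (route-map NATTUNEL plus pool POOL); `conditional=False` models the unconditional whole-subnet static translation from omz's suggestion, reproducing the "fails to Site B" behaviour the poster describes.

```python
"""Model of Site A's outbound path: NAT decision first, then crypto map match.

Constructed example for this thread; not a Cisco tool and it does not parse IOS config.
ACL, pool and peer values are copied from the Site A config posted in the thread."""
from ipaddress import ip_address, ip_network

INSIDE_LAN = ip_network("192.168.1.0/24")
OUTSIDE_IP = ip_address("110.0.0.1")  # GigabitEthernet0/1, used for PAT overload
POOL_FIRST, POOL_SIZE = ip_address("172.16.0.1"), 254  # ip nat pool POOL 172.16.0.1 172.16.0.254


def acl(*entries):
    """Extended ACL as (action, src, dst) triples; first match wins, implicit deny at the end."""
    return [(action, ip_network(src), ip_network(dst)) for action, src, dst in entries]


def permits(entries, src, dst):
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False


ACL_100 = acl(("deny", "192.168.1.0/24", "10.0.0.0/24"),      # keep tunnel traffic out of PAT
              ("deny", "192.168.1.0/24", "192.168.2.0/24"),
              ("permit", "192.168.1.0/24", "0.0.0.0/0"))
ACL_130 = acl(("permit", "192.168.1.0/24", "10.0.0.0/24"))     # matched by route-map NATTUNEL
ACL_150 = acl(("permit", "192.168.1.0/24", "192.168.2.0/24"))  # crypto map MAP 1, peer 120.0.0.1
ACL_151 = acl(("permit", "172.16.0.0/24", "10.0.0.0/24"))      # crypto map MAP 2, peer 130.0.0.1
CRYPTO_MAP = [(ACL_150, "120.0.0.1"), (ACL_151, "130.0.0.1")]  # evaluated in sequence order


class SiteA:
    """conditional=True: accepted solution (route-map NATTUNEL -> pool POOL).
    conditional=False: unconditional 'static network' translation of the whole LAN."""

    def __init__(self, conditional=True):
        self.conditional = conditional
        self.pool = {}  # inside address -> pool address; sticky 1:1 mapping

    def nat(self, src, dst):
        if not self.conditional:
            if src in INSIDE_LAN:  # static network NAT: host bits kept, destination ignored
                return ip_address("172.16.0.0") + (int(src) - int(INSIDE_LAN.network_address))
        elif permits(ACL_130, src, dst):
            if src not in self.pool:
                if len(self.pool) >= POOL_SIZE:
                    raise RuntimeError("NAT pool POOL exhausted")
                self.pool[src] = POOL_FIRST + len(self.pool)  # assumption: lowest free address first
            return self.pool[src]
        # Order between the route-map rule and the list-100 rule does not matter for this
        # config: list 100 already denies both tunnel destinations, so they never hit PAT.
        if permits(ACL_100, src, dst):
            return OUTSIDE_IP  # 'ip nat inside source list 100 interface Gi0/1 overload'
        return src

    def forward(self, src, dst):
        """Return (translated source, handling). Inside-to-outside NAT runs before the
        crypto map check, so the crypto ACLs see the translated source address."""
        src, dst = ip_address(src), ip_address(dst)
        new_src = self.nat(src, dst)
        for entries, peer in CRYPTO_MAP:
            if permits(entries, new_src, dst):
                return str(new_src), f"ipsec to {peer}"
        return str(new_src), "cleartext"


if __name__ == "__main__":
    a = SiteA()
    for host, target in [("192.168.1.1", "10.0.0.1"), ("192.168.1.100", "10.0.0.1"),
                         ("192.168.1.1", "192.168.2.10"), ("192.168.1.1", "203.0.113.5")]:
        print(host, "->", target, ":", a.forward(host, target))
    b = SiteA(conditional=False)
    print("unconditional, to Site B:", b.forward("192.168.1.1", "192.168.2.10"))
```

Running the model reproduces the two translations in the poster's table (192.168.1.1 to 172.16.0.1 and 192.168.1.100 to 172.16.0.2, both sent through the tunnel to 130.0.0.1), leaves traffic for 192.168.2.0/24 untranslated so it still matches access-list 150 for the Site B tunnel, and PATs everything else to 110.0.0.1. With the unconditional translation, a packet for Site B leaves as 172.16.0.x, matches neither crypto ACL, and would be forwarded in cleartext toward the default route, which is the failure the poster observed.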