Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
949
Views
5
Helpful
1
Replies

NAT before IPSEC

Go to solution
rsumner
Level 1
Level 1

‎08-30-2021 04:05 PM

I'm struggling to determine how to configure NAT on my C8200 and CSR1000v to support the following scenario.

 

I have hosts in 192.168.1.0/24 (identified as being behind R1)  that need to establish a connection to hosts in 192.168.3.0/24 (identified as being behind A1).  These two networks are connected through R2 via a VTI IPSEC tunnel that goes from R1 to R2 and an policy-based IPSEC tunnel that goes from R2 to A1.  You'll notice in the diagram below, the encrypted domain for R2 and A1 doesn't include the 192.168.1.0/24 subnet, therefor I must NAT the traffic once it hits R2.  

 

iosxe-nat-before-tunnel.png

On other network appliances, I can match on the source subnet, destination subnet, and specify that the interface IP of R2 (192.168.2.1) must be used.  I've read the NAT Configuration Guide several times attempting various methods and the traffic never reaches the destination.

 

Note: On R2, the traffic from R1 comes in over Tunnel1 and then has to go out GigabitEthernet1 via the IPSEC policy to reach 192.168.3.0/24

 

Thanks in advance for the guidance. 

1 Accepted Solution

Accepted Solutions

Go to solution
rsumner
Level 1
Level 1

‎08-31-2021 09:21 AM

I was able to figure this one out on my own.  I was making it more complicated than I needed it to be.  All of these changes were done on the R2 CSR1000v:

 

  • On GigabitEthernet1, make sure that ip nat outside is defined
  • On Tunnel1, make sure that ip nat inside is defined
  • Create an access list to match the source traffic of 192.168.1.0/24 (eg: nat-FROM-R1)
  • And then a simple overload NAT: ip nat inside source list nat-FROM-R1 interface GigabitEthernet1 overload

 

After doing this, I can see the NAT translation in show ip nat translation:

 

CSR1KV-R2#show ip nat translations 

Pro  Inside global         Inside local          Outside local         Outside global

icmp 192.168.2.1:37434  192.168.1.36:37434   192.168.3.5:37434   192.168.3.5:37434

 

I've done plenty of configurations of NAT on ASA devices, so I'm just getting used to the way IOSXE handles these "inside local" and "outside local" translations.  

View solution in original post

0 Helpful
1 Reply 1

Go to solution
rsumner
Level 1
Level 1

‎08-31-2021 09:21 AM

I was able to figure this one out on my own.  I was making it more complicated than I needed it to be.  All of these changes were done on the R2 CSR1000v:

 

  • On GigabitEthernet1, make sure that ip nat outside is defined
  • On Tunnel1, make sure that ip nat inside is defined
  • Create an access list to match the source traffic of 192.168.1.0/24 (eg: nat-FROM-R1)
  • And then a simple overload NAT: ip nat inside source list nat-FROM-R1 interface GigabitEthernet1 overload

 

After doing this, I can see the NAT translation in show ip nat translation:

 

CSR1KV-R2#show ip nat translations 

Pro  Inside global         Inside local          Outside local         Outside global

icmp 192.168.2.1:37434  192.168.1.36:37434   192.168.3.5:37434   192.168.3.5:37434

 

I've done plenty of configurations of NAT on ASA devices, so I'm just getting used to the way IOSXE handles these "inside local" and "outside local" translations.  

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card