NAT Client VPN Traffic to internet

neilobrien
Level 1

Hi Guys,

I have a Cisco 2951 terminating my VPNs and I need my VPN clients to access a public IP address but have the source address of the router that terminates the VPN.

The VPN clients are split tunnelled and I have added the public address to the split tunnel ACL in order to bring it up through the tunnel, but I'm sure I need to NAT it back out from the router in some way. I thought I needed to use "ip nat outside...." but this only allows me to use NAT pools.

Can someone give me a pointer??

Thanks,

Neil


Hi,

Normally you don't NAT the VPN traffic and that's why the VPN clients can access the internal resources with their real private addresses.

If you want the VPN client to access the server with its public address, then you NAT the server through the VPN tunnel.

i.e.

Let's say the server is 10.1.1.1 with public IP 200.1.1.1

ip nat inside source static 10.1.1.1 200.1.1.1

Then, in the split-tunneling ACL:

ip access-list extended SPLIT

   permit ip host 200.1.1.1 VPN_CLIENT_SUBNET

In this way the communication through the tunnel flows between the Public IP of the server and the VPN subnet.

Federico.

Hi Federico,

The server I'm trying to access is not mine, it's elsewhere on the internet. But it only permits connections from my public IP, so I need clients who VPN into my network to go back out to this server but appear to be coming from my public IP.

Does that make sense?

Thanks,

Neil

In that case you need to accept all the VPN client traffic and redirect it out to the Internet (doing PAT with your public IP) before sending the traffic to the Internet.

Federico.

Hi Federico,

I didn't think I needed to do that. Because my VPN traffic is not crossing a NAT inside interface, it's not going to get nat'd out like that.

I want to do what it is you're suggesting, except only for one public IP.

On an ASA, you would just use the global nat statement with a route-map permitting the VPN client subnet to the public IP and that's it.

Thanks,

Neil

If you have an ASA you will accept the VPN client traffic on the outside interface and hairpin the traffic back out doing NAT:

nat (outside) 1 VPN_POOL

global (outside) 1 interface

On a router I believe you cannot do that.

What you can do is receive the VPN traffic on the outside interface, redirect it to a loopback to have it NATed and back out the outside interface so it will get PATed to the public IP.

Federico.
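The loopback hairpin Federico describes, written out as an added example configuration (not Federico's or Cisco's own text). It assumes GigabitEthernet0/0 is the Internet-facing interface that terminates the VPN, 10.10.10.0/24 is the VPN client pool, 192.0.2.10 is the external server, 198.51.100.1 is the ISP next hop, and that decrypted client packets are subject to the outside interface's inbound policy route-map; verify on the 2951 before relying on it.

```cisco
! Added example, assumption-labelled: hairpin only VPN-client traffic bound for
! the one external server back out the outside interface, PATed to its address.
! 10.10.10.0/24 = VPN client pool, 192.0.2.10 = external server (both assumed).
ip access-list extended VPN-TO-PARTNER
 permit ip 10.10.10.0 0.0.0.255 host 192.0.2.10

! Policy-route the matching decrypted VPN traffic onto a loopback, which is the
! only "ip nat inside" interface, so nothing else crossing the router is NATed.
route-map HAIRPIN-IN permit 10
 match ip address VPN-TO-PARTNER
 set interface Loopback0

! From the loopback, forward the same flow to the ISP next hop (assumed
! 198.51.100.1) so it exits via the outside interface and gets translated.
route-map HAIRPIN-OUT permit 10
 match ip address VPN-TO-PARTNER
 set ip next-hop 198.51.100.1

interface Loopback0
 ip address 172.16.255.1 255.255.255.255
 ip nat inside
 ip policy route-map HAIRPIN-OUT

interface GigabitEthernet0/0
 description Outside / VPN termination (assumed)
 ip nat outside
 ip policy route-map HAIRPIN-IN

! Translate only the hairpinned flow (route-map scope), overloaded on the
! outside interface address, rather than every address crossing NAT inside.
route-map HAIRPIN-NAT permit 10
 match ip address VPN-TO-PARTNER
 match interface GigabitEthernet0/0
ip nat inside source route-map HAIRPIN-NAT interface GigabitEthernet0/0 overload

! Check: "show ip nat translations | include 192.0.2.10" should list entries
! whose inside global address is the GigabitEthernet0/0 public IP.
```

Because the ACL is scoped to the single server, other split-tunnel traffic from the clients keeps its real VPN address, which is the behaviour Neil wanted to preserve.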

The loopback trick will work, however Christopher's solution is even better :-)

Federico.

neilobrien
Level 1

guys - this is exactly what I needed.

Thanks for your responses

Neil