Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4757
Views
0
Helpful
7
Replies

NAT, Site-to-Site IPsec VPN and Loopback interface

Go to solution
Adrian Bolzan
Level 1
Level 1

‎12-05-2014 03:03 AM - edited ‎03-05-2019 12:17 AM

 

Hello,

I would really appreciate some help on setting up a site-to-site VPN that requires NAT.

I suspect that our config is all wrong!


We have been requested to set up a site-to-site VPN with a partner company. We must access servers in their network.

We have a 2811 router.

They are using a Juniper firewall.


Due to requirements at their end, we must set up provide NATing for our internal IP addresses with a private IP address for the interface.

The VPN will be over the internet.

The network looks like this:


OurSite 1 -- WAN -- OurSite 2 -- Our 2811 router -- Internet -- Juniper F/W -- PartnerSite

computers on OurSite1 must access servers in the Partner Site.

OurSite 1 accesses the internet and the paartner site via a WAN and through OurSite 2 

OurSite 1 IP address range = 192.168.100.0/24
OurSite 2 IP address range = 192.168.200.0/23
Internal interface IP Address on our 2811 router = 192.168.200.254
Public interface on the 2811 router = 203.10.10.10

Public interface (peer address) on the Juniper = 201.30.30.30
partner site server private IP addresses = 10.95.1.176/28

Our partner has asked us to NAT all of our computers in OurSite1 through the private IP address = 10.10.10.50


(a) we have successfully created the VPN (phase 1)

(b) we cannot seem to get our computers to access our partnet's network.
- When we ssh to our partner's servers, using their private IP address, we actually connect to our router.

(c) when using the command: show crypto ipsec sa
- we do not see any packets going to the partner network

(d) we also do not see any entries for the relevant computers, servers and IP addresses when we do a "show ip nat translations"


I will add our config and perhaps someone would be kind enough to take a look and be able to offer some suggestions.

 

---- start ---

 

!

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2

!

crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2

!
crypto isakmp key <key here> address 201.30.30.30 no-xauth

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto ipsec df-bit clear

!

!


crypto map SDM_CMAP_1 35 ipsec-isakmp
 description Tunnel to Partner 201.30.30.30
 set peer 201.30.30.30
 set transform-set ESP-3DES-SHA
 match address partner_vpn
 reverse-route
!
!

interface Loopback100
 description Loopback for inside NAT- PartnerVPN
 ip address 10.10.10.50 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
!

interface FastEthernet0/0
 description Private interface at OurSite 2, $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 192.168.200.254 255.255.254.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map loopbackNAT
 duplex auto
 speed auto
 no mop enabled
!

 

!

ip access-list extended Partner_NAT
 permit ip 192.168.100.0 0.0.0.255 10.95.1.176 0.0.0.15

!

ip access-list extended partner_vpn
 permit ip host 10.10.10.50 10.95.1.176 0.0.0.15

!

route-map loopbackNAT permit 10
 description Partner VPN NAT
 match ip address Partner_NAT
 set ip next-hop 10.10.10.50

!

 

! And here is the access-list 100, which is mentioned in FastEthernet0/0 section (Our partner is the first permit line)
!
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=17
access-list 100 remark CCP_ACL Category=1
access-list 100 remark Required for Partner VPN
access-list 100 permit ip 192.168.100.0 0.0.0.255 10.95.1.176 0.0.0.15

access-list 100 permit tcp host 192.168.100.10 any eq smtp
access-list 100 permit tcp host 192.168.200.10 any eq smtp
access-list 100 deny   tcp any any eq smtp log
access-list 100 deny   ip 203.10.10.10 0.0.0.15 any log
access-list 100 deny   ip host 255.255.255.255 any log
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 100 permit ip any any
!
!

 
--- end ---


Thanks in advance for any assistance!

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Kelvin Willacey
Level 4
Level 4

‎12-05-2014 12:52 PM

Is this router performing the NAT? I don't see a NAT statement.

View solution in original post

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Adrian Bolzan

‎12-07-2014 06:27 PM

Thanks for the additional information. You are correct about the route map sending traffic to the loopback for translation. I did not catch that the first time I read through your post but clearly it is there. So ignore my 2).

 

If you are not sure of the syntax perhaps one approach would be to do show run | include nat and post the output. Another approach would be to post a more complete configuration.

 

HTH

 

Rick

HTH

Rick

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Kelvin Willacey
Level 4
Level 4

‎12-05-2014 12:52 PM

Is this router performing the NAT? I don't see a NAT statement.

0 Helpful

Go to solution
Adrian Bolzan
Level 1
Level 1
In response to Kelvin Willacey

‎12-05-2014 07:03 PM

thanks for the reply, KWillacey_2.

 

yes,

 

1. the router performs NAT for regular outbound connections (e.g. browsing, email delivery, etc.) for both OurSite 1 and OurSite 2, presenting to the internet as our public IP address 203.10.10.10

It does that now.

 

2. the router also performs PAT for incoming.

 

3. And this is the new work for the VPN

The router needs to perform NAT on the outgoing data from OurSite 1 to the partner network, however needs to present as 10.10.10.50 just for the VPN traffic. For normal outgoing traffic it needs to present as 203.10.10.10 (see point 1)

 

thanks for your assistance.

 

 

 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Adrian Bolzan

‎12-06-2014 06:09 PM

I have 2 points about this issue.

1) you tell us that the router is doing nat but do not show us the logic for the nat. This may well be where the problem is but without seeing what the router is doing it is difficult for us to know the problem.

2) the name of the route map suggests that it is used for nat. But the syntax of the route map suggests that it is set up for Policy Based Routing. Without seeing more of the configuration it is difficult to know which it is. But I suspect that part of the problem is in the route map.

route-map loopbackNAT permit 10
 description Partner VPN NAT
 match ip address Partner_NAT
 set ip next-hop 10.10.10.50

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
Adrian Bolzan
Level 1
Level 1
In response to Richard Burts

‎12-07-2014 03:57 AM

thanks for the reply, Richard Burts.

 

1. regarding NAT

- I believe I am missing the NAT command, however, I am not 100% sure of that command's syntax in this context

 

2. regarding PBR

- my understanding was that I needed the route map to send the appropriate data through the loopback interface

- it seems that when I do a traceroute from OurSite 1 to the partnetSite , I am still not using the next-hop 10.50.50.50, but rather data is routed through the public internet

 

 

I am clearly missing something here...

 

I will review your comments and see if I can figure it out.

 

thanks again for your assistance.

 

 

 

 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Adrian Bolzan

‎12-07-2014 06:27 PM

Thanks for the additional information. You are correct about the route map sending traffic to the loopback for translation. I did not catch that the first time I read through your post but clearly it is there. So ignore my 2).

 

If you are not sure of the syntax perhaps one approach would be to do show run | include nat and post the output. Another approach would be to post a more complete configuration.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
Adrian Bolzan
Level 1
Level 1
In response to Richard Burts

‎12-07-2014 06:44 PM

hello Richard Burts and KWillacey_2,

 

thanks again for the reply, Richard.

 

I decided to remove the Koopback interface, etc., and replace with a pool+tunnel and added the NAT command.

 

so:

!--- Defines a NAT pool named Partner-VPN-NAT with a range of a single IP
!--- address, 10.10.10.50
ip nat pool Partner-VPN-NAT 10.10.10.50 10.10.10.50 prefix-length 24


!--Hide NAT the Partner Nat traffic behind this ip
ip nat inside source list Partner_NAT pool Partner-VPN-NAT overload


! -- add to tunnel0's settings

interface Tunnel0
tunnel destination 201.30.30.30
ip nat outside

 

 

now, all connections are working.

 

thanks, again.

 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Adrian Bolzan

‎12-08-2014 01:33 AM

I am glad to know that you found a solution that works, that all connections are working, and that our responses were helpful to you. Thanks for posting back to the forum to let us know that you solved it and how you solved it. And thanks for using the rating system to mark this question as answered.

 

HTH

 

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card