NAT - source ip address

Oleg Volkov

Dear Sirs!

I have a stupid LTE router (Huawei) and I use it as a backup link to the internet.
It is a router, connected to the Cisco 880 router.

Also, I have a primary internet link.
I use a Site-to-Site VPN with a crypto map (without Tunnel interfaces).
In the remote site, I use subnet 192.168.10.0/24.
In the local site, I use subnet 192.168.9.0/24.

I use a dedicated interface, connected to the Huawei router (Backup).
The IP address of the interface is 192.168.8.1.
I use "ip nat outside" on this interface, and "ip nat inside" on the inside interface.
The IP address of the Huawei router (its LAN interface) is 192.168.8.2.

The Huawei does not know about the remote site subnet, because it does not have static routes - it is impossible on this router.
Inside PCs can access the WEB interface of this router, because they go through dynamic NAT (Inside to Backup).

I want to access the WEB interface of this router through the site-to-site VPN.
I need to use NAT for mapping source IPs from subnet 192.168.10.0 to an IP from 192.168.9.0.
Remote PCs go through the Outside interface to the Backup interface.
On the Outside interface, I have "ip nat outside".

In the Cisco ASA, in a case like this, I use: nat (outside,backup) source dynamic REMOTE_SUBNET LOCAL_IP destination static BACKUP_SUBNET BACKUP_SUBNET

But I do not know how to do it in IOS.

Thanks!

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this is posted on my blog

Oleg Volkov

Hello!

I resolved this trouble!
It is not very elegant, but it works.
The Huawei IP is 192.168.8.1.

I made Loopback and Tunnel interfaces on each router:

RTR1 (with connected Huawei):

interface Loopback1
 ip address 10.80.81.2 255.255.255.255

interface Tunnel1
 ip address 10.80.80.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 tunnel source Loopback1
 tunnel mode ipip
 tunnel destination 10.80.81.1

! the Huawei is connected to Vlan2
interface Vlan2
 ip address 192.168.8.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map BACKROUTERM

Access-list for the route map:

ip access-list extended BACKROUTEACL
 permit ip host 192.168.8.1 192.168.0.0 0.0.255.255
 deny ip any any

Route-map for backward traffic from the Huawei:

route-map BACKROUTERM permit 10
 match ip address BACKROUTEACL
 set ip next-hop 10.80.80.1

In the crypto map access-list, we need to add:

permit ip host 10.80.81.2 host 10.80.81.1

ACL for NAT traffic to the Huawei:

ip access-list extended HUNATTUNACL
 permit ip 192.168.0.0 0.0.255.255 host 192.168.8.1

NAT:

ip nat inside source list HUNATTUNACL interface Vlan2 overload

RTR_Central:

interface Loopback1
 ip address 10.80.81.1 255.255.255.255

interface Tunnel1
 ! RTR_Central end of the /30; RTR1 Tunnel1 is 10.80.80.2 and its route-map next-hop is this address
 ip address 10.80.80.1 255.255.255.252
 ip virtual-reassembly in
 tunnel source Loopback1
 tunnel mode ipip
 tunnel destination 10.80.81.2

In the crypto map access-list, we need to add:

permit ip host 10.80.81.1 host 10.80.81.2

And add a route to the Huawei via the Tunnel:

ip route 192.168.8.1 255.255.255.255 10.80.80.2
------

I think I can use NVI NAT, but I do not like this technology. It may be hard to debug and understand if other people configure these routers.

Also, I could use Tunnel interfaces for all VPN traffic, but for that I would need to totally reconfigure all routers - I am lazy today.

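An added consistency check for the two-router design above (my example, not code from the post): it parses excerpts of both configs and verifies that each tunnel destination is the peer's loopback, that the two Tunnel1 addresses are distinct ends of one /30, that RTR1's route-map next-hop is RTR_Central's tunnel address, and that RTR_Central's host route to the Huawei points at RTR1's tunnel address. The config excerpts are constructed from the thread, with RTR_Central's Tunnel1 assumed to be 10.80.80.1.

```python
import ipaddress, re
# Constructed sample input reconstructed from the thread (RTR_Central Tunnel1 = 10.80.80.1).
RTR1 = """
interface Loopback1
 ip address 10.80.81.2 255.255.255.255
interface Tunnel1
 ip address 10.80.80.2 255.255.255.252
 tunnel source Loopback1
 tunnel destination 10.80.81.1
route-map BACKROUTERM permit 10
 set ip next-hop 10.80.80.1
"""
RTR_CENTRAL = """
interface Loopback1
 ip address 10.80.81.1 255.255.255.255
interface Tunnel1
 ip address 10.80.80.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 10.80.81.2
ip route 192.168.8.1 255.255.255.255 10.80.80.2
"""

def parse(cfg):
    r, cur = {"routes": {}, "pbr_nh": None}, None  # interfaces, tunnel ends, PBR hop, routes
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = m[1]
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            r[cur] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r" tunnel (source|destination) (\S+)", line):
            r[m[1]] = m[2]
        elif m := re.match(r" set ip next-hop (\S+)", line):
            r["pbr_nh"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            r["routes"][ipaddress.ip_network(f"{m[1]}/{m[2]}")] = ipaddress.ip_address(m[3])
    return r

def check(rtr1_cfg, central_cfg, huawei="192.168.8.1/32"):
    a, b, problems = parse(rtr1_cfg), parse(central_cfg), []  # empty list = design lines up
    for me, peer in ((a, b), (b, a)):  # each tunnel destination must be the peer's source loopback
        if ipaddress.ip_address(me["destination"]) != peer[peer["source"]].ip:
            problems.append(f"tunnel destination {me['destination']} is not the peer loopback")
    ta, tb = a["Tunnel1"], b["Tunnel1"]
    if ta.network != tb.network or ta.ip == tb.ip:  # the /30 needs two distinct ends
        problems.append(f"Tunnel1 {ta.ip} and {tb.ip} are not distinct ends of one /30")
    if a["pbr_nh"] != tb.ip:  # Huawei replies are steered into the tunnel toward RTR_Central
        problems.append(f"PBR next-hop {a['pbr_nh']} is not RTR_Central Tunnel1 {tb.ip}")
    if b["routes"].get(ipaddress.ip_network(huawei)) != ta.ip:  # and the return route must exist
        problems.append(f"RTR_Central lacks a route to {huawei} via RTR1 Tunnel1 {ta.ip}")
    return problems
```

Running check(RTR1, RTR_CENTRAL) on the excerpts returns an empty list; giving both tunnel ends 10.80.80.2, as the original post did, reports the duplicate /30 address and the mismatched route-map next-hop.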