Traffic Split Between Static NAT and VPN

ihadfield
Level 1

Hello all,

We have a Site-to-Site VPN that is securing all traffic to/from 10.160.8.0/24 to/from 10.0.0.0/8.  This is for everything - including Internet traffic.  However, there is an exception (of course)...

The part I cannot get working is if traffic comes from the VPN (10.0.0.0/8) to 10.160.8.5 (on 80 or 443) then the return traffic must go back over the VPN.  BUT, if the 80 or 443 traffic comes from anyplace else (Internet via X.X.X.X that gets translated to 10.160.8.5), then it needs to be NATed back out to the Internet via Gig2.

I have the following configuration (tried to just have the necessary lines)...

interface GigabitEthernet2
 ip address Y.Y.Y.Y 255.255.255.0    !! the X.X.X.X and Y.Y.Y.Y are in the same subnet
 ip address X.X.X.X 255.255.255.0 secondary
 ip nat outside
 crypto map ipsec-map-S2S

interface GigabitEthernet4.2020
 description 2020
 encapsulation dot1Q 2020
 ip address 10.160.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

ip nat inside source list NAT-Outbound interface GigabitEthernet2 overload
ip nat inside source static tcp 10.160.8.5 80 X.X.X.X 80 route-map NO-NAT extendable
ip nat inside source static tcp 10.160.8.5 443 X.X.X.X 443 route-map NO-NAT extendable

ip access-list extended NAT-Outbound
 deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
 deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
 permit tcp host 10.160.8.5 any eq www
 permit tcp host 10.160.8.5 any eq 443

ip access-list extended NO-NAT
 deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
 deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
 permit ip any any

route-map NO-NAT permit 10
 match ip address NO-NAT

With the above configuration, we can get to 10.160.8.5 from the Internet but cannot get to it over the VPN tunnel (from 10.200.0.0/16).  If I remove the two "ip nat inside source static..." commands, then the opposite happens - I can then get to 10.160.8.5 from the VPN tunnel but I now cannot get to it from the Internet.

How can I get to it from both?  It seems that when I hit the first NAT statement (Gig2 overload) that the "deny" in the NAT-Outbound ACL punts me out of that NAT statement.  It then processes the next NAT statement (one of the "ip nat inside source static...") but the "deny" in the NO-NAT ACL does not seem to punt me out of that NAT statement.  That is my theory anyway (maybe something else is going on?)

Should this work like this or am I not understanding something correctly?  This is on a Cisco Cloud Services Router (CSR 1000v).

Thanks!

Accepted Solution

brquinn
Level 1

Your netmask is wrong for your 10.0.0.0/8. I would not worry about port/protocol either since that can screw you up. A better way to do it would be to deny all IP VPN traffic.

ip access-list extended NAT-Outbound
 deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
 ...

ip access-list extended NO-NAT
 deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip any any

Doc:

Configuring IPSec Router-to-Router with NAT Overload and Cisco Secure VPN Client


Thanks,

Brendan


2 Replies


Thanks Brendan!

Fixing the netmask was good (doh!! on my part) but changing the NO-NAT ACL from deny tcp (with a port) to a deny ip did the trick.

Thanks!
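The exchange above turns on two details of how IOS evaluates the access-list behind a NAT route-map: the wildcard mask (0.0.0.255 covers only 10.0.0.0/24, 0.255.255.255 covers the whole 10.0.0.0/8), and the position of "eq www" in an extended ACE (after the destination address it tests the destination port, so the web server's return traffic, which has port 80/443 as its *source*, never matches). The Python below is an added walk-through, not code from the thread or from Cisco: a minimal IOS-style extended-ACL evaluator applied to the return traffic leaving 10.160.8.5, which is the packet the "ip nat inside source ... route-map NO-NAT" rule is checked against (route-map "permit 10" matching the ACL means: translate when the ACL permits, leave alone when it denies). The ACL text is taken from the posts (Brendan's wildcard typo corrected); the client hosts and ports are constructed, and the "mask-only" ACL is a hypothetical intermediate step to show why fixing the mask alone would not have been enough.

```python
"""Evaluate the thread's NO-NAT access-lists against sample return flows.

Added example, not from the original post. Models first-match ACL semantics,
IOS wildcard masks and 'eq <port>' placement; client addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80}  # the one IOS port keyword used in the thread


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care' (the inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def _addr(toks, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    return (toks[i], toks[i + 1]), i + 2


def _port(toks, i):
    """Optional 'eq <port>'. After the source it is a source-port test,
    after the destination it is a destination-port test."""
    if i < len(toks) and toks[i] == "eq":
        p = toks[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def ace_matches(ace: str, f: Flow) -> bool:
    toks = ace.split()
    proto = toks[1]
    (sb, sw), i = _addr(toks, 2)
    sport, i = _port(toks, i)
    (db, dw), i = _addr(toks, i)
    dport, i = _port(toks, i)
    if proto != "ip" and proto != f.proto:
        return False
    if not (wildcard_match(f.src, sb, sw) and wildcard_match(f.dst, db, dw)):
        return False
    if sport is not None and f.sport != sport:
        return False
    if dport is not None and f.dport != dport:
        return False
    return True


def acl_action(acl: list[str], f: Flow) -> str:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, f):
            return ace.split()[0]
    return "deny"


def static_nat_translates(no_nat_acl: list[str], f: Flow) -> bool:
    """'route-map NO-NAT permit 10 / match ip address NO-NAT': the static NAT
    translates the packet only when the ACL permits it; an ACL deny falls off
    the route-map and the packet keeps its inside address (and so can match
    the crypto map)."""
    return acl_action(no_nat_acl, f) == "permit"


# ACL from the original post: /24 mask and 'eq' testing the destination port.
NO_NAT_ORIGINAL = [
    "deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www",
    "deny   tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443",
    "permit ip any any",
]
# Hypothetical intermediate step: mask fixed to /8, port-bearing entries kept.
NO_NAT_MASK_ONLY = [
    "deny   tcp host 10.160.8.5 10.0.0.0 0.255.255.255 eq www",
    "deny   tcp host 10.160.8.5 10.0.0.0 0.255.255.255 eq 443",
    "permit ip any any",
]
# Accepted answer: deny all IP between the two sites, with the wildcard typo fixed.
NO_NAT_FIXED = [
    "deny   ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "permit ip any any",
]

# Constructed return flows: the web server answering a VPN client and an Internet client.
TO_VPN = Flow("tcp", "10.160.8.5", 443, "10.200.5.10", 51234)
TO_INTERNET = Flow("tcp", "10.160.8.5", 443, "203.0.113.10", 51234)

if __name__ == "__main__":
    for name, acl in [("original", NO_NAT_ORIGINAL), ("mask only", NO_NAT_MASK_ONLY), ("fixed", NO_NAT_FIXED)]:
        print(f"{name:9s} VPN return translated: {static_nat_translates(acl, TO_VPN)}, "
              f"Internet return translated: {static_nat_translates(acl, TO_INTERNET)}")
```

With the original ACL the VPN return traffic is translated to X.X.X.X (so it no longer matches the crypto map and is sent out Gig2), and it is still translated after fixing only the mask, because the server's reply carries 443 as its source port while "eq 443" after the destination tests the destination port. The "deny ip" form from the accepted answer exempts the site-to-site traffic regardless of port while Internet-bound replies are still translated.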
