02-10-2015 07:00 AM - edited 03-07-2019 10:35 PM
Hi
The following configuration allows me to change the source IP from 192.168.0.0/24 to 172.16.0.100 when hosts are going to 10.0.0.100, and it works. But I can't achieve this goal for the hosts coming in from the VPN tunnel from subnet 192.168.6.0/24.
Can anybody give me a hint where the error is?
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key pass address 11.11.11.11 no-xauth
!
crypto isakmp client configuration group test1
 key test1pass
 pool externalpool
 acl ACL_VPN_DYN
!
!
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
!
crypto dynamic-map DYNMAP 5
 set transform-set tra-vpn
!
crypto map external client authentication list authe-vpn
crypto map external isakmp authorization list autho-vpn
crypto map external client configuration address respond
crypto map external 5 ipsec-isakmp dynamic DYNMAP
crypto map external 10 ipsec-isakmp
 set peer 11.11.11.11
 set transform-set 3DESMD5
 match address ACL_VPN_R1
!
!
interface GigabitEthernet0/0
 ip address 1.2.3.4 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 crypto map external
!
interface GigabitEthernet0/1
 ip address 192.168.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
!
ip local pool externalpool 192.168.6.1 192.168.6.254
ip nat pool NAT_POOL 172.16.0.100 172.16.0.100 netmask 255.255.255.252
ip nat inside source route-map RM_VPN pool NAT_POOL overload
ip nat inside source route-map RM_NAT_WAN1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 1.2.3.3
!
ip access-list extended ACL_NAT
 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
 deny ip 192.168.0.0 0.0.255.255 host 10.0.0.100
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended ACL_NAT_172.16.0.100
 permit ip 192.168.0.0 0.0.0.255 host 10.0.0.100
 permit ip 192.168.6.0 0.0.0.255 host 10.0.0.100
ip access-list extended ACL_VPN_DYN
 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip host 10.0.0.100 192.168.6.0 0.0.0.255
ip access-list extended ACL_VPN_R1
 permit ip host 172.16.0.100 host 10.0.0.100
!
!
!
route-map RM_VPN permit 10
 match ip address ACL_NAT_172.16.0.100
!
route-map RM_NAT_WAN1 permit 10
 match ip address ACL_NAT
 match interface GigabitEthernet0/0
02-13-2015 02:34 AM
Hello, tomasz.piotrowski.
First, you can check whether your rules work with "show access-list [name]" for each access-list. It's just that your rules are a little strange, and without the full config I can't understand why you did it this way (for example, why you need double NAT, with an IP pool and by interface Gi0/0). And I don't see interfaces for the NAT pool either...
Best Regards.
02-13-2015 06:11 AM
Thank you for your reply.
Yes, I checked the ACL.
The point is that my VPN peer accepts packets to the address 10.0.0.100 only from IP 172.16.0.100; for this reason I used a route-map in the NAT statement:
ip nat inside source route-map RM_VPN pool NAT_POOL overload
Packets from 192.168.0.0/24 (the cable network in my organization) are NATed as they should be and everything works fine, but packets from software VPN clients (192.168.6.0/24) are not.
I don't have any interface for the IP NAT pool (loopback?); maybe that's the problem.
02-15-2015 10:54 PM
Hi, tomasz.piotrowski.
I think the problem is that you don't have the line "deny ip host 172.16.0.100 host 10.0.0.100" in your ACL "ACL_NAT".
If it still doesn't work, I need this information:
1. Run the command "show ip nat translations" while there is traffic from a VPN host to 10.0.0.100.
2. Run the command "show access-list ACL_VPN_R1" while there is traffic from a VPN host to 10.0.0.100.
3. Look at the documentation on how to configure NAT on a stick, because you have traffic from one VPN connection to another one via the same physical interface through NAT. Because it's the same physical interface, it can pass without matching the NAT rules (because for both VPN connections your physical interface is nat outside).
Best Regards.
02-16-2015 12:33 AM
Hi
Thank you for your reply.
Adding your rule to ACL_NAT has no effect (the counter is empty):
Extended IP access list ACL_NAT
10 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255 (137358858 matches)
20 deny ip host 172.16.0.100 host 10.0.0.100
30 deny ip 192.168.0.0 0.0.255.255 host 10.0.0.100
40 permit ip 192.168.0.0 0.0.0.255 any (51981552 matches)
AD.1.
#sh ip nat translations | i 172.16.0.100
tcp 172.16.0.100:49548 192.168.0.69:49548 10.0.0.100:80 10.0.0.100:80
tcp 172.16.0.100:50666 192.168.0.150:50666 10.0.0.100:80 10.0.0.100:80
tcp 172.16.0.100:50688 192.168.0.150:50688 10.0.0.100:80 10.0.0.100:80
tcp 172.16.0.100:50700 192.168.0.150:50700 10.0.0.100:80 10.0.0.100:80
tcp 172.16.0.100:50701 192.168.0.150:50701 10.0.0.100:80 10.0.0.100:80
tcp 172.16.0.100:50703 192.168.0.150:50703 10.0.0.100:80 10.0.0.100:80
tcp 172.16.0.100:50704 192.168.0.150:50704 10.0.0.100:80 10.0.0.100:80
tcp 172.16.0.100:49422 192.168.0.172:49422 10.0.0.100:80 10.0.0.100:80
tcp 172.16.0.100:49423 192.168.0.172:49423 10.0.0.100:80 10.0.0.100:80
AD.2.
Extended IP access list ACL_VPN_R1
10 permit ip host 172.16.0.100 host 10.0.0.100 (4245293 matches)
After clearing the counter, it does not get any entries when I try to connect to 10.0.0.100 from 192.168.6.0/24.
Regards
02-16-2015 01:28 AM
I think the problem is that your users on the VPN connection don't hit your NAT rules. So there are 2 solutions that I see:
1. Create a virtual interface and link your VPN users to this virtual interface. After this you need to make this interface nat inside.
2. Use NAT on stick: http://networklessons.com/network-services/cisco-ios-nat-stick-configuration-example/
Best Regards.
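To make the diagnosis in the thread concrete, here is an added Python model (not part of the original posts, and not the poster's router) of how IOS applies "ip nat inside source": it walks a flow through the interface NAT roles and the two ACLs from the original config, and shows why a 192.168.6.x client that enters and leaves on Gi0/0 (nat outside on both sides) is never translated and therefore never matches ACL_VPN_R1 on crypto map entry 10. The "Virtual-Template1" interface with a nat inside role is an assumption standing in for the virtual interface suggested in the last reply.

```python
import ipaddress

# Constructed interface roles from the thread; Virtual-Template1 is the assumed
# fix (a virtual interface for VPN users configured as "ip nat inside").
NAT_ROLE = {"Gi0/0": "outside", "Gi0/1": "inside", "Virtual-Template1": "inside"}

def wildcard_match(addr, net, wildcard):
    """Cisco ACL semantics: bits set in the wildcard mask are 'don't care'."""
    a, n = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(net))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (n & ~w)

# permit entries copied from the original post, as (src, src_wc, dst, dst_wc)
ACL_NAT_172 = [("192.168.0.0", "0.0.0.255", "10.0.0.100", "0.0.0.0"),
               ("192.168.6.0", "0.0.0.255", "10.0.0.100", "0.0.0.0")]
ACL_VPN_R1 = [("172.16.0.100", "0.0.0.0", "10.0.0.100", "0.0.0.0")]

def acl_permits(acl, src, dst):
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)

def inside_source_nat(src, dst, ingress, egress, pool_ip="172.16.0.100"):
    """'ip nat inside source' only acts on flows going inside -> outside."""
    if NAT_ROLE[ingress] != "inside" or NAT_ROLE[egress] != "outside":
        return src, "no NAT: flow is not inside->outside"
    if not acl_permits(ACL_NAT_172, src, dst):   # route-map RM_VPN match
        return src, "no NAT: route-map ACL does not match"
    return pool_ip, "translated by RM_VPN/NAT_POOL"

def trace(src, dst, ingress, egress):
    """Return (post-NAT source, NAT reason, matched by crypto map 10?)."""
    new_src, reason = inside_source_nat(src, dst, ingress, egress)
    return new_src, reason, acl_permits(ACL_VPN_R1, new_src, dst)

if __name__ == "__main__":
    print(trace("192.168.0.69", "10.0.0.100", "Gi0/1", "Gi0/0"))   # works
    print(trace("192.168.6.5", "10.0.0.100", "Gi0/0", "Gi0/0"))    # broken
    print(trace("192.168.6.5", "10.0.0.100", "Virtual-Template1", "Gi0/0"))
```

The middle case reproduces the symptom in the thread: the route-map ACL would match the VPN client, but the NAT check is never reached because the decrypted packet is already on an outside interface.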